This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 57.99999999999999%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi,
Is it possible to add a Mail Flow rule for an AD Synced mail-enabled security group?
This is my general layout:
If the message...
'To' header matches the following patterns: 'AllEmployees'
and Is received from 'Outside the organization'
Do the following...
reject the message and include the explanation 'Non-Coprate domain detected - Contact xyz@keyman .com if you believe this is wrong.' with the status code: '5.7.1'
Except if...
sender's address domain portion belongs to any of these domains: 'customdomain1.com'
This rule doesn't work.
I have also tried the "To box contains" (it dosen't work either) according to https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions#recipients that one should be used as the "The recipient is" don't match distribution groups.
Any advice?
BR
Johannes
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @MrBunne
Have you tried the suggestion below from Andy and and any progress so far?
I also test the rule using "To box contains" in my environment, it can work properly:
Hi @MrBunne ,
Have you checked the configuration for your groups, any progress so far?
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I would do something like:
Hello Andy and joyceshen,
Thanks for confirming that the mail flow should actually work. I struggled all day yesterday to no avail. Perhaps there was a service issue with our tenant as I have tried multiple times.
I'll simply my rule and break it down as to your suggestion and let you know my results. Am I just wondering if the fact that the mail-enabled security group is AD synced affects the mail flow from working?
BR
Bunne
That should not make a difference, no.
Hi, so some results.
This first rule actually seems to work:
If the message...
'To' header contains ''AllEmployees''
and Is received from 'Outside the organization'
Do the following...
reject the message and include the explanation 'Non-Corporate domain detected - Contact xyz@keyman .com if you believe this is wrong.' with the status code: '5.7.1'
I can see in the transport logs that the message is indeed rejected
Reason: [{LED=550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy};{MSG=};{FQDN=};{IP=};{LRT=}]
But I don't get the 5.7.1. email report?
I do get the report if I change to a regular recipient (normal user).
Any thoughts on that? Otherwise, I'll just leave it as is now as emails are rejected. But would be nice to actually get a message about it.
BR
Bunne
Hi,
Do you mean the message is getting rejected, however the sender doesn't receive the NDR message?
Could you please verify if this issue occurs on other groups?
Hi, the NDR report is not being sent out to the recipient but the message is getting rejected (can confirm that from a Massage trace).
The issue only seems to occur when I change to a distribution group in the mail flow rule. If I use the same rule but for a single recipient i.e. a user the NDR is being sent out correctly.
Thanks.
BR
Bunne
Hi @MrBunne ,
Can this issue be related to the group configuration?
Get-distributiongroup | fl name, *ReportTo*
-ReportToOriginatorEnabled
The ReportToOriginatorEnabled parameter specifies whether delivery status notifications (also known as DSNs, non-delivery reports, NDRs, or bounce messages) are sent to senders who send messages to this group. Valid values are:
$true: Delivery status notifications are sent to the message senders. This is the default value.
$false: Delivery status notifications aren't sent to the message senders.
The ReportToManagerEnabled and ReportToOriginatorEnabled parameters affect the return path for messages sent to the group. Some email servers reject messages that don't have a return path. Therefore, you should set one parameter to $false and one to $true, but not both to $false or both to $true.
You could use Set-DistributionGroup to modify this parameter
Set-DistributionGroup "group" -ReportToOriginatorEnabled $true -ReportToManagerEnabled $false
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi Joyceshen, thanks for this information piece. You are correct!
However this seems to be my problem:
PS C:\WINDOWS\system32> Set-DistributionGroup "sg-fos-AllEmployees" -ReportToOriginatorEnabled $true -ReportToManagerEnabled $false
The operation on Identity "sg-fos-AllEmployees" failed because it's out of the current user's write scope. The action '
Set-DistributionGroup', 'ReportToManagerEnabled,ReportToOriginatorEnabled', can't be performed on the object 'sg-fos-Al
lEmployees' because the object is being synchronized from your on-premises organization. This action should be performe
d on the object in your on-premises organization.
I know I cant write to a AD synced object from Cloud. But these attributes don't exist in our on-premises AD environment (the Exchange schema is not installed).
I'm hesitant to do so as well as I don't want to extend the schema just for this purpose.
Thanks!
Hi,
Here seems discussed the same issue with yours, set local ad distro group -ReportToOriginatorEnabled $true
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
I'm afraid you will still need to extend the AD schema for your environment