question

zerasar-5856 avatar image
0 Votes"
zerasar-5856 asked joyceshen-MSFT commented

Exchange (online) email header "X-MS-Exchange-Transport-Forked: True"

Hiya!

At my workplace we mandate that emails are encrypted with SMIME certificates. This is only for internal emails as we are aware many external recipients often have issues opening signed or encrypted emails.

In passing my manager suggested that I put a mailflow/transport rule in that would enforce this.

With a lot of trial and error I believe that I got this functioning correctly. Test results below.

Internal to internal unencrypted - Blocked
Internal to internal encrypted - allowed
Internal to internal & external unencrypted - allowed.

The third scenario was complicated as it became clear that each email was being enumerated against the rules individually rather than collectively. So found it hard to find a condition/exception that allowed me to identify this specific recipient scenario.

Comparing the headers of the different scenarios the third scenario I noted "X-MS-Exchange-Transport-Forked: True". This is what I eventually ended up using as an exception to my mail blocking rule and appears to be working ok.

My issue though, is that I am having a hard time locating documentation on specifically what this header is, how it's used, and what the values represent.

In this instance it appears to mark an email that is sent both internally and to a separate domain, which is what I want... But I want to make sure I fully understand this and am not going to break something down the line.

TLDR
What is this header?
How is it used?
What do the values represent?

office-exchange-server-administrationoffice-exchange-online-itprooffice-exchange-server-mailflow
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndyDavid avatar image
0 Votes"
AndyDavid answered zerasar-5856 commented

Forking an email traditionally is the same as bifurcation
https://docs.microsoft.com/en-us/exchange/mail-flow/mail-routing/recipient-resolution?view=exchserver-2019#bifurcation

$True, well, seems apparent :) - If the message is forked - split- bifurcated- two copies created - then I expect to see that set to true.

in this case, the message was forked ( bifurcated) between internal and external users.





· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for the link Andy. Appreciate it.

Having read the link that you posted, it does explain some instances where the bifurcation occurs but not really specifically to my cases.
I had tried to test for the scenario of multiple internal recipients and did not note this header in those emails...

So I guess what I am wondering, could this occur between internal users emailing each other, distribution lists, shared mailboxes etc?
And if so, is there a better way to identify such emails (internal & external recipients) either via the header information or other mechanism in the Exchange transport/mailflow rules?

0 Votes 0 ·

Actually I am now seeing internal emails with this forked header as well. Seems it is not restricted to internal & external as I had been hoping.

Are you aware of any mechanism that I could trigger a rule sent from internal where "any" recipient is external?
I am aware there is a rule where "recipient is external"... But as the email is forked it only triggers this rule for the copy of the message bound for the external recipient. I want it to trigger for the internal recipient as well.

I can do string matches on the recipient address "for any recipient"... But I can imagine manually maintaining a list like that would be cumbersome.

0 Votes 0 ·

I just did a random check and the only time I see that so far in the headers is from external 365 tenants to me. Not seeing any in an internal headers so far...
Wonder if that also gets stamped simply when the transport sends its external as well.

hmm, not sure about your question, I may have to do some testing as well...

According to:
https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/message-tracking?view=exchserver-2019

TRANSFER Recipients were moved to a forked message because of content conversion, message recipient limits, or agents. Sources include ROUTING or QUEUE.




0 Votes 0 ·

Yeh I get the feeling my earlier testing using that header for indentification purposes was a pure fluke of luck.
Have spent a good chunk of time trying to figure this out and so far I cant locate a suitable header.

The transport rules themselves are rather limiting... The "any recipient" condition is fixed to only words or strings. Can't say "any recipient is external". Which is a real disappointment.

0 Votes 0 ·
joyceshen-MSFT avatar image
0 Votes"
joyceshen-MSFT answered joyceshen-MSFT commented

Hi @zerasar-5856

According to my search, seems not finding the official document which introduces about the message header X-MS-Exchange-Transport-Forked, and I my previous thread, it's hard to mark the message send to both internal and external recipients. Just like this: Exhange 2010 limiting message size for internal users only

The rule works fine when a message is sent to internal or external ONLY.


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
 

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello!

Thanks for your feedback. I suspected as much :-(

Is there some way that this could be forwarded to the exchange and exchange online product teams as feedback?
I am finding the transport rules very limiting... Like they dont even have "is not" conditions. They are all "is"...

I think that were the "any recipients" condition to allow me to specify "external" as an option this would fix my issue.

0 Votes 0 ·

Hi @zerasar-5856

We could consider openning a service request in o365 side to feedback this issue temporarily.

Ways to contact support for business products - Admin Help


0 Votes 0 ·