How to resolve O365 'External Forwarding is not allowed' error when clients forward to G Workspace?

Summary

Resolving the 'External Forwarding is not allowed' error in Office 365 when clients forward to G Workspace means working through the sender's (Office 365) configuration. The problem often stems from security measures intended to prevent spam and phishing. First, confirm that the failure really occurs at external forwarding, as it could be an internal O365 rejection. Key configuration areas to examine include Remote Domains, the Anti-Spam Outbound Policy, Mail Flow Rules (transport rules), Conditional Access policies in Azure AD, connector settings in Exchange Online, anti-spoofing policies, and DMARC settings. Whitelisting the recipient domain in Exchange Online Protection (EOP), reviewing audit logs, checking for end-user forwarding rules, and considering legacy setups (previous M365 clients) can also aid resolution. PowerShell cmdlets provide advanced management capabilities. In some cases, engaging the client's O365 admin for direct intervention is the most effective course of action, and any security policy should be disabled only with caution.

Key findings

  • Client-Side Configuration: The error primarily results from security settings within the client's Office 365 environment, not the recipient's.
  • Internal vs. External: First, determine if the rejection is occurring internally within O365 or during external forwarding.
  • Remote Domains: Configuring Remote Domains in Exchange Online is critical for enabling external forwarding.
  • Anti-Spam Policy: The Anti-Spam Outbound Policy settings dictate whether auto-forwarding is permitted, and can be configured at the user or organizational level.
  • Mail Flow Rules: Mail flow rules allow for fine-grained control over external forwarding based on specified criteria (sender, recipient, domain).
  • Conditional Access Policies: Restrictive Conditional Access policies in Azure AD can unintentionally block external forwarding.
  • Connector Settings: Improperly configured connectors in Exchange Online can prevent external forwarding.
  • Anti-Spoofing Policies: Anti-spoofing measures can flag forwarded emails as spoofed, leading to blockage.
  • DMARC Impact: DMARC policies, especially with 'p=reject', can cause forwarded emails to fail authentication checks.
  • Legacy M365 Setup: In some circumstances, legacy mail configurations can be a factor.
  • End User Rules: Forwarding rules configured by end users may affect forwarding behavior.
  • Audit Logs: Audit logs can identify definitively what caused a forwarded message to be blocked.

Key considerations

  • Security Risks: Disabling or modifying security policies to allow forwarding introduces security risks, necessitating a careful evaluation of trade-offs.
  • Client Admin Involvement: Engaging the client's O365 administrator may be the most effective approach, since the issue originates in their tenant.
  • Granular Control: Leveraging mail flow rules and PowerShell provides enhanced control over external forwarding policies, improving security and compliance.
  • PowerShell Proficiency: PowerShell cmdlets offer a programmatic way to manage and control forwarding policies, but using them requires expertise.
  • Testing: Testing is crucial after any configuration change is introduced to production.
  • Anti-Spoofing Policies: Review anti-spoofing policies to ensure forwarded emails aren't incorrectly marked as spoofed and blocked.

What email marketers say
10 marketer opinions

Resolving the 'External Forwarding is not allowed' error in Office 365 when forwarding to G Workspace involves checking various settings and configurations within the Microsoft 365 environment. Possible causes include inactive email hosting from a previous M365 setup, restrictive Conditional Access policies, anti-phishing policies blocking forwarding, incorrect Exchange Online Protection (EOP) settings, outbound spam filter policies, connector settings, remote domain configurations, anti-spoofing policies, and end-user forwarding rules. Reviewing audit logs can help pinpoint the specific policy or rule causing the block.

Key opinions

  • Previous M365 Setup: If the sending organization was previously an M365 client and the email hosting is still active, it can cause forwarding issues.
  • Conditional Access Policies: Restrictive Conditional Access policies in Azure AD might unintentionally block external forwarding.
  • Anti-Phishing Policies: Anti-phishing policies in Microsoft 365 can block forwarding.
  • EOP Settings: Incorrect settings in Exchange Online Protection (EOP) can prevent emails forwarded to G Workspace from being delivered.
  • Outbound Spam Filter Policy: The Outbound Spam Filter Policy's 'Automatic forwarding' settings may be configured to block external forwarding.
  • Connector Settings: Incorrectly configured connectors in Exchange Online can block external forwarding.
  • Remote Domain Configuration: The remote domain settings for the G Workspace domain might not be configured to allow forwarding.
  • Anti-Spoofing Policies: Anti-spoofing policies may mark forwarded emails as spoofed, leading to them being blocked.
  • End-User Forwarding Rules: Forwarding rules configured by the end-user can sometimes cause these issues.
  • Audit Logs: Reviewing audit logs helps identify which specific policy or rule is causing the external forwarding to be blocked.

Key considerations

  • Security Risks: Disabling or modifying security policies (like anti-phishing) can increase security risks. Weigh the convenience of forwarding against potential vulnerabilities.
  • Granular Control: Use mail flow rules (transport rules) for granular control over which emails are allowed to be forwarded externally, based on specific criteria.
  • Whitelisting Domains: Whitelisting the recipient domain can help, but be cautious about whitelisting domains broadly due to potential spoofing risks.
  • Testing: After making any changes, thoroughly test the forwarding to ensure it works as expected and doesn't introduce other issues.
  • Documentation: Consult official Microsoft documentation for the most accurate and up-to-date information on configuring and troubleshooting forwarding settings.
Marketer view

Email marketer from Stack Overflow recommends ensuring that the remote domain settings for the G Workspace domain are configured to allow forwarding. This setting can be found in the Exchange admin center under 'Mail flow' -> 'Remote domains'.

April 2022 - Stack Overflow
Marketer view

Email marketer from Reddit explains that an end user could have configured a forwarding rule that is now causing the issue. Ask the end user to remove any forwarding rules and then test forwarding.

August 2024 - Reddit
Marketer view

Marketer from Email Geeks shares one thing that could cause this (if it's experienced on multiple M365 domains) is if the sending organisation was previously an M365 client and the email hosting is still active.

March 2022 - Email Geeks
Marketer view

Email marketer from Microsoft Tech Community highlights the importance of whitelisting the recipient domain in the Exchange Online Protection (EOP) settings. Adding the G Workspace domain to the allowed senders list can prevent emails forwarded to that domain from being blocked.

December 2023 - Microsoft Tech Community
Marketer view

Email marketer from Reddit suggests checking Conditional Access policies in Azure AD. Sometimes, a Conditional Access policy might be unintentionally blocking external forwarding. Reviewing these policies and excluding the affected users or applications can resolve the issue.

May 2021 - Reddit
Marketer view

Email marketer from SuperUser suggests modifying the Outbound Spam Filter Policy in the Security & Compliance Center. Specifically, check the 'Automatic forwarding' settings. You can choose to allow forwarding, but be aware of the potential risks.

November 2024 - SuperUser
Marketer view

Email marketer from Experts Exchange recommends reviewing connector settings in Exchange Online. Incorrectly configured connectors can sometimes block external forwarding. Ensuring the connectors are properly set up to allow outbound mail can resolve the issue.

January 2024 - Experts Exchange
Marketer view

Email marketer from Practical365 highlights reviewing audit logs to identify why external forwarding is being blocked. The audit logs can provide detailed information about the specific policies or rules that are causing the issue.

June 2022 - Practical365
Marketer view

Email marketer from Informational Website explains the impact of anti-spoofing settings on forwarding. If the forwarded email is being marked as spoofed, it may be blocked. Reviewing the anti-spoofing policies and making necessary adjustments can help.

December 2024 - Informational Website
Marketer view

Email marketer from Spiceworks shares that the anti-phishing policy in Microsoft 365 may be blocking forwarding. Disabling or modifying the anti-phishing policy to allow forwarding can sometimes resolve the problem, but caution is advised as it can increase security risks.

November 2022 - Spiceworks

What the experts say
5 expert opinions

Resolving the 'External Forwarding is not allowed' error in Office 365 when forwarding to G Workspace often involves understanding that the issue stems from security configurations within the client's O365 environment rather than the recipient's domain. The error is often an O365 internal rejection. It's crucial to have the client's administrator adjust settings to allow external forwarding. DMARC policies, particularly with a 'p=reject' setting, can also contribute to the error by causing authentication failures. Adjusting DMARC policies or advising clients to avoid forwarding are potential solutions.

Key opinions

  • O365 Configuration: The error is primarily due to security settings on the client's O365 instance blocking automatic external forwarding.
  • Internal Rejection: The message may not be leaving O365; it might be an internal rejection within their system.
  • Admin Action Required: The administrator of the Office 365 account needs to adjust settings to allow external forwarding.
  • DMARC Impact: DMARC policies with 'p=reject' can cause forwarded emails to fail authentication, triggering the error.

Key considerations

  • O365 Admin Involvement: The easy/right thing to do is to have the client ask their O365 admin about the error, as they control the relevant settings.
  • Further Diagnosis: More details about the exact message would be needed to diagnose further.
  • Avoid Forwarding: If adjusting DMARC is not feasible, advising clients to avoid forwarding emails may be a practical workaround.
Expert view

Expert from Spam Resource points out that DMARC policies, especially with a 'p=reject' setting, can cause forwarded emails to fail authentication checks, resulting in the 'External Forwarding is not allowed' error. The recommendation is to advise clients to avoid forwarding or to adjust DMARC policies carefully.

February 2024 - Spam Resource
Expert view

Expert from Word to the Wise explains that the administrator of the Office 365 account needs to adjust the settings to allow external forwarding, as the default configuration often blocks this to prevent potential security risks.

August 2024 - Word to the Wise
Expert view

Expert from Email Geeks explains that he doesn't think the message is leaving O365 and that it's an O365 internal rejection, not a GSuite one.

July 2024 - Email Geeks
Expert view

Expert from Email Geeks explains that the error message Steve Douglas is seeing is from O365 when it's configured not to allow automatic external forwarding, and doesn't think that has much to do with the domain's configuration; rather, it's a security setting on the client's O365 instance.

October 2023 - Email Geeks
Expert view

Expert from Email Geeks responds that it might be possible to diagnose further with more details about the exact message, but the easy/right thing to do is have the client ask their O365 admin about it.

November 2022 - Email Geeks

What the documentation says
4 technical articles

Resolving the 'External Forwarding is not allowed' error in Office 365 involves several configuration options within Exchange Online. Key areas include configuring Remote Domains to allow automatic forwarding, adjusting settings in the Anti-Spam Outbound Policy to enable auto-forwarding for specific users or the entire organization (while acknowledging the security risks), and utilizing mail flow rules to manage external forwarding based on specific criteria. PowerShell cmdlets like `Set-RemoteDomain` can be used for more programmatic control.

Key findings

  • Remote Domains: Configuring Remote Domains in Exchange Online is necessary to allow external forwarding.
  • Anti-Spam Policy: The Anti-Spam Outbound Policy settings control whether auto-forwarding is allowed and can be configured for specific users or organization-wide.
  • Mail Flow Rules: Mail flow rules provide granular control over external forwarding based on sender, recipient, or domain.
  • PowerShell Management: PowerShell cmdlets like `Set-RemoteDomain` offer a programmatic way to manage external forwarding policies.
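
A read-only way to check each of the settings listed above from the sending tenant, as an added example that is not taken from the cited Microsoft documentation. It assumes the ExchangeOnlineManagement module and an admin session in the client's tenant; the mailbox and domain are placeholders.

```powershell
# Read-only diagnostic: nothing here changes tenant configuration.
# Both values below are placeholders, not values from this page.
$Mailbox      = 'user@client.example'    # mailbox whose forward is rejected
$TargetDomain = 'gworkspace.example'     # G Workspace domain being forwarded to

Connect-ExchangeOnline

# 1. Outbound spam filter policies. AutoForwardingMode is Automatic, On or Off.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode

# 2. Rules that decide which senders each custom outbound policy applies to.
Get-HostedOutboundSpamFilterRule |
    Select-Object Name, State, Priority, HostedOutboundSpamFilterPolicy,
                  From, FromMemberOf, SenderDomainIs

# 3. Remote domain matching the destination, else the default entry (*).
$remote = Get-RemoteDomain | Where-Object DomainName -eq $TargetDomain
if (-not $remote) {
    $remote = Get-RemoteDomain | Where-Object DomainName -eq '*'
}
$remote | Select-Object Name, DomainName, AutoForwardEnabled

# 4. Forwarding configured on the mailbox object itself.
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress,
                  DeliverToMailboxAndForward

# 5. End-user inbox rules that forward or redirect mail.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo

# 6. Enabled mail flow rules, listed for manual review of their conditions.
Get-TransportRule | Where-Object State -eq 'Enabled' |
    Select-Object Name, Priority, Mode, MessageTypeMatches,
                  RejectMessageReasonText
```

Comparing the output of steps 1 to 3 with steps 4 and 5 shows whether the block comes from tenant policy or from how the user set up the forward.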

Key considerations

  • Security Risks: Enabling open forwarding can pose security risks, so carefully consider the implications before allowing forwarding for the entire organization.
  • Granular Control: Using mail flow rules allows for more targeted control over who can forward emails externally, minimizing potential risks.
  • Policy Adjustments: Administrators need to adjust anti-spam outbound policies to allow auto-forwarding either for specific users or the entire organization.
Technical article

Documentation from Microsoft Learn explains that to allow external forwarding, you need to configure Remote Domains in Exchange Online. You must create a new remote domain or modify the default one to allow automatic forwarding.

January 2024 - Microsoft Learn
Technical article

Documentation from Microsoft Support details that if auto-forwarding is disabled, the administrator needs to check the settings in the Anti-Spam Outbound Policy. They can either allow forwarding for specific users or for the entire organization, understanding the security risks associated with open forwarding.

November 2022 - Microsoft Support
Technical article

Documentation from Microsoft Learn covers using mail flow rules (transport rules) to manage external forwarding. Admins can create rules to allow or block forwarding based on specific criteria, such as sender, recipient, or domain. This allows granular control over which emails are allowed to be forwarded externally.

August 2024 - Microsoft Learn
Technical article

Documentation from Microsoft Learn states that administrators can use PowerShell cmdlets like `Set-RemoteDomain` to configure forwarding settings for remote domains. This provides a more programmatic way to manage and control external forwarding policies.

June 2021 - Microsoft Learn
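
The organization-wide setting next to a scoped alternative for the outbound policy and remote domain changes described in the articles above, as an added example that is not code from Microsoft's documentation. It assumes an admin session in the sending tenant; the policy name, sender address and domain are placeholders.

```powershell
# Assumes Connect-ExchangeOnline has already been run in the client tenant.
# All three values below are placeholders, not values from this page.
$PolicyName   = 'Allow external forwarding (scoped)'
$Forwarders   = 'user@client.example'    # only these senders may auto-forward
$TargetDomain = 'gworkspace.example'     # only this destination is enabled

# Broad setting, shown for contrast and left commented out: it enables
# external auto-forwarding for every sender covered by the default policy.
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode On

# Scoped setting: a separate outbound policy with forwarding on ...
New-HostedOutboundSpamFilterPolicy -Name $PolicyName -AutoForwardingMode On

# ... applied only to the named senders through its own rule.
$rule = @{
    Name                           = $PolicyName
    HostedOutboundSpamFilterPolicy = $PolicyName
    From                           = $Forwarders
}
New-HostedOutboundSpamFilterRule @rule

# Remote domain entry for the one destination. The default (*) entry is
# left untouched; tightening it is a separate decision for the tenant admin.
if (-not (Get-RemoteDomain | Where-Object DomainName -eq $TargetDomain)) {
    New-RemoteDomain -Name $TargetDomain -DomainName $TargetDomain
}
Set-RemoteDomain -Identity $TargetDomain -AutoForwardEnabled $true

# Confirm the resulting state before testing a forwarded message.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-HostedOutboundSpamFilterRule |
    Select-Object Name, State, HostedOutboundSpamFilterPolicy, From
Get-RemoteDomain | Select-Object DomainName, AutoForwardEnabled
```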