Summary
Resolving the 'External Forwarding is not allowed' error in Office 365 when clients forward to G Workspace involves a multi-faceted approach focused on the sender's (Office 365) configuration. The problem often stems from security measures intended to prevent spam and phishing. Initially, confirm that the issue is indeed external forwarding, as it could be an internal O365 rejection. Key configuration areas to examine include Remote Domains, Anti-Spam Outbound Policy, Mail Flow Rules (transport rules), Conditional Access policies in Azure AD, connector settings in Exchange Online, anti-spoofing policies, and DMARC settings. Further, whitelisting the recipient domain in Exchange Online Protection (EOP), reviewing audit logs, checking for end-user forwarding rules, and considering legacy setups (previous M365 clients) can aid resolution. PowerShell cmdlets provide advanced management capabilities. In some cases, engaging the client's O365 admin for direct intervention is the most effective course of action, and caution must be applied to disabling any security policies.
Key findings
- Client-Side Configuration: The error primarily results from security settings within the client's Office 365 environment, not the recipient's.
- Internal vs. External: First, determine if the rejection is occurring internally within O365 or during external forwarding.
- Remote Domains: Configuring Remote Domains in Exchange Online is critical for enabling external forwarding.
- Anti-Spam Policy: The Anti-Spam Outbound Policy settings dictate whether auto-forwarding is permitted and configurable at user or organizational level.
- Mail Flow Rules: Mail flow rules allow for fine-grained control over external forwarding based on specified criteria (sender, recipient, domain).
- Conditional Access Policies: Restrictive Conditional Access policies in Azure AD can unintentionally block external forwarding.
- Connector Settings: Improperly configured connectors in Exchange Online can prevent external forwarding.
- Anti-Spoofing Policies: Anti-spoofing measures can flag forwarded emails as spoofed, leading to blockage.
- DMARC Impact: DMARC policies, especially with 'p=reject', can cause forwarded emails to fail authentication checks.
- Legacy M365 Setup: In some circumstances, legacy mail configurations can be a factor.
- End User Rules: End user forwarding rules may impact the configuration.
- Audit Logs: Audit Logs can provide the definitive source of the cause of the blocked forwarded message.
Key considerations
- Security Risks: Disabling or modifying security policies to allow forwarding introduces security risks, necessitating a careful evaluation of trade-offs.
- Client Admin Involvement: Engaging the client's O365 administrator may be the most effective approach, since the issue originates in their tenant.
- Granular Control: Leveraging mail flow rules and PowerShell provides enhanced control over external forwarding policies, improving security and compliance.
- PowerShell Proficiency: PowerShell cmdlets are a programmatic way to manage and control forwarding policies, requiring expertise to use.
- Testing: Testing is crucial after any configuration change is introduced to production.
- Anti-Spoofing Policies: Review anti-spoofing policies to ensure forwarded emails aren't incorrectly marked as spoofed and blocked.
What email marketers say
10 marketer opinions
Resolving the 'External Forwarding is not allowed' error in Office 365 when forwarding to G Workspace involves checking various settings and configurations within the Microsoft 365 environment. Possible causes include inactive email hosting from a previous M365 setup, restrictive Conditional Access policies, anti-phishing policies blocking forwarding, incorrect Exchange Online Protection (EOP) settings, outbound spam filter policies, connector settings, remote domain configurations, anti-spoofing policies, and end-user forwarding rules. Reviewing audit logs can help pinpoint the specific policy or rule causing the block.
Key opinions
- Previous M365 Setup: If the sending organization was previously an M365 client and the email hosting is still active, it can cause forwarding issues.
- Conditional Access Policies: Restrictive Conditional Access policies in Azure AD might unintentionally block external forwarding.
- Anti-Phishing Policies: Anti-phishing policies in Microsoft 365 can block forwarding.
- EOP Settings: Incorrect settings in Exchange Online Protection (EOP) can prevent emails forwarded to G Workspace from being delivered.
- Outbound Spam Filter Policy: The Outbound Spam Filter Policy's 'Automatic forwarding' settings may be configured to block external forwarding.
- Connector Settings: Incorrectly configured connectors in Exchange Online can block external forwarding.
- Remote Domain Configuration: The remote domain settings for the G Workspace domain might not be configured to allow forwarding.
- Anti-Spoofing Policies: Anti-spoofing policies may mark forwarded emails as spoofed, leading to them being blocked.
- End-User Forwarding Rules: Forwarding rules configured by the end-user can sometimes cause these issues.
- Audit Logs: Reviewing audit logs helps identify which specific policy or rule is causing the external forwarding to be blocked.
Key considerations
- Security Risks: Disabling or modifying security policies (like anti-phishing) can increase security risks. Weigh the convenience of forwarding against potential vulnerabilities.
- Granular Control: Use mail flow rules (transport rules) for granular control over which emails are allowed to be forwarded externally, based on specific criteria.
- Whitelisting Domains: Whitelisting the recipient domain can help, but be cautious about whitelisting domains broadly due to potential spoofing risks.
- Testing: After making any changes, thoroughly test the forwarding to ensure it works as expected and doesn't introduce other issues.
- Documentation: Consult official Microsoft documentation for the most accurate and up-to-date information on configuring and troubleshooting forwarding settings.
Marketer view
Email marketer from Stack Overflow recommends ensuring that the remote domain settings for the G Workspace domain are configured to allow forwarding. This setting can be found in the Exchange admin center under 'Mail flow' -> 'Remote domains'.
19 Jan 2023 - Stack Overflow
Marketer view
Email marketer from Reddit explains that an end user could have configured a forwarding rule that is now causing the issue. Ask the end user to remove any forwarding rules and then test forwarding.
9 Jan 2023 - Reddit
What the experts say
5 expert opinions
Resolving the 'External Forwarding is not allowed' error in Office 365 when forwarding to G Workspace often involves understanding that the issue stems from security configurations within the client's O365 environment rather than the recipient's domain. The error is often an O365 internal rejection. It's crucial to have the client's administrator adjust settings to allow external forwarding. DMARC policies, particularly with a 'p=reject' setting, can also contribute to the error by causing authentication failures. Adjusting DMARC policies or advising clients to avoid forwarding are potential solutions.
Key opinions
- O365 Configuration: The error is primarily due to security settings on the client's O365 instance blocking automatic external forwarding.
- Internal Rejection: The message may not be leaving O365; it might be an internal rejection within their system.
- Admin Action Required: The administrator of the Office 365 account needs to adjust settings to allow external forwarding.
- DMARC Impact: DMARC policies with 'p=reject' can cause forwarded emails to fail authentication, triggering the error.
Key considerations
- O365 Admin Involvement: The easy/right thing to do is to have the client ask their O365 admin about the error, as they control the relevant settings.
- Further Diagnosis: More details about the exact message would be needed to diagnose further.
- Avoid Forwarding: If adjusting DMARC is not feasible, advising clients to avoid forwarding emails may be a practical workaround.
Expert view
Expert from Spam Resource points out that DMARC policies, especially with a 'p=reject' setting, can cause forwarded emails to fail authentication checks, resulting in the 'External Forwarding is not allowed' error. The recommendation is to advise clients to avoid forwarding or to adjust DMARC policies carefully.
28 Sep 2024 - Spam Resource
Expert view
Expert from Word to the Wise explains that the administrator of the Office 365 account needs to adjust the settings to allow external forwarding, as the default configuration often blocks this to prevent potential security risks.
22 May 2024 - Word to the Wise
What the documentation says
4 technical articles
Resolving the 'External Forwarding is not allowed' error in Office 365 involves several configuration options within Exchange Online. Key areas include configuring Remote Domains to allow automatic forwarding, adjusting settings in the Anti-Spam Outbound Policy to enable auto-forwarding for specific users or the entire organization (while acknowledging the security risks), and utilizing mail flow rules to manage external forwarding based on specific criteria. PowerShell cmdlets like `Set-RemoteDomain` can be used for more programmatic control.
Key findings
- Remote Domains: Configuring Remote Domains in Exchange Online is necessary to allow external forwarding.
- Anti-Spam Policy: The Anti-Spam Outbound Policy settings control whether auto-forwarding is allowed and can be configured for specific users or organization-wide.
- Mail Flow Rules: Mail flow rules provide granular control over external forwarding based on sender, recipient, or domain.
- PowerShell Management: PowerShell cmdlets like `Set-RemoteDomain` offer a programmatic way to manage external forwarding policies.
Key considerations
- Security Risks: Enabling open forwarding can pose security risks, so carefully consider the implications before allowing forwarding for the entire organization.
- Granular Control: Using mail flow rules allows for more targeted control over who can forward emails externally, minimizing potential risks.
- Policy Adjustments: Administrators need to adjust anti-spam outbound policies to allow auto-forwarding either for specific users or the entire organization.
Technical article
Documentation from Microsoft Learn explains that to allow external forwarding, you need to configure Remote Domains in Exchange Online. You must create a new remote domain or modify the default one to allow automatic forwarding.
27 Oct 2024 - Microsoft Learn
Technical article
Documentation from Microsoft Support details that if auto-forwarding is disabled, the administrator needs to check the settings in the Anti-Spam Outbound Policy. They can either allow forwarding for specific users or for the entire organization, understanding the security risks associated with open forwarding.
11 Feb 2022 - Microsoft Support
Can a domain with poor reputation negatively affect other domains in Google Workspace?
Does using Microsoft O365 for business email affect email deliverability?
How can I implement a strict DMARC policy without blocking Google Workspace emails?
How do Google Groups impact DMARC when forwarding emails from multiple domains?
How do I fix DKIM alignment errors and configure DKIM signing for a custom domain in Microsoft 365 and is include:spf.mtasv.net required for mailchimp?
What are the new email authentication and unsubscribe requirements from Gmail and Yahoo for 2024?
