Question on Forwarding

Question

Hi All,

In Exchange Admin Center → Mail Flow → Remote Domains, I currently have the following configuration:

• Name: Default
• Remote Domain: *
• Email Reply Types: Automatic Forwarding Not Allowed

This means automatic forwarding is blocked for the default remote domain (*). I have also created a few specific remote domain entries where automatic forwarding is allowed for selected trusted domains only. I was advised to also review the following setting:

Microsoft 365 Defender → Email & Collaboration → Policies & Rules → Threat Policies → Anti-spam → Outbound Policy (Default) Under protection settings:

• Automatic forwarding rules = Automatic - System controlled or
• **Off - Forwarding is disabled`

My questions are:

1. If I change the Automatic forwarding rules setting in Microsoft 365 Defender, does it take precedence over the Remote Domains configuration in Exchange Admin Center?
2. Since forwarding is blocked on the default remote domain and only allowed for selected domains, will setting Defender to Off - Forwarding is disabled block all external auto-forwarding, including those explicitly allowed in Remote Domains?
3. How do these two controls interact:
   • Exchange Admin Center → Remote Domains
   • Microsoft 365 Defender → Outbound Anti-spam Policy
4. Is there official Microsoft documentation that explains the precedence/order of evaluation between these settings? Any guidance would be appreciated.

Answer 1

Hi Glenn Maxwell

Thank you for reaching out to Microsoft Q&A forum

I have conducted some research and to directly answer your questions:

If I change the Automatic forwarding rules setting in Microsoft 365 Defender, does it take precedence over the Remote Domains configuration in Exchange Admin Center?

Technically, neither control strictly "takes precedence" in the traditional sense. When one setting allows external forwarding but another setting blocks it, the block typically wins. They are independent enforcement points, and a block at either layer is sufficient to stop forwarding.

Since forwarding is blocked on the default remote domain and only allowed for selected domains, will setting Defender to Off - Forwarding is disabled block all external auto-forwarding, including those explicitly allowed in Remote Domains?

Yes. If you configure remote domain settings to allow automatic forwarding, but automatic forwarding in the outbound spam filter policy is set to Off, automatically forwarded messages to recipients in the affected domains are blocked. As states in LINK Your Remote Domains allow-list for trusted domains will be overridden.

How do these two controls interact: Exchange Admin Center > Remote Domains and Microsoft 365 Defender > Outbound Anti-spam Policy

In this context, you can think of automatic email forwarding like passing through two separate gates in sequence both must allow it for forwarding to work. The first gate is the anti-spam (Defender) outbound policy, which controls whether a user is allowed to forward messages at all. The second gate is the remote domain setting in Exchange Admin Center (EAC), which controls where those messages can be forwarded. If either one blocks forwarding, the message won’t go through. In practice, this means you can enable forwarding at the policy level but still restrict which external domains users are allowed to send forwarded mail to.

From my perspective view, a useful way to apply this is to allow forwarding in outbound spam filter policies while using remote domains as a more precise allow/block list for specific destinations. Also note that the “Automatic (system-controlled)” setting now behaves the same as “Off,” meaning forwarding is effectively disabled unless you’ve explicitly enabled it in a custom policy.

*You can read here for more information: *Control automatic external email forwarding from cloud mailboxes

Hope my answer will help you.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

1. The outbound anti-spam policy and Remote Domains both apply, but the more restrictive setting wins. When one setting allows external forwarding and another blocks it, the block takes precedence.
2. With the current setup:
   • Default Remote Domain * = Automatic forwarding Not allowed (blocked for all external domains by default).
   • Specific Remote Domains = Automatic forwarding Allowed for selected trusted domains.
   If the outbound anti-spam policy is set to:
   • Automatic – System-controlled: This is now functionally the same as Off – Forwarding is disabled. Forwarding is blocked at the outbound spam policy level, even if Remote Domains allow it.
   • Off – Forwarding is disabled: All automatic external forwarding from cloud mailboxes is blocked by the outbound spam policy, including to domains that are explicitly allowed in Remote Domains.
   So yes: setting the Defender outbound policy to Off – Forwarding is disabled (or leaving it at Automatic – System-controlled) will block all automatic external forwarding from cloud mailboxes, even for the trusted domains that are allowed in Remote Domains.
3. Interaction between the two controls:
   • Exchange Admin Center → Remote Domains
     • Controls whether automatic forwarding (and other automatic replies) is allowed to specific external domains.
     • If a remote domain has automatic forwarding disabled, user-configured automatic forwarding (Inbox rules, Outlook/OWA forwarding) to that domain is blocked, even if the user tries to configure it.
   • Microsoft 365 Defender → Outbound Anti-spam Policy
     • Controls whether automatic external forwarding from cloud mailboxes is allowed at all.
     • Three values for automatic forwarding:
       • On – Forwarding is enabled (not shown in your snippet but available): allows automatic external forwarding, subject to other controls like Remote Domains and mail flow rules.
       • Automatic – System-controlled: now equivalent to Off – Forwarding is disabled for all organizations.
       • Off – Forwarding is disabled: blocks automatic external forwarding from cloud mailboxes.
   • Precedence / effective behavior (from the documented examples):
     • Remote Domain allows forwarding, Outbound spam policy = Off or Automatic – System-controlled → forwarding is blocked.
     • Outbound spam policy = On, Remote Domain or mail flow rule blocks forwarding → forwarding is blocked.
   In other words:
   • Outbound anti-spam policy is a global gate for automatic external forwarding from cloud mailboxes.
   • Remote Domains and mail flow rules provide additional, more granular control.
   • Any block at any layer (Outbound spam policy, Remote Domain, or mail flow rule) will prevent forwarding.
   For a configuration like yours (only allow forwarding to selected trusted domains):
   • Set outbound spam policy automatic forwarding to On – Forwarding is enabled.
   • Use Remote Domains to:
     • Block automatic forwarding on the default * domain.
     • Allow automatic forwarding only on the specific trusted remote domains.
4. Official documentation on precedence/order of evaluation: The precedence behavior is described explicitly in the “How the outbound spam filter policy settings work with other automatic email forwarding controls” section, including this key statement and table:
   • When one setting allows external forwarding and another setting blocks external forwarding, the block typically wins.
   • Example from the table:
     • Remote domain allows automatic forwarding + outbound spam policy = Off or Automatic – System-controlled → automatically forwarded messages are blocked.
     • Outbound spam policy = On + mail flow rules or remote domains block forwarding → automatically forwarded messages are blocked by mail flow rules or remote domains.
   Remote domain behavior and how it overrides per-user settings is documented under Remote Domains, including the note that if automatic forwarding is turned off on the default remote domain, users can still create rules, but messages will not be forwarded.

---

References:

• Control automatic external email forwarding from cloud mailboxes
• Remote domains in Exchange Online
• Manage remote domains in Exchange Online
• Configure email forwarding in Microsoft 365
• Configure email forwarding for a mailbox in Exchange Online