Create a Transport Protection Rule

Applies to: Exchange Server 2013

You can use transport protection rules to apply persistent rights protection to messages based on properties such as sender, recipient, message subject, and content.


Before you create transport rules in your production environment, we recommend creating them in a test environment and testing them thoroughly. The transport rules created in this topic are examples. You can create transport rules by using the appropriate transport rule predicates and values based on your requirements.

For additional management tasks related to Information Rights Management (IRM), see Information Rights Management procedures.

What do you need to know before you begin?

  • Estimated time to completion: 2-5 minutes.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Transport rules" entry in the Messaging policy and compliance permissions topic.

  • A server running Active Directory Rights Management Services (AD RMS) must be available in your organization and contain existing RMS templates.

  • If you configure transport protection rules to protect messages using IRM, and you also use journaling, consider enabling journal report decryption to allow the Journaling agent to save an unencrypted copy of the message in the journal report. To learn more, see Journal report decryption.

  • After you create a transport protection rule, if the rule can't be applied to messages because an AD RMS server is unavailable, messages will be queued by the Transport service on Mailbox servers. Depending on the volume of these messages, additional disk space may be consumed on Mailbox servers. Exchange will attempt to IRM-protect the message three times. After these attempts, if the AD RMS server is unreachable or the message can't be IRM-protected, a non-delivery report (NDR) is sent to the sender.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.


Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.

Use the EAC to create a transport protection rule

  1. Navigate to Mail flow > Rules.

  2. In the list view, click New Add Icon..

  3. In New Rule, first click More options, and then complete the following fields:

    • Name: Type a name for the transport rule.

    • Apply this rule if: Select a condition and enter any required values for the condition. To add more conditions, click Add condition.


      If you don't select any conditions when creating a transport protection rule, all messages handled by Exchange 2013 servers with the Transport service in your organization are IRM-protected. IRM-protecting all messages requires more resources. Therefore, we recommend that you plan your Mailbox server and AD RMS deployment accordingly.

    • Do the following: Select Apply rights protection to the message with and then use the Select RMS template dialog box to select a template.

    • Except if: (Optional) Click Add exception to specify an exception to the rule.

  4. Click Save to create the transport rule.

Use the Shell to create a transport protection rule

  • To create a transport protection rule, you must have existing RMS templates in your AD RMS deployment. This example retrieves the available templates from your AD RMS cluster.

    Get-RMSTemplate | format-list

    For detailed syntax and parameter information, see Get-RMSTemplate.

  • This example creates the transport protection rule Protect-BusinessCriticalProject. The rule IRM-protects messages that contain the phrase "Business Critical" in the Subject field with the Do Not Forward template.


    The SubjectContainsWords predicate is used in this example. You can use any combination of transport rule predicates to form the conditions and exceptions for the rule. For information about the available predicates, see Transport rule conditions (predicates).

    New-TransportRule -Name "Protect-BusinessCriticalProject" -SubjectContainsWords "Business Critical" -ApplyRightsProtectionTemplate "Do Not Forward"

    For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?

To verify that you have successfully created a transport protection rule, do one of the following:

  • Use the EAC to verify that the rule has been created, and then click Edit Edit icon. to view the rule's properties.

  • Use the Get-TransportRule cmdlet to retrieve the rule. For an example of how to retrieve a rule, see Examples in Get-TransportRule.

  • Using Outlook, Outlook Web App, or a mobile device, send a test message that meets the rule conditions and check whether the message received by the recipient is IRM-protected.