Mail flow rule conditions and exceptions (predicates) in Exchange Online
Article
Conditions and exceptions in mail flow rules (also known as transport rules) identify the messages that the rule is applied to or not applied to. For example, if the rule adds a disclaimer to messages, you can configure the rule to only apply to messages that contain specific words, messages sent by specific users, or to all messages except those sent by the members of a specific distribution group. Collectively, the conditions and exceptions in mail flow rules are also known as predicates, because for every condition, there's a corresponding exception that uses the exact same settings and syntax. The only difference is that conditions specify messages to include, while exceptions specify messages to exclude.
Most conditions and exceptions have one property that requires one or more values. For example, the The sender is condition requires the sender of the message. Some conditions have two properties. For example, the A message header includes any of these words condition requires one property to specify the message header field, and a second property to specify the text to look for in the header field. Some conditions or exceptions don't have any properties. For example, the Any attachment has executable content condition simply looks for attachments in messages that have executable content.
For more information about mail flow rules in Exchange Online, including how multiple conditions/exceptions or multi-valued conditions/exceptions are handled, see Mail flow rules (transport rules) in Exchange Online.
Conditions and exceptions for mail flow rules in Exchange Online
The tables in the following sections describe the conditions and exceptions that are available in mail flow rules in Exchange Online. The property types are described in the Property types section.
After you select a condition or exception in the Exchange admin center (EAC), the value that's ultimately shown in the Apply this rule if or Except if field is often different (shorter) than the "click path value" you selected. Also, when you create new rules based on a template (a filtered list of scenarios), you can often select a short condition name instead of following the complete click path. The short names and full click path values are shown in the EAC column in the tables.
If you select [Apply to all messages] in the EAC, you can't specify any other conditions. The equivalent in PowerShell is to create a rule without specifying any condition parameters.
The settings and properties are the same in conditions and exceptions; so, the output of the Get-TransportRulePredicate cmdlet doesn't list exceptions separately. Also, the names of some of the predicates that are returned by this cmdlet are different than the corresponding parameter names, and a predicate might require multiple parameters.
Senders
For conditions and exceptions that examine the sender's address, you can specify where rule looks for the sender's address.
In the EAC, in the Properties of this rule section, select Match sender address in message. You might need to select More options to see this setting. In PowerShell, the parameter is SenderAddressLocation. The available values are:
Header: Only examine senders in the message headers (From field). This value is the default value.
Envelope: Only examine senders from the message envelope (the MAIL FROM value that was used in the SMTP transmission, which is typically stored in the Return-Path field). Message envelope searching is only available for the following conditions (and the corresponding exceptions):
The sender is (From)
The sender is a member of (FromMemberOf)
The sender address includes (FromAddressContainsWords)
The sender address matches (FromAddressMatchesPatterns)
The sender's domain is (SenderDomainIs)
Header or envelope (HeaderOrEnvelope) Examine senders in the message header and the message envelope.
Messages where the specified Active Directory attribute of the sender contains text patterns that match the specified regular expressions.
Sender's IP address is in the range
The sender > IP address is in any of these ranges or exactly matches
SenderIPRanges ExceptIfSenderIPRanges
IPAddressRanges
Messages where the sender's IP address matches the specified IP address, or falls within the specified IP address range. The IP address that's used during evaluation of this condition is the address of the last hop before reaching the service. This IP address is not guaranteed to be the original sender's IP address, especially if third-party software is used during message transport.
The sender's domain is
The sender > domain is
SenderDomainIs ExceptIfSenderDomainIs
DomainName
Messages where the domain of the sender's email address matches the specified value.
This predicate will match domains and subdomains with domain provided. For example:
For the value "domain.com", both domain "domain.com" and subdomain "subdomain.domain.com" will be matched.
Recipients
For conditions and exceptions that examine the recipient's address, you can specify where rule looks for the recipient's address by using the RecipientAddressType parameter in PowerShell. Valid values are:
Original: Checks the original address in the To field of the email.
Resolved: Examine the recipient's primary SMTP email address (not proxy addresses). This value is the default value.
Note
If the Mail flow rule is configured to check for the recipient where the recipient is a distribution group, the rule won't be matched.
When the message is sent to a distribution group, the group will be resolved to distinct users of that group before reaching Mail flow rules and instead, will check every member of a group.
Condition or exception in the EAC
Condition and exception parameters in Exchange Online PowerShell
Property type
Description
The recipient is
The recipient > is this person
SentTo ExceptIfSentTo
Addresses
Messages where one of the recipients is the specified mailbox, mail user, or mail contact in the organization. The recipients can be in the To, Cc, or Bcc fields of the message.
Note: You can't specify distribution groups, mail-enabled security groups, or Microsoft 365 groups. If you need to take action on messages that are sent to a group, use the To box contains(AnyOfToHeader) condition instead.
The recipient is located
The recipient > is external/external
SentToScope ExceptIfSentToScope
UserScopeTo
Messages that are sent to internal or external recipients.
The recipient is a member of
The recipient > is a member of this group
SentToMemberOf ExceptIfSentToMemberOf
Addresses
Messages that contain recipients who are members of the specified distribution group, mail-enabled security group, or Microsoft 365 group. The group can be in the To, Cc, or Bcc fields of the message.
For more information about using Microsoft 365 groups with this condition, see the Addresses entry in the Property types section.
The recipient address includes
The recipient > address includes any of these words
Messages that contain the specified words in the recipient's email address.
Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.
The recipient address matches
The recipient > address matches any of these text patterns
Messages where a recipient's email address contains text patterns that match the specified regular expressions.
Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.
The recipient is on the sender's list
The recipient > is on the sender's supervision list
Messages where the specified Active Directory attribute of a recipient contains text patterns that match the specified regular expressions.
A recipient's domain is
The recipient > domain is
RecipientDomainIs ExceptIfRecipientDomainIs
DomainName
Messages where the domain of a recipient's email address matches the specified value.
This predicate will match domains and subdomains with domain provided. For example:
For the value "domain.com", both domain "domain.com" and subdomain "subdomain.domain.com" will be matched.
Message subject or body
Note
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.
Condition or exception in the EAC
Condition and exception parameters in Exchange Online PowerShell
Property type
Description
The subject or body includes
The subject or body > subject or body includes any of these words
If you suspect that your rule isn't working properly, first check which attachments the message contains.
To inspect which attachment/s the message contained during Mail flow rule evaluation, see Test-TextExtraction.
Condition or exception in the EAC
Condition and exception parameters in Exchange Online PowerShell
Property type
Description
Any attachment's content includes
Any attachment > content includes any of these words
Mail flow rules only can inspect the content of supported file types. If the mail flow rule finds an attachment file type that isn't supported, the AttachmentIsUnsupported condition is triggered. Supported file types for an attachment are listed here Use mail flow rules to inspect message attachments in Exchange Online.
Any attachment's file name matches
Any attachment > file name matches these text patterns
Messages where an attachment's file extension matches any of the specified words. Note: Nested attachments (files inside original attachments) extensions and original attachment extensions are inspected. If you want to see all attachment extensions evaluated by a mail flow rule for a specific message, see Test-TextExtraction.
Any attachment is greater than or equal to
Any attachment > size is greater than or equal to
AttachmentSizeOver ExceptIfAttachmentSizeOver
Size
Messages where any attachment is greater than or equal to the specified value.
In the EAC, you can only specify the size in kilobytes (KB).
Messages where the rules engine couldn't complete the scanning of the attachments. You can use this condition to create rules that work together to identify and process messages where the content couldn't be fully scanned.
Messages where an attachment is password protected (and therefore can't be scanned). Password detection works for Office documents, archive documents (.zip, .7z), and .pdf files.
has these properties, including any of these words
Any attachment > has these properties, including any of these words
Messages where the specified property of an attached Office document contains the specified words.
This condition helps you integrate mail flow rules with SharePoint, File Classification Infrastructure (FCI) in Windows Server 2012 R2 or later, or a third-party classification system.
You can select from a list of built-in properties, or specify a custom property.
Any recipients
The conditions and exceptions in this section provide a unique capability that affects all recipients when the message contains at least one of the specified recipients. For example, let's say you have a rule that rejects messages. If you use a recipient condition from the Recipients section, the message is only rejected for those specified recipients. For example, if the rule finds the specified recipient in a message, but the message contains five other recipients, then the message is rejected for that one recipient, and is delivered to the five other recipients.
If you add a recipient condition from this section, that same message is rejected for the detected recipient and the five other recipients.
Conversely, a recipient exception from this section prevents the rule action from being applied to all recipients of the message, not just for the detected recipients.
Note
These conditions don't consider messages that are sent to recipient proxy addresses. They only match messages that are sent to the recipient's primary email address.
These conditions are applied to all recipients in the current fork of the message only. If the message was bifurcated by any other action (for example, anti-malware or an earlier mail flow rule), the action will be applied on the matching fork only.
Condition or exception in the EAC
Condition and exception parameters in Exchange Online PowerShell
Property type
Description
Any recipient address includes
Any recipient > address includes any of these words
Messages where the To, Cc, or Bcc fields contain text patterns that match the specified regular expressions.
Message sensitive information types, To and Cc values, size, and character sets
The conditions in this section that look for values in the To and Cc fields behave like the conditions in the Any recipients section (all recipients of the message are affected by the rule, not just the detected recipients).
Notes:
The recipient conditions in this section don't consider messages that are sent to recipient proxy addresses. They only match messages that are sent to the recipient's primary email address.
For more information about using Microsoft 365 groups with the recipient conditions in this section, see the Addresses entry in the Property types section.
Condition or exception in the EAC
Condition and exception parameters in Exchange Online PowerShell
Property type
Description
The To box contains
The message > To box contains this person
AnyOfToHeader ExceptIfAnyOfToHeader
Addresses
Messages where the To field includes any of the specified recipients.
The To box contains a member of
The message > To box contains a member of this group
Messages where the To field contains a recipient who is a member of the specified distribution group, mail-enabled security group, or Microsoft 365 group.
The Cc box contains
The message > Cc box contains this person
AnyOfCcHeader ExceptIfAnyOfCcHeader
Addresses
Messages where the Cc field includes any of the specified recipients.
Messages where the To or Cc fields contains a recipient who is a member of the specified distribution group or mail-enabled security group.
The message size is greater than or equal to
The message > size is greater than or equal to
MessageSizeOver ExceptIfMessageSizeOver
Size
Messages where the total size (message plus attachments) is greater than or equal to the specified value.
In the EAC, you can only specify the size in kilobytes (KB).
Note: Message size limits on mailboxes are evaluated before mail flow rules' action. A message that's too large for a mailbox will be rejected before a rule with this condition is able to act on the message.
The message character set name includes any of these words
The message > character set name includes any of these words
Messages where the sender is either the manager of a recipient or is managed by a recipient.
The message is between members of these groups
The sender and the recipient > the message is between members of these groups
BetweenMemberOf1 and BetweenMemberOf2 ExceptIfBetweenMemberOf1 and ExceptIfBetweenMemberOf2
Addresses
Messages that are sent between members of the specified distribution groups or mail-enabled security groups.
For more information about using Microsoft 365 groups with this condition, see the Addresses entry in the Property types section.
The manager of the sender or recipient is
The sender and the recipient > the manager of the sender or recipient is this person
ManagerForEvaluatedUser and ManagerAddress ExceptIfManagerForEvaluatedUser and ExceptIfManagerAddress
First property: EvaluatedUser
Second property: Addresses
Messages where a specified user is either the manager of the sender or of a recipient.
The sender's and any recipient's property compares as
The sender and the recipient > the sender and recipient property compares as
ADComparisonAttribute and ADComparisonOperator ExceptIfADComparisonAttribute and ExceptIfADComparisonOperator
First property: ADAttribute
Second property: Evaluation
Messages where the specified Active Directory attributes for the sender and recipient either match or don't match.
Message properties
Condition or exception in the EAC
Condition and exception parameters in Exchange Online PowerShell
Property type
Description
The message type is
The message properties > include the message type
MessageTypeMatches ExceptIfMessageTypeMatches
MessageType
Messages of the specified type. Note: When Outlook or Outlook on the web (formerly known as Outlook Web App) is configured to forward a message, the ForwardingSmtpAddress property is added to the message. In thin clients like Outlook on the web, encryption as a message type is currently not supported. If the message has been forwarded using mailbox forwarding (also known as SMTP Forwarding), this condition/exception will not match during mail flow rule evaluation.
The message is classified as
The message properties > include this classification
HasClassification ExceptIfHasClassification
MessageClassification
Messages that have the specified message classification. This classification is a custom message classification that you can create in your organization by using the New-MessageClassification cmdlet.
Note: This condition/exception isn't available in standalone EOP environments.
The message isn't marked with any classifications
The message properties > don't include any classification
HasNoClassification ExceptIfHasNoClassification
n/a
Messages that don't have a message classification.
Note: This condition/exception isn't available in standalone EOP environments.
The message importance is set to
The message properties > include the importance level
WithImportance ExceptIfWithImportance
Importance
Messages that are marked with the specified "Importance" level.
Message headers
Note
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.
Condition or exception in the EAC
Condition and exception parameters in Exchange Online PowerShell
Property type
Description
A message header includes
A message header > includes any of these words
HeaderContainsMessageHeader and HeaderContainsWords ExceptIfHeaderContainsMessageHeader and ExceptIfHeaderContainsWords
First property: MessageHeaderField
Second property: Words
Messages that contain the specified header field, and the value of that header field contains the specified words.
The name of the header field and the value of the header field are always used together.
A message header matches
A message header > matches these text patterns
HeaderMatchesMessageHeader and HeaderMatchesPatterns ExceptIfHeaderMatchesMessageHeader and ExceptIfHeaderMatchesPatterns
First property: MessageHeaderField
Second property: Patterns
Messages that contain the specified header field, and the value of that header field contains the specified regular expressions.
The name of the header field and the value of the header field are always used together.
Property types
The property types that are used in conditions and exceptions are described in the following table:
Note
If the property is a string, trailing spaces aren't allowed.
Property type
Valid values
Description
ADAttribute
Select from a predefined list of Active Directory attributes
You can check against any of the following Active Directory attributes:
City
Company
Country
CustomAttribute1 - CustomAttribute15
Department
DisplayName
Email
FaxNumber
FirstName
HomePhoneNumber
Initials
LastName
Manager
MobileNumber
Notes
Office
OtherFaxNumber
OtherHomePhoneNumber
OtherPhoneNumber
PagerNumber
PhoneNumber
POBox
State
Street
Title
UserLogonName
ZipCode
In the EAC, to specify multiple words or text patterns for the same attribute, separate the values with commas. For example, the value San Francisco,Palo Alto for the City attribute looks for "City equals San Francisco" or "City equals Palo Alto".
In Exchange Online PowerShell, use the syntax "AttributeName1:Value1,Value 2 with spaces,Value3...","AttributeName2:Word4,Value 5 with spaces,Value6...", where Value is the word or text pattern that you want to match, for example, "City:San Francisco,Palo Alto" or "City:San Francisco,Palo Alto", "Department:Sales,Finance".
When you specify multiple attributes, or multiple values for the same attribute, the or operator is used. Don't use values with leading or trailing spaces.
The Country attribute requires the two-letter ISO 3166-1 country code value (for example, DE for Germany). For more information, see Country Codes - ISO 3166.
Addresses
Exchange Online recipients
Depending on the nature of the condition or exception, you might be able to specify any mail-enabled object in the organization (for example, recipient-related conditions), or you might be limited to a specific object type (for example, groups for group membership conditions). And, the condition or exception might require one value, or allow multiple values.
In Exchange Online PowerShell, separate the multiple values by commas.
This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.
The recipient picker in the EAC doesn't allow you to select Microsoft 365 groups from the list of recipients. But, you can enter the email address of a Microsoft 365 group in the box next to Check names, and then validate the email address by selecting Check names, which will add the group to the add box.
CharacterSets
Array of character set names
One or more content character sets that exist in a message. For example:
Arabic/iso-8859-6
Chinese/big5
Chinese/euc-cn
Chinese/euc-tw
Chinese/gb2312
Chinese/iso-2022-cn
Cyrillic/iso-8859-5
Cyrillic/koi8-r
Cyrillic/windows-1251
Greek/iso-8859-7
Hebrew/iso-8859-8
Japanese/euc-jp
Japanese/iso-022-jp
Japanese/shift-jis
Korean/euc-kr
Korean/johab
Korean/ks_c_5601-1987
Turkish/windows-1254
Turkish/iso-8859-9
Vietnamese/tcvn
DomainName
Array of SMTP domains
For example, contoso.com or eu.contoso.com.
In Exchange Online PowerShell, you can specify multiple domains separated by commas.
EvaluatedUser
Single value of Sender or Recipient
Specifies whether the rule is looking for the manager of the sender or of the recipient.
Evaluation
Single value of Equal or Not equal (NotEqual)
When comparing the Active Directory attribute of the sender and recipients, this property specifies whether the values should match, or not match.
Importance
Single value of Low, Normal, or High
The "Importance" level that was assigned to the message by the sender in Outlook or Outlook on the web.
IPAddressRanges
Array of IP addresses or address ranges
You enter the IPv4 addresses using the following syntax:
Single IP address: For example, 192.168.1.1.
IP address range: For example, 192.168.0.1-192.168.0.254.
Classless InterDomain Routing (CIDR) IP address range: For example, 192.168.0.1/25.
In Exchange Online PowerShell, you can specify multiple IP addresses or ranges separated by commas.
ManagementRelationship
Single value of Manager or Direct report (DirectReport)
Specifies the relationship between the sender and any of the recipients. The rule checks the Manager attribute in Active Directory to see if the sender is the manager of a recipient or is managed by a recipient.
MessageClassification
Single message classification
In the EAC, you select from the list of message classifications that you've created.
In Exchange Online PowerShell, you use the Get-MessageClassification cmdlet to identify the message classification.
For example, use the following command to search for messages with the Company Internal classification and prepend the message subject with the value CompanyInternal: New-TransportRule "Rule Name" -HasClassification @(Get-MessageClassification "Company Internal").Identity -PrependSubject "CompanyInternal"
MessageHeaderField
Single string
Specifies the name of the header field. The name of the header field is always paired with the value in the header field (word or text pattern match). The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers.
MessageType
Single message type value
Specifies one of the following message types:
Automatic reply (OOF)
Auto-forward (AutoForward)
Encrypted
Calendaring
Permission controlled (PermissionControlled)
Voicemail
Signed
Approval request (ApprovalRequest)
Read receipt (ReadReceipt)
Note: When Outlook or Outlook on the web is configured to forward a message, the ForwardingSmtpAddress property is added to the message.
Patterns
Array of regular expressions
Specifies one or more regular expressions that are used to identify text patterns in values. For more information, see Regular Expression Syntax.
In Exchange Online PowerShell, you specify multiple regular expressions separated by commas, and you enclose each regular expression within quotation marks ("). Regular Expressions used in Transport Rules are NOT case sensitive.
SCLValue
One of the following values:
Bypass spam filtering (-1)
Integers 0 through 9
Specifies the spam confidence level (SCL) that's assigned to a message. A higher SCL value indicates that a message is more likely to be spam.
Size
Single size value
Specifies the size of an attachment or the whole message.
In the EAC, you can only specify the size in kilobytes (KB).
In Exchange Online PowerShell, when you enter a value, qualify the value with one of the following units:
B (bytes)
KB (kilobytes)
MB (megabytes)
GB (gigabytes)
For example, 20 MB. Unqualified values are typically treated as bytes, but small values may be rounded up to the nearest kilobyte.
SupervisionList
Single value of Allow or Block
Supervision policies were a feature in Live@edu that allowed you to control who could send mail to and receive mail from users in your organization (for example, the closed campus and anti-bullying policies). In Microsoft 365 and Office 365, you can't configure supervision list entries on mailboxes.
UserScopeFrom
Single value of Inside the organization (InOrganization) or Outside the organization (NotInOrganization)
A sender is considered to be inside the organization if either of the following conditions is true:
The message was sent or received over an authenticated connection AND the sender meets at least one of the following criteria: The sender is a mailbox or a mail user or a group, or a mail-enabled public folder in the organization.
The sender's email address is in an accepted domain that's configured as an authoritative domain or in an internal relay domain, and the message was sent or received over an authenticated connection. For more information about accepted domains, see Manage accepted domains in Exchange Online.
A sender is considered to be outside the organization if either of the following conditions is true:
The sender's email address isn't in an accepted domain.
The sender's email address is in an accepted domain that's configured as an external relay domain.
Note: To determine whether mail contacts are considered to be inside or outside the organization, the sender's address is compared with the organization's accepted domains.
UserScopeTo
One of the following values:
Inside the organization (InOrganization)
Outside the organization (NotInOrganization)
A recipient is considered to be inside the organization if any of the following conditions are true:
The recipient is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization.
The recipient's email address is in an accepted domain that's configured as an authoritative domain or in an internal relay domain, and the message was sent or received over an authenticated connection.
The recipient's domain is in a remote domain with the IsInternal parameter being set to the value $true.
A recipient is considered to be outside the organization if either of the following conditions is true:
The recipient's email address isn't in an accepted domain.
The recipient's email address is in an accepted domain that's configured as an external relay domain.
Words
Array of strings
Specifies one or more words to look for. The words aren't case-sensitive, and can be surrounded by spaces and punctuation marks. Wildcards and partial matches aren't supported. For example, "contoso" matches " Contoso".
However, if the text is surrounded by other characters, it isn't considered a match. For example, "contoso" doesn't match the following values:
Acontoso
Contosoa
Acontosob
The asterisk (*) is treated as a literal character, and isn't used as a wildcard character.
The "at" sign (@) is also treated as a literal character. Therefore, if it's used when searching Recipient Addresses, it won't match. For example:
@contoso.com won't match user@contoso.com
contoso.com will match user@contoso.com
In this scenario, the correct way to set up matching patterns is to use either ExceptIfRecipientDomainIs or ExceptIfRecipientAddressMatchesPatterns
Email continues to be the primary and preferred method of communication for many businesses. In some situations, emails are also received as official electronic forms of approval. This module will provide you with a list of best practices that you can follow by using Microsoft Power Automate for outgoing and incoming emails.