Test mail flow rules in Exchange Online
In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you should test new mail flow rules (also known as transport rules) before you turn them on. This way, if you accidentally create a condition that doesn't do exactly what you want or interacts with other rules in unexpected ways, you won't have any unintended consequences.
Wait at least 30 minutes after creating a rule before you test it. If you test immediately after you create the rule, you may get inconsistent behavior.
Step 1: Create a rule in test mode
DLP and policy tips are not available in standalone EOP.
You can evaluate the conditions for a rule without taking any actions that impact mail flow by choosing a test mode. You can set up a rule so that you get an email notification any time the rule is matched, or you can look at the Look at the message trace for messages that might match the rule. There are two test modes:
Test without Policy Tips: Use this mode together with an incident report action, and you can receive an email message each time an email matches the rule.
Test with Policy Tips: This mode is only available if you're using Data loss prevention (DLP), which is available with some Exchange Online and Exchange Online Protection (EOP) subscription plans. With this mode, a message is set to the sender when a message they are sending matches a policy, but no mail flow actions are taken.
Here's what you'll see when a rule is matched if you include the incident report action:
Use a test mode with an incident report action
In the Exchange admin center (EAC), go to Mail flow > Rules.
Create a new rule, or select an existing rule, and then select Edit.
Scroll down to the Choose a mode for this rule section, and then select Test without Policy Tips or Test with Policy Tips.
Add an incident report action:
Select Add action, or, if this isn't visible, select More options, and then select Add action.
Select Generate incident report and send it to.
Click Select one... and select yourself or someone else.
Select Include message properties, and then select any message properties that you want included in the email you receive. If you don't select any, you will still get an email when the rule is matched.
Step 2: Evaluate whether your rule does what you intend
To test a rule, you can either send enough test messages to confirm that what you expect happens, or look at the message trace for messages that people in your organization send. Be sure to evaluate the following types of messages:
- Messages that you expect to match the rule
- Messages that you don't expect to match the rule
- Messages sent to and from people in your organization
- Messages sent to and from people outside your organization
- Replies to messages that match the rule
- Messages that might cause interactions between multiple rules
Tips for sending test messages
One way to test is to sign in as both the sender and recipient of a test message.
If you don't have access to multiple accounts in your organization, you can test in a trial account or create a few temporary fake users in your organization.
Because a web browser typically doesn't let you have simultaneous open sessions on the same computer signed in to multiple accounts, you can use Internet Explorer InPrivate Browsing, or a different computer, device, or web browser for each user.
Look at the message trace
The message trace includes an entry for each rule that is matched for the message, and an entry for each action the rule takes. This is useful for tracking what happens to test messages, and also for tracking what happens to real messages going through your organization.
In the EAC, go to Mail flow > Message trace.
Find the messages that you want to trace by using criteria such as the sender and the date sent. For help specifying criteria, see Run a Message Trace and View Results.
After locating the message you want to trace, double-click it to view details about the message.
Look in the Event column for Transport rule. The Action column shows the specific action taken.
Step 3: When you're done testing, set the rule to enforce
In the EAC, go to Mail flow > Rules.
Select a rule, and then select Edit.
If you used an action to generate an incident report, select the action and then select Remove.
To avoid surprises, inform your users about new rules.
Here are some common problems and resolutions:
Everything looks right, but the rule isn't working.
Occasionally it takes longer than 15 minutes for a new mail flow to be available. Wait a few hours, and then test again. Also check to see if another rule might be interfering. Try changing this rule to priority 0 by moving it to the top of the list.
Disclaimer is added to original message and all replies, instead of just the original message.
To avoid this, you can add an exception to your disclaimer rule to look for a unique phrase in the disclaimer.
My rule has two conditions, and I want the action to happen when either of the conditions is met, but it only is matched when both conditions are met.
You need to create two rules, one for each condition. You can easily copy the rule by selecting Copy and then remove one condition from the original and the other condition from the copy.
I'm working with distribution groups, and The sender is ( SentTo) doesn't seem to be working.
SentTo matches messages where one of the recipients is a mailbox, mail-enabled user, or contact, but you can't specify a distribution group with this condition. Instead, use To box contains a member of this group ( SentToMemberOf).
Other testing options
If you're using Exchange Online or Exchange Online Protection, you can check the number of times each rule is matched by using a rules report. In order to be included in the reports, a rule must have the Audit this rule with severity level check box selected. These reports help you spot trends in rule usage and identify rules that are not matched.
To view a rules report, in the Microsoft 365 admin center, select Reports.
While most data is in the report within 24 hours, some data may take as long as 5 days to appear.
To learn more, see View mail protection reports.