Email remains one of the most common channels for data exchange, and also one of the most exploited attack vectors. Organizations handling financial, legal, or confidential information often need tight control over who can send emails to their users and where users can send emails.
Using Microsoft 365, administrators can enforce strict email communication policies through Exchange Online Mail Flow Rules (Transport Rules). This article explains the complete end-to-end process to:
Allow email communication only with approved external domains
Block all other external email traffic (incoming and outgoing)
Restrict email attachment size to 512 KB
Apply rules only to selected mailboxes
Approved external domains used in this article:
@partnerbank.example
@trustedvendor.example
Maximum allowed attachment size: 512 KB
Why restrict email communication:
Prevent data leakage and accidental sharing
Reduce phishing and ransomware exposure
Enforce compliance and audit requirements
Control document flow via email
Secure high-risk or sensitive mailboxes
Before starting, ensure:
You have Global Administrator or Exchange Administrator access
Mailboxes already exist in Microsoft 365
Approved domains list is finalized
Users are informed about upcoming restrictions
Log in to https://admin.microsoft.com
Go to Admin Centers
Click Exchange
Navigate to Mail Flow > Rules
(Allow sending only to approved domains)
Blocks outgoing emails sent to any external domain except the approved list.
Rule Name: Outgoing Restriction - Approved Domains Only
Apply this rule if:
Sender is Inside the organization
Sender address equals:
AND Recipient domain does NOT include:
partnerbank.example
trustedvendor.example
Do the following:
Block the message
Reject with explanation:
"Email sending is restricted to approved partner domains only."
Additional Settings:
Stop processing more rules: Enabled
Mode: Enforce
Result:
Users cannot send emails to any unapproved external domain.
(Allow receiving only from approved domains)
Prevents unauthorized external senders from emailing protected mailboxes.
Rule Name: Incoming Restriction - Approved Domains Only
Apply this rule if:
Recipient address equals:
AND Sender domain does NOT include:
partnerbank.example
trustedvendor.example
Do the following:
Block the message
Reject with explanation:
"This mailbox accepts emails only from authorized partner domains."
Mode: Enforce
Result:
Only trusted external partners can send emails to these mailboxes.
(Limit attachment size to 512 KB)
Prevents large file transfers via email.
Rule Name: Attachment Limit - 512KB
Apply this rule if:
Sender address equals:
AND Any attachment size is greater than 512 KB
Do the following:
Block the message
Reject with explanation:
"Attachments larger than 512 KB are not permitted. Please share files via secure links."
Mode: Enforce
Result:
Large files must be shared via OneDrive, SharePoint, or secure portals.
Ensure rules are ordered as follows:
Outgoing restriction rule
Incoming restriction rule
Attachment size restriction rule
This avoids rule conflicts and ensures predictable behavior.
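The same three rules, in the same priority order, created with Exchange Online PowerShell; this is an added example and not part of the original article. The mailbox addresses and the tenant domain contoso.example are placeholders, and the internal domain is deliberately added to the outgoing rule's exception list, because a "recipient domain is not in the approved list" condition would otherwise also reject mail to colleagues in the same tenant.

```powershell
# Added example: builds the article's three mail flow rules with the
# ExchangeOnlineManagement module. Mailboxes and tenant domain are placeholders.
Connect-ExchangeOnline

$protectedMailboxes = @('finance@contoso.example', 'legal@contoso.example')  # placeholder
$approvedDomains    = @('partnerbank.example', 'trustedvendor.example')
$internalDomains    = @('contoso.example')  # placeholder: your own accepted domains

# Rule 1 (priority 0): protected mailboxes may send only to approved partner
# domains. Internal domains are excepted so colleague-to-colleague mail still flows.
New-TransportRule -Name 'Outgoing Restriction - Approved Domains Only' `
    -Priority 0 `
    -FromScope InOrganization `
    -From $protectedMailboxes `
    -ExceptIfRecipientDomainIs ($approvedDomains + $internalDomains) `
    -RejectMessageReasonText 'Email sending is restricted to approved partner domains only.' `
    -StopRuleProcessing $true `
    -Mode Enforce

# Rule 2 (priority 1): external senders may reach protected mailboxes only from
# approved domains. FromScope NotInOrganization keeps internal senders unaffected.
New-TransportRule -Name 'Incoming Restriction - Approved Domains Only' `
    -Priority 1 `
    -FromScope NotInOrganization `
    -SentTo $protectedMailboxes `
    -ExceptIfSenderDomainIs $approvedDomains `
    -RejectMessageReasonText 'This mailbox accepts emails only from authorized partner domains.' `
    -Mode Enforce

# Rule 3 (priority 2): reject any attachment over 512 KB sent from protected mailboxes.
New-TransportRule -Name 'Attachment Limit - 512KB' `
    -Priority 2 `
    -From $protectedMailboxes `
    -AttachmentSizeOver 512KB `
    -RejectMessageReasonText 'Attachments larger than 512 KB are not permitted. Please share files via secure links.' `
    -Mode Enforce

# Confirm the rules exist in the intended order and mode before relying on them.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, Mode, State
```

Run with -Mode Audit first and review message trace results, then switch the rules to Enforce with Set-TransportRule once the impact is understood.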
Send email to approved domain -> Allowed
Send email to unapproved domain -> Blocked
Receive email from approved domain -> Allowed
Receive email from unapproved domain -> Blocked
Send attachment >512 KB -> Blocked
Send attachment <512 KB -> Allowed
Optional: Use Audit mode first to monitor impact without blocking.
Recommended practices:
Maintain a documented approved domain list
Review rules quarterly
Educate users about restrictions
Use rejection messages that explain next steps
Combine with Microsoft Defender for Email
Enable message trace for troubleshooting
Typical use cases:
Banking and financial communications
Vendor invoice processing
Legal and compliance teams
Management and admin accounts
High-risk email addresses
By using Exchange Online mail flow rules, organizations can fully control email communication boundaries and file sharing behavior. Domain-restricted email access combined with strict attachment size limits provides a strong, simple, and effective email security posture in Microsoft 365, especially for sensitive or compliance-driven environments.