You created an Outlook rule to automatically forward certain emails to an external address, but the rule does not run. The rule appears enabled, yet messages stay in your Inbox. This happens because your Microsoft 365 tenant has an auto-forwarding policy that blocks external forwarding at the Exchange Online level. This article explains why the tenant policy overrides your Outlook rule and provides three workarounds that let you achieve external forwarding without violating the policy.
Key Takeaways: Working Around Tenant Auto-Forward Blocks
- Mail Flow Rule (Transport Rule): Create a server-side mail flow rule in Exchange Admin Center to forward messages to an external address while bypassing the client-side rule block.
- Power Automate Flow: Build a cloud flow that triggers on new email arrival and forwards selected messages to an external address without using a client rule.
- Shared Mailbox with Delegate Access: Grant a delegate send-as permission and use a separate Outlook profile to manually forward messages from a shared mailbox.
Why the Tenant Policy Blocks Your Outlook Rule
Microsoft 365 tenants have a default anti-phishing and data loss prevention policy that blocks automatic forwarding to external domains. This policy is managed in the Exchange admin center under Mail Flow > Remote Domains. When the setting Automatic Forwarding is set to Block, any client-side Outlook rule that tries to forward a message to an address outside the tenant is silently ignored. The rule still appears enabled in Outlook, but the server never executes the forward action.
The block applies regardless of whether you use a rule created in Outlook desktop, Outlook on the web, or Outlook for Mac. It is a server-side enforcement that overrides all client-side forwarding rules. The policy exists to prevent data exfiltration and spam abuse. Only tenant administrators can modify this setting, but many organizations keep it enabled for security compliance.
Three Workarounds to Auto-Forward Externally
Workaround 1: Create a Mail Flow Rule in Exchange Admin Center
A mail flow rule (also called a transport rule) runs on the Exchange server before the message reaches the recipient’s mailbox. Unlike a client-side rule, a mail flow rule is not affected by the remote domain automatic forwarding block. You need Exchange admin permissions to create this rule.
- Open Exchange Admin Center
Go to https://admin.exchange.microsoft.com and sign in with an administrator account. - Navigate to Mail flow > Rules
In the left navigation, select Mail flow and then click Rules. - Create a new rule
Click + Add a rule and select Create a new rule. - Set rule name and conditions
Enter a name like “Auto-forward specific emails to external”. Under Apply this rule if, choose a condition such as The sender is (user) or The subject or body includes (keywords). - Set the forward action
Under Do the following, select Forward the message to and then these recipients. Enter the external email address. - Enable the rule
Check Enforce at the bottom and click Next. Review the settings and click Finish.
The mail flow rule forwards matching messages before they reach the mailbox. The recipient will not see the forwarded message in their Sent Items folder because the rule operates on the server. If you need to keep a copy in the mailbox, add the action Blind carbon copy (Bcc) the message to and include the original recipient’s internal address.
Workaround 2: Use Power Automate to Forward Emails
Power Automate (formerly Microsoft Flow) can monitor a mailbox and forward emails to an external address without relying on an Outlook rule. This method works even when the tenant blocks automatic forwarding. You need a Power Automate license (included with most Microsoft 365 Business plans).
- Open Power Automate
Go to https://make.powerautomate.com and sign in with your work account. - Create an automated cloud flow
Click Create in the left pane, then select Automated cloud flow. - Choose the trigger
Search for When a new email arrives (V3) from the Outlook connector. Select it and click Create. - Configure the trigger
Set the folder to Inbox. Optionally add filters such as From or Subject contains to limit which emails trigger the flow. - Add a forward action
Click + New step. Search for Forward an email (V2) from the Outlook connector. In the Message Id field, select Message Id from the dynamic content list. In the To field, enter the external email address. - Save and test
Click Save. Send a test email that matches your filter and verify the flow forwards it to the external address.
Power Automate runs in the cloud and is not subject to the remote domain automatic forwarding policy. The forwarded message appears in the external recipient’s inbox. The original email remains in your Inbox unless you add a Delete or Move to folder action afterward.
Workaround 3: Use a Shared Mailbox with Delegate Access
If you need to forward emails from a shared mailbox that multiple users access, you can grant a delegate full access and send-as permissions. The delegate then manually forwards messages from the shared mailbox. This is not automatic but works when the tenant policy blocks all automated forwarding.
- Open Exchange Admin Center
Go to https://admin.exchange.microsoft.com and sign in as an admin. - Select the shared mailbox
Go to Recipients > Mailboxes. Find and select the shared mailbox. - Assign delegate permissions
In the mailbox properties pane, click Mailbox delegation. Under Read and manage, add the user who will forward emails. Under Send as, add the same user. Click Save. - Add the shared mailbox to Outlook
The delegate opens Outlook, goes to File > Account Settings > Account Settings, selects the email account, clicks Change, then More Settings > Advanced, and adds the shared mailbox under Open these additional mailboxes. - Forward emails manually
In Outlook, the delegate opens the shared mailbox folder, selects an email, and clicks Forward. The external address is entered in the To field. The email is sent from the shared mailbox address.
This workaround requires human intervention for each forwarded email. It is suitable for low-volume forwarding or when compliance requires manual review before sending.
If the Workarounds Still Do Not Work
Power Automate flow fails with a 403 error
A 403 error indicates that the connector does not have permission to forward messages. Go to Power Automate > Solutions and check if the Outlook connector has the required consent. An admin may need to approve the connector in the Azure AD Enterprise Applications blade. If the tenant has a conditional access policy that blocks automated forwarding, the flow may still fail. In that case, contact your tenant admin to create an exception for the flow app.
Mail flow rule does not forward to external domains
If the mail flow rule is enabled but messages are not forwarded, check the rule’s priority. The rule must have a higher priority (lower number) than any rule that blocks forwarding. Also verify that the remote domain setting for the target domain is not set to Block automatic forwarding. An admin can check this in Exchange Admin Center > Mail flow > Remote domains. If the domain has a custom setting, change Automatic Forwarding to Allow for that specific domain only.
Forwarded emails go to spam on the external side
External email servers may treat forwarded messages as spam because the sender address does not match the envelope sender. To improve deliverability, configure SPF, DKIM, and DMARC records for your domain. If you use the mail flow rule, ensure the message is forwarded with the original sender preserved. In the rule action, select Forward the message to these recipients rather than Redirect the message to these recipients. Forwarding preserves the original sender, while redirecting changes the sender to the mailbox owner.
Outlook Client Rule vs Mail Flow Rule vs Power Automate: Key Differences
| Item | Outlook Client Rule | Mail Flow Rule (Exchange) | Power Automate Flow |
|---|---|---|---|
| Where it runs | On the user’s computer or Outlook client | On the Exchange server | In the Microsoft cloud (Azure Logic Apps) |
| Affected by tenant auto-forward block | Yes — rule is silently disabled | No — bypasses the block | No — uses API calls not subject to the block |
| Requires admin permissions | No | Yes (Exchange admin) | No (but connector consent may need admin) |
| Works offline | Yes (when Outlook is running) | Yes (server always online) | No (requires internet connection) |
| Supports complex conditions | Basic (sender, subject, recipient) | Advanced (any message property, attachment, header) | Advanced (multiple triggers, conditions, actions) |
| Forwarded message appears in Sent Items | Yes | No (unless Bcc action is added) | No |
You can now bypass the tenant policy that blocks automatic forwarding by using a mail flow rule, Power Automate, or a shared mailbox with delegate access. The mail flow rule is the most reliable for automated server-side forwarding. Power Automate offers flexibility with custom filters and actions. If your organization requires manual approval before forwarding, the delegate method is the best choice. Before implementing any workaround, verify your compliance requirements with your IT department to ensure the method aligns with your company’s data protection policies.