Excerpt
Our all-hands list rejected internal senders after we allowed two external addresses. Here’s what happened, how to fix it cleanly in Exchange Online, and a PowerShell snippet you can reuse.
Intro
Two days ago, I could email everyone@[redacted].com just fine. Today, my message bounced: “this group only accepts messages from people in its organization or on its allowed senders list.” We’d recently added two partner addresses (s@[partner].com, j@[partner].com) so they could email the DL. That change flipped the DL into strict allow-list mode—blocking even internal senders who weren’t explicitly listed. Here’s the minimal, durable fix.
Straight line (what happened)
• Symptom: NDR when sending to everyone@[redacted].com from an internal account.
• State check showed:
– RequireSenderAuthenticationEnabled: False
– AcceptMessagesOnlyFromSendersOrMembers: {} (and earlier, it contained only the two partner GUIDs).
• Root cause: Delivery management was saved in “only these senders” mode; membership/ownership doesn’t matter in that state.
• Goal: Let all internal, authenticated users send; allow only specific externals; block the rest.
Fix (clean model)
- Let internal, authenticated users send to the DL (no hard allow-list on the group).
- Enforce external restrictions with a transport rule that allows only the partner exceptions.
Commands (PowerShell — Exchange Online)
Connect
Connect-ExchangeOnline -ShowBanner:$false
Allow internal, authenticated senders (clear hard allow-list)
Set-DistributionGroup everyone@[redacted].com `
-AcceptMessagesOnlyFromSendersOrMembers $null `
-RequireSenderAuthenticationEnabled:$true
Create the external block rule with an allow-list
# remove if an older copy exists (safe if none)
Get-TransportRule "Block external to Everyone (except allow-list)" -ErrorAction SilentlyContinue |
Remove-TransportRule -Confirm:$false
New-TransportRule "Block external to Everyone (except allow-list)" `
-FromScope NotInOrganization `
-AnyOfToHeader "everyone@[redacted].com" `
-ExceptIfFrom "s@[partner].com","j@[partner].com" `
-RejectMessageReasonText "External senders are not allowed for this list."
Verify
Get-DistributionGroup everyone@[redacted].com |
fl PrimarySmtpAddress,RequireSenderAuthenticationEnabled,AcceptMessagesOnlyFromSendersOrMembers
Get-TransportRule "Block external to Everyone (except allow-list)" |
fl Name,State,FromScope,AnyOfToHeader,ExceptIfFrom
Update the allow-list later
# add another partner
Set-TransportRule "Block external to Everyone (except allow-list)" `
-ExceptIfFrom @{Add="newuser@[partner].com"}
# remove a partner
Set-TransportRule "Block external to Everyone (except allow-list)" `
-ExceptIfFrom @{Remove="j@[partner].com"}
Smoke tests
• Internal sender → everyone@[redacted].com: delivers.
• External sender (not on list): NDR with “External senders are not allowed…”
• Allowed partner (s@[partner].com or j@[partner].com): delivers.
Why not leave the DL in allow-list mode?
Because it’s brittle. Every internal sender must be explicitly added, which guarantees future bounces and admin toil. Using RequireSenderAuthenticationEnabled for internal mail + a transport rule for externals gives you clarity and control.
Final reflection
Small toggles can have outsized effects. DL delivery settings look simple, but one checkbox can silently change who’s “allowed.” The durable pattern is: authenticate inside, whitelist outside, and verify with a quick trace.
Pocket I’m keeping
• Always snapshot DL settings before/after a change.
• Prefer transport rules for external policy; don’t hard-gate internals via allow-lists.
• Add a ready-to-run “add/remove external exception” snippet to the runbook.
What I hear now
Clarity beats cleverness. Make the rule obvious enough that the next admin can read it and know exactly who can send and why.
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.