Transport Rules in Exchange 2016



Exchange transport rules are used to look for specific conditions in messages that pass through the organization and take action on them. For example, we might require that certain types of messages be blocked or rejected in order to meet legal or compliance requirements, or to implement specific business needs.

Transport rules are similar to the Inbox rules that are available in Outlook or OWA. The main difference is that transport rules take action on messages while they are in transit as opposed to after the message is delivered. Transport rules also contain a richer set of conditions, exceptions and actions, which provides administrators with the flexibility to implement many types of messaging policies.

If we use the Exchange Admin Center in Exchange 2013 to create a new transport rule, these are the conditions and actions available to us:

Figure 1

Figure 2

While in Exchange 2016 (build 15.01.0225.042 at the time of writing this article) we get the following:

Figure 3

Figure 4

Yes, the conditions available seem to be exactly the same while for the actions we only get a new one (the last one listed)… Really?! No, there are several improvements to transport rules in Exchange 2016.

Sensitive Information

When we create a transport rule in Exchange 2016 and select the The message contains sensitive information condition as per the following screenshot:

Figure 5

We now have 80 different types of sensitive information that we can look out for (compared to 51 in Exchange 2013 CU8):

Figure 6

If we look at the example of Portugal Citizen Card Number, this is what Exchange 2016 will look for when we use this type:

Format Eight digits
Pattern Eight digits
Checksum No
Definition A DLP policy is 85% confident that it’s detected this type of sensitive information if, within a proximity of 300 characters:

  • The regular expression Regex_portugal_citizen_card finds content that matches the pattern.
  • A keyword from Keyword_portugal_citizen_card is found.

<!– Portugal Citizen Card   Number –>

<Entity   id=”91a7ece2-add4-4986-9a15-c84544d81ecd” recommendedConfidence=”85″ patternsProximity=”300″>

<Pattern confidenceLevel=”85″>

<IdMatch idRef=”Regex_portugal_citizen_card”/>

<Match idRef=”Keyword_portugal_citizen_card”/>



Keywords Citizen Card

National ID Card


Cartão de Cidadão

Bilhete de Identidade

Table 1

These types are extremely useful as they make it easy to find and act on particular types of sensitive information.

Attachment Properties

With the new condition Any attachment has these properties, including any of these words, a transport rule can match messages where the specified property of the attached Office document contains specified words. This condition makes it easy to integrate Exchange transport rules and DLP policies with SharePoint Server, Windows Server 2012 R2 File Classification Infrastructure (FCI), or a third-party classification system:

Figure 7

Notify Recipient

With the new action Notify the recipient with a message, a transport rule can send a notification to the recipient with the text we specify. Microsoft says that we can use this new action to, for example, “inform the recipient that the message was rejected by a transport rule, or that it was marked as spam and will be delivered to their Junk Email folder”. However, without being able to insert dynamic text into the notification text such as the sender or subject of the original message, I am struggling to find any use for this new action…

Figure 8

Generate Incident

The action Generate incident report and send it to is not entirely new. However, in Exchange 2016 it has been updated so that the incident report can now be sent to multiple distribution lists.

Figure 9

Transport Rules on Edge Servers

Edge Transport servers handle all inbound and outbound Internet mail flow by providing mail relay and smart host services for the Exchange organization. Agents running on the Edge Transport server provide additional layers of message protection and security. These agents provide protection against viruses and spam and apply transport rules to control mail flow.

Because the Edge Transport server is installed in the perimeter network, it is never a member of an organization’s internal Active Directory (AD) forest and does not have access to AD information. However, the Edge Transport server requires data that resides in AD such as connector information for mail flow and recipient information for antispam recipient lookup tasks. This data is synchronized to the Edge Transport server by the Microsoft Exchange EdgeSync service (EdgeSync). EdgeSync is a collection of processes run on an Exchange 2016 Mailbox server to establish one-way replication of recipient and configuration information from Active Directory to the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server. EdgeSync copies only the information that’s required for the Edge Transport server to perform anti-spam configuration tasks and to enable end-to-end mail flow.

Part of this synchronized data is not Transport Rules, meaning transport rules we create on our “internal” servers do not get replicated to our Edge server(s). This is because Edge Transport rules are used to control the flow of messages sent to or received from the Internet and not internal mail flow. Edge Transport rules are configured on each Edge Transport server to help protect corporate network resources and data by applying an action to messages meeting specified conditions. Edge Transport rule conditions are based on data, such as specific words or text patterns in the message subject, body, header, or from address, the spam confidence level (SCL), or the attachment type. Actions determine how the message is processed when a specified condition is true. Possible actions include quarantining a message, dropping or rejecting a message, appending additional recipients, or logging an event.

The components of the Transport service on Edge Transport servers are identical to the components of the Transport service on Mailbox servers. However, what actually happens during each stage of processing on Edge Transport servers is different. In terms of transport rules, these are controlled by the Edge Rule agent. Compared to the Transport Rule agent on Mailbox servers, only a small subset of transport rule conditions are available on Edge Transport servers.

Conditions available only on Edge Transport servers:

Condition name in Shell Description
SubjectContains This condition matches messages that contain the specified words in the Subject field.
SubjectOrBodyContains This condition matches messages that contain the specified words in the Subject field or message body.
HeaderContains This condition matches messages where the value of the specified message header contains the specified words.
FromAddressContains This condition matches messages that contain the specified words in the From field.
AnyOfRecipientAddressContains This condition matches messages that contain the specified words in the To, Cc, or Bcc fields of the message.
SubjectMatches This condition matches messages where text patterns in the Subject field match a specified regular expression.
SubjectOrBodyMatches This condition matches messages where text patterns in the Subject field or message body match a specified regular expression.
HeaderMatches This condition matches messages where the specified message header field contains text patterns that match a specified regular expression.
FromAddressMatches This condition matches messages that contain text patterns in the From field of the messages that match a specified regular expression.
AnyOfRecipientAddressMatches This condition matches messages where text patterns in the To, Cc, or Bcc fields of the message match a specified regular expression.
SCLOver This condition matches messages with an SCL that’s equal to or greater than the value specified.
AttachmentSizeOver This condition matches messages that contain attachments larger than the specified value.
FromScope This condition matches messages that are sent from the specified scope.
MessageSizeOver This condition matches messages when the message size is larger than or equal to the specified value.

Table 2


In this article we looked at what is new in Transport Rules with Exchange 2016. There is not much new, but the ability to look inside Office documents for certain properties or words, and the increase of sensitive information types we can look for are certainly great improvements.

About The Author

4 thoughts on “Transport Rules in Exchange 2016”

  1. Hi Nuno

    has Exchange 2016 or support jpg attachments for a transport rule for example my copany want to add a logo for every email sent inside or outside.

    is it possible with exchange 2016?

    thanks in advance,

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top