UPDATE 8/2/23: Another way to accomplish this is to enable the built-in external tags now supported by M365 Apps (Build 2211 and greater), Outlook on the Web, and Outlook Mobile. Note that this external tag will not work in older versions of Outlook or M365 Apps (prior to build 2211), so you may still need the original solution listed in this article.
If you are on M365 Apps, you can connect to Exchange Online PowerShell and run the following command: Set-ExternalInOutlook -Enabled $true
For more information, check Microsoft’s article Native external sender callouts on email in Outlook
Adding an external sender notification to the top of an email is an important distinction for many companies. This disclaimer quickly identifies its end users when a message is sourced from an external sender. This eliminates the guesswork for internal users, helping them to identify potential phishing attacks, but also a great reminder when it comes to data loss prevention as they reply.
Companies approach this disclaimer in many different ways. Two common examples are a disclaimer prepended at the top of the email or adding a keyword in the message subject.
Thankfully, adding this is a simple process in Office 365 (and also Exchange on-premises – the instructions are identical).
For this article, our example company, Time Travel Research, wishes that all inbound email from external senders is prepended with a disclaimer stating the sender is external to the organization. Time Travel Research wants to ensure that every instance of an external email, even those in the same email chain, is prepended with this disclaimer.
Let’s get started!
Add an external sender disclaimer to all inbound email
Log in to the Exchange Admin Center. Once logged in, navigate to Mail Flow >> Rules. Click the New () button.
From the drop-down menu, you will notice several choices. These choices are predefined rule templates. We will create a rule from scratch. Select Create a new rule.
This will launch the New Rule window. Towards the bottom of the window, select More options. This will allow us to see all available rule conditions and actions. In addition, it allows us to apply multiple conditions and actions in a single rule.
Select the Apply this rule if… dropdown. This is the condition for our rule to trigger. Select the sender > is external/internal.
Click the Select One link to the right of the dropdown. A Select Sender Location dialog will appear. From the dropdown, select Outside the organization and click Ok.
Click the Add Condition button. From the second dropdown, select the recipient > is external/internal.
Click the Select One link to the right of the dropdown. From the dialog, select Inside the organization and click Ok.
Select the Do the following… dropdown. This is the action of our rule. Select Apply a disclaimer to the message > Prepend a disclaimer. Prepend applies the warning to the top of the message body. Append would apply the disclaimer to the foot of the message body. Append is useful if we were applying a legal disclaimer.
To the right of the action, click the Enter text link. This will launch the Specify disclaimer text dialog. Paste or type your disclaimer text. This text can be either plain text or formatted by using HTML tags. Click Ok.
In the example above, we are formatting our disclaimer with HTML tags. Below is an example of what we used.
<table border=0 cellspacing=0 cellpadding=0 align=left width=`"100%`"> <tr> <td style='background:#bba555;padding:5.25pt 5.5pt 5.25pt 1.5pt'></td> <td width=`"100%`" style='width:100.0%;background:#ffe599;padding:5.25pt 3.75pt 5.25pt 11.25pt; word-wrap:break-word' cellpadding=`"7px 5px 7px 15px`" color=`"#212121`"> <div><p><span style='font-size:11pt;font-family:Arial,sans-serif;color: #212121'> <b>CAUTION:</b> This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. </span></p></div> </td></tr></table>
We also need to specify a fallback action. This is what Exchange will do when it can’t apply our external disclaimer. Click the Select one link.
You will notice three fallback actions Exchange can take if it can’t apply the disclaimer to the message. Here is what each does.
- Reject: Exchange rejects the message and sends a non-delivery report to the sender. The message is not delivered.
- Ignore: Exchange accepts the message and delivers it to the recipient without the disclaimer.
- Wrap: Exchange creates a new email message with the disclaimer and adds the original email message as an attachment.
For my example, I am going to choose Wrap. Click Ok.
We can also specify whether the rule goes into effect right away by selecting Enforce. However, it is always recommended to test the rule first. You can do this by selecting one of the Test options. Whether you pick policy tips or not will determine if your users see any policy tips in Outlook while you are testing. For my example, I am going to leave this at Enforce, putting the rule into immediate effect.
If we scroll to the top, we can see the New Rule dialog suggests a rule name. In our example, we are going to name this rule External Sender Disclaimer, but you can name your rule whatever you like. Enter your rule name in the Name dialog.
With the rule ready, let’s click Save and begin testing.
Limiting the disclaimer in an email string
Some companies mandate that every instance of an external email, even those in the same email chain, is prepended with an external sender disclaimer. Others prefer that just the first external message in the chain receives the disclaimer, and subsequent external messages in the same string do not get this disclaimer.
To achieve the latter scenario, we can add an exception to our previous rule. This exception will check each email to see if the disclaimer text is already present. If so, it will block the rule from applying another disclaimer. Without this exception, we would get a cascade of duplicate disclaimer text. To set the exception, we need to click the Add exception button.
From the Except if drop-down, select The subject or body >> Subject or body matches these text patterns.
In the specify words or phrases dialog, paste the same disclaimer text and click the Add () button.
Note: If your disclaimer contained any HTML markup, CSS, or, Active Directory attribute placeholders you will have to remove those from the exception. They won’t be understood.
You are all set!
What the other buttons do…
When you create a new rule, it is always added to the end of the list. This means it will be processed last by the transport engine. To change the priority or processing order of the rule, select it and click the Up or Down () arrows. You can also edit () the rule to change its Priority. In our example, we will make it number one and click Save. Unfortunately, the priority field is only available after the rule is created. The edit dialog allows you to change all other aspects of your rule.
You can also disable the rule by deselecting the checkbox in the ON column. Checking the box will enable the rule again.
To delete a rule permanently, select the rule and click the Delete () button. You will be prompted to confirm.
Finally, you can also copy a rule. Select a source rule and click the Copy () button. This will create an exact copy of your source rule which you can then modify, rename and save. This is especially useful when you need to create a lot of very similar rules and need to ensure a base rule configuration.
Here are some articles I thought you might like.
- Add a legal disclaimer to all outbound email
- Exchange 2016: Public Folder migration made easy
- Import & Export SSL Certificates in Exchange Server 2016
- Install Exchange 2016 in your lab (7-part series)
- Configure Kemp Load Balancer for Exchange 2016
Join the conversation on Twitter @SuperTekBoy.