External Email Forwarding Blocked by Organization Policy (NDR 550 5.7.520)

Hi Mohd Ishaque

Based on my research, this issue is most likely related to the outbound spam filter policy. When automatic external forwarding is disabled in that policy, any forwarding attempt, even if not visible in Outlook or OWA, will be blocked and result in the 550 5.7.520 NDR.

You can review the configuration using the following steps:

• Go to the Microsoft 365 Defender portal
• Navigate to Email & collaboration > Policies & rules > Threat policies
• Open Anti-spam policies and review the outbound spam filter policy applied to the affected user
• Check the setting for Automatic forwarding rules and confirm whether it is set to Off, as this will block all external forwarding

If external forwarding is required, this setting will need to be updated to allow it, either by modifying the existing policy or by creating a new policy scoped to the specific user.

Please let me know how it goes after checking this.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

The behavior matches automatic external forwarding being blocked by the organization’s outbound spam policy while some form of forwarding (Inbox rule or mailbox forwarding) is still configured for the mailbox.

Key points from the available information:

1. Automatic external forwarding control
   • Outbound spam filter policies control automatic forwarding to external recipients.
   • The policy has three modes:
     • Automatic – System-controlled (now effectively Off – Forwarding is disabled)
     • On – Forwarding is enabled
     • Off – Forwarding is disabled
   • When set to Off – Forwarding is disabled, any automatic external forwarding (Inbox rules or mailbox-level forwarding) is blocked and generates an NDR.
   • The NDR in this scenario is:

     5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)

2. What is being blocked
   • The documentation explicitly states that disabling automatic forwarding “disables any Inbox rules (users) or mailbox forwarding (admins) that redirect messages to external addresses.”
   • Automatic forwarding between internal users is not affected.
   • Because message headers show an external forwarding action (ExtFwd), Exchange is still attempting to forward, but the outbound spam policy is blocking it, resulting in repeated NDRs.
3. Interaction with other forwarding controls
   • Other controls that can allow or block automatic forwarding include:
     • Remote domains (Allow automatic forwarding per external domain).
     • Mail flow rules (transport rules) that detect and block automatically forwarded messages.
   • When one control allows and another blocks, the block typically wins. For example:
     • If remote domains allow automatic forwarding but the outbound spam filter policy is Off, forwarding is still blocked.
     • If outbound spam filter is On but mail flow rules or remote domains block, forwarding is blocked.
4. How to identify and track automatic forwarding
   • For cloud mailboxes, use the Auto forwarded messages report to see users automatically forwarding messages to external recipients.
   • For on-premises users forwarding through Microsoft 365, create a mail flow rule in the Exchange admin center (EAC) to detect forwarded messages by matching the X-MS-Exchange-Inbox-Rules-Loop header and then tagging them (for example, setting X-Forwarded: True).
   • Set a Severity on that rule so the Exchange transport rule report can be used to identify users who are forwarding.
5. Practical remediation approach based on the documentation
   • Confirm the outbound spam filter policy setting for automatic forwarding:
     • If the organization intends to allow external forwarding for this scenario, set the policy to On – Forwarding is enabled, or selectively allow via remote domains/mail flow rules.
     • If the organization intends to block external forwarding globally, the forwarding configuration (Inbox rule or mailbox forwarding) must be removed or corrected.
   • Use the reporting capabilities:
     • Auto forwarded messages report to confirm which users are forwarding.
     • If needed, implement the recommended mail flow rule using X-MS-Exchange-Inbox-Rules-Loop to track and identify forwarding activity, including any hidden or stale rules.

In summary, the NDR 550 5.7.520 and ExtFwd headers indicate that automatic external forwarding is still configured for the mailbox, but the organization’s outbound spam filter policy (or another forwarding control such as remote domains or mail flow rules) is set to block external forwarding, causing the failures.

References:

• Control automatic external email forwarding from cloud mailboxes
• Configure email forwarding in Microsoft 365
• Fix NDR error code "550 5.1.1" through "550 5.1.20" in Exchange Online