How to Protect Messages Sent to Dynamic Distribution Lists

Seeking Protection Against Forwarding

A question came in about the best way for internal email to be protected against external sharing. The company in question uses dynamic distribution lists for employee communications like organizational announcements. Management wants recipients to be unable to forward this email to external people. It’s a common request that goes back to the earliest days of information protection.

Outlook and OWA support encryption through the two default templates made available through Office 365 Message Encryption (OME) to users with Office 365 E3 and E5 licenses. The Encrypt-Only template protects email in transit and makes sure that only people on the addressee list can open messages. The Do No Forward template adds in a block to prevent forwarding. On the surface, it seems like the Do Not Forward template is a good choice. And is it, but only if you use regular distribution lists. OME-protected messages don’t work with dynamic distribution lists. The reason is simple and comes down to the inability to obtain use licenses from the Information Protection service.

Dynamic Membership Stops Protection Licensing

Exchange Online resolves the membership of a dynamic distribution list to know who should receive copies of messages sent to the list. For years, resolution happened when the transport service processed a message sent to a dynamic distribution list. Recently, Microsoft changed this to a timed basis, meaning that Exchange Online resolves the recipient query against the directory to find list membership daily. List membership is less dynamic than it once was, but the lack of immediacy doesn’t usually make much difference in practice.

When Exchange Online processes email sent to a dynamic distribution group, it bifurcates the message to create a copy to deliver to each recipient. If the message is protected with OME, recipients receive an encrypted copy with their email address in the message recipients. To open the copy, the recipient needs the right to access the content, which works for OME because the publishing license for the message includes the recipient. However, because Exchange Online creates message copies in the transport pipeline for list recipient, the publishing license doesn’t include their details. Email clients cannot verify that the recipient has the necessary permission, so they cannot open the message (Figure 1).

An OME-protected message cannot be opened by a dynamic distribution group member
Figure 1: An OME-protected message cannot be opened by a dynamic distribution group member

In a nutshell, OME templates work well when sent to individual recipients present in messages when sent. They just can’t deal with the way Exchange Online adds recipients to messages during transport.

Use a Sensitivity Label to Protect Confidential Email

Although dynamic distribution lists cannot be used with OME, sensitivity labels offer a solution. You cannot control the rights assigned through an OME template, but this control is possible in a sensitivity label. The key is to include the special All users and groups and your organization group in the permissions assigned in the label (Figure 2).

Selecting the special tenant group to receive permissions in a sensitivity label
Figure 2: Selecting the special tenant group to receive permissions in a sensitivity label

You can also assign permissions to individual users or groups (but not dynamic distribution lists). If you do this for a label used with dynamic distribution lists, make sure that you assign permissions to cover everyone in the list. If you don’t, some recipients will be unable to read messages. All users and groups in your organization is a convenient way to ensure that everyone in the tenant can read content protected by the sensitivity label, including documents stored in SharePoint Online and OneDrive for Business.

When you add permission assignments to the label, you define the rights the assignees receive. While you can create a custom permission set containing specific rights, Microsoft makes it easy to assign rights through predefined sets. Details of the Viewer role appear in Figure 3. Recipients with this role can read content but they cannot perform other actions like print or forward. Assigning this role to the special group in a sensitivity label ensures that everyone with an account in the tenant can read any content protected by the label.

Details of the rights assigned through a permissions role
Figure 3: Details of the rights assigned through a permissions role

After configuring the sensitivity label, it can be made available to users through a label publishing policy. This process will take some hours because it requires clients to refresh their label cache. Once this happens, users can apply the sensitivity label to email sent to dynamic distribution lists, and tenant accounts who are members of those lists can read the messages (Figure 4).

A message protected by a sensitivity label can be read by dynamic distribution group members
Figure 4: A message protected by a sensitivity label can be read by dynamic distribution group members

If someone forwards a message to someone outside the tenant, that user won’t have the necessary rights to open the message and all they’ll see is a message with an encrypted attachment. They can follow the directions in the message to the OME portal and attempt to open the message there, but without rights, nothing will happen. This is a good example of rights management in action.

Rights Management and Office 365

Anyone with an Office 365 license can read content protected with sensitivity labels. To apply sensitivity labels, you need at least an Office 365 E3 license. Remember that sensitivity labels also support container management for Groups, Teams, and Sites, so they’re more than just a way to apply encryption.


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.