Transport Rule Predicates

Applies to: Exchange Server 2013

Topic Last Modified: 2013-02-20

In Microsoft Exchange 2013, predicates are used to create conditions and exceptions in a Transport rule. Transport rules can be applied to email messages routed through your organization.

Looking for management tasks related to Transport rules? See Manage Transport Rules.

Looking for the Exchange Online version of this topic? See Transport Rule Predicates.

Looking for the Exchange Online Protection version of this topic? See Transport Rule Predicates.

Contents

Predicates and predicate properties

List of available predicates

Predicate property types

Predicates and predicate properties

Transport rule conditions and exceptions consist of one or more predicates. Predicates instruct the Transport rules agent in the Transport service on an Exchange 2013 Mailbox server to examine a specific part of an email message, such as sender, recipients, subject, other message headers, and message body. Based on this analysis, the Transport rules agent determines whether the rule should be applied to that message. As such, predicates act as building blocks for conditions and exceptions.

To determine whether a Transport rule should be applied to a message, most predicates have one or more properties for which you must specify a value. For example, the From predicate requires that you specify the sender for the message. Some predicates don't have properties. For example, the AttachmentHasExecutableContent predicate simply inspects whether any attachment in a message has executable content, and therefore doesn't require any values.

Because some predicates examine specific fields within an email message (such as the message header fields), you must set two predicate properties. For example, when you use a predicate to inspect message headers, one predicate property specifies the header to examine, such as To, From, Received, or Content-Type, and the second property specifies the value for that message header.

To assign a value to a predicate in the Exchange admin center (EAC), you can use the drop-down lists and secondary dialog boxes that are displayed in the Transport rule dialog. These help you select the correct property types and valid values for those property types. In the Exchange Management Shell, the properties are available as parameters of the New-TransportRule and Set-TransportRule cmdlets. Property values are specified after the property name.

List of available predicates

The following table lists the predicates available and provides the following information about each predicate:

The Predicate name in EAC column lists the predicate as it appears in the condition and exception lists in the EAC.
The Predicate name in Shell column lists the predicate name that you can use in the New-TransportRule and Set-TransportRule cmdlets. This is also the name returned by the Get-TransportRulePredicate cmdlet in the Shell.
The Predicate property type and Second predicate property type columns list the property types. Most property types accept specific values. To determine valid values for a property type, see the table Property types used in Transport rule predicates later in this topic.

Note:
Each predicate listed in the following table also has an equivalent exception that can be selected in the EAC. In the Shell, predicates that can be used as exceptions start with ExceptIf. For example, for the FromMemberOf predicate, the parameter that can be used as an exception in Transport rule cmdlets is called ExceptIfFromMemberOf. The same predicate object contains the logic for use in both Transport rule conditions and exceptions. Therefore, when you use the Get-TransportRulePredicate cmdlet to list predicates, exceptions aren't listed as separate predicates.

Note:

Each predicate listed in the following table also has an equivalent exception that can be selected in the EAC. In the Shell, predicates that can be used as exceptions start with ExceptIf. For example, for the FromMemberOf predicate, the parameter that can be used as an exception in Transport rule cmdlets is called ExceptIfFromMemberOf.

The same predicate object contains the logic for use in both Transport rule conditions and exceptions. Therefore, when you use the Get-TransportRulePredicate cmdlet to list predicates, exceptions aren't listed as separate predicates.

Available predicates

Predicate name in EAC Predicate name in Shell Predicate property type Second predicate property type Description

The sender is

From

Addresses

Not applicable

From matches messages sent by the specified mailboxes, mail-enabled users, or contacts.

The sender is located

FromScope

FromUserScope

Not applicable

FromScope matches messages that are sent by senders within the specified scope.

The sender is a member of

FromMemberOf

Addresses

Not applicable

FromMemberOf matches messages where the sender is a member of the specified distribution group.

The sender address includes

FromAddressContainsWords

Words

Not applicable

FromAddressContainsWords matches messages that contain the specified words in the sender's address.

The sender address matches

FromAddressMatchesPatterns

Patterns

Not applicable

FromAddressMatchesPatterns matches messages that contain text patterns in the sender's address that match the specified regular expression.

The sender's specified properties include any of these words

SenderADAttributeContainsWords

Words

Not applicable

SenderADAttributeContainsWords matches messages where the specified attribute of the sender contains specified words.

The sender's specified properties match these text patterns

SenderADAttributeMatchesPatterns

Patterns

Not applicable

SenderADAttributeMatchesPatterns matches messages where the specified attribute of the sender contains text patterns that match the specified regular expression.

The sender has overridden the Policy Tip

HasSenderOverride

Not applicable

HasSenderOverride matches messages where the sender has chosen to override a DLP policy.

Sender's IP address is in the range

SenderIPRanges

IPRanges

Not applicable

SenderIpRanges matches messages where the sender's IP address falls within the specified ranges.

The sender's domain is

SenderDomainIs

Domain name

Not applicable

SenderDomainIs matches messages where the sender's domain matches the specified domain name.

The recipient is

SentTo

Addresses

Not applicable

SentTo matches messages where one of the recipients is the specified mailbox, mail-enabled user, or contact. The specified recipients can be listed in the To, Cc, or Bcc fields.

Note:
You can't specify a distribution group with this predicate. If you need to create a rule that takes action on messages sent to a distribution group, use the To box contains (AnyOfToHeader) predicate instead.

The recipient is located

SentToScope

ToUserScope

Not applicable

SentToScope matches messages that are sent to recipients within the specified scope.

The recipient is a member of

SentToMemberOf

Addresses

Not applicable

SentToMemberOf matches messages that contain recipients who are members of the specified distribution group. The distribution group can be listed in the To, Cc, or Bcc fields.

The recipient address includes

RecipientAddressContainsWords

Words

Not applicable

RecipientAddressContainsWords matches messages where a recipient's address contains any of the specified words.

The recipient address matches

RecipientAddressMatchesPatterns

Patterns

Not applicable

RecipientAddressMatchesPatterns matches messages where a recipient's address matches a specified regular expression.

The recipient's specified properties include any of these words

RecipientADAttributeContainsWords

Words

Not applicable

RecipientAttributeContains matches messages where the specified attribute of a recipient contains any of the specified words..

The recipient's specified properties match these text patterns

RecipientADAttributeMatchesPatterns

Patterns

Not applicable

RecipientAttributeMatches matches messages where the specified attribute of a recipient matches the specified regular expression.

A recipient's domain is

RecipientDomainIs

Domain Name

Not applicable

RecipientDomainIs matches messages where the domain of any recipient of the message matches the specified domain name.

The subject or body includes

SubjectOrBodyContainsWords

Words

Not applicable

SubjectOrBodyContainsWords matches messages that have the specified words in the Subject field or message body.

The subject or body matches

SubjectOrBodyMatchesPatterns

Patterns

Not applicable

SubjectOrBodyMatchesPatterns matches messages where text patterns in the Subject field or message body match a specified regular expression.

The subject includes

SubjectContainsWords

Words

Not applicable

SubjectContainsWords matches messages that have the specified words in the Subject field.

The subject matches

SubjectMatchesPatterns

Patterns

Not applicable

SubjectMatchesPatterns matches messages where text patterns in the Subject field match a specified regular expression.

Any attachment's content includes

AttachmentContainsWords

Words

Not applicable

AttachmentContainsWords matches messages with attachments that contain a specified string.

Any attachment's content matches

AttachmentMatchesPatterns

Patterns

Not applicable

AttachmentMatchesPatterns matches messages with attachments that contain a text pattern that matches a specified regular expression.

Note:
Only the first 150 KB of the attachment is scanned when trying to match a pattern.

Any attachment's content can't be inspected

AttachmentIsUnsupported

Not applicable

AttachmentIsUnsupported matches messages with attachments that aren't supported.

Any attachment's file name matches

AttachmentNameMatchesPatterns

Patterns

Not applicable

AttachmentNameMatchesPatterns matches messages that contain text patterns in an attachment file name that matches a specified regular expression.

Any attachment's file extension matches

AttachmentExtensionMatchesWords

Words

Not applicable

AttachmentExtensionMatchesWords matches messages that contain an attachment whose extension matches any of the specified words.

Any attachment size is greater than or equal to

AttachmentSizeOver

Size

Not applicable

AttachmentSizeOver matches messages that contain attachments greater than or equal to the specified value.

The message didn't complete scanning

AttachmentProcessingLimitExceeded

Not applicable

AttachmentProcessingLimitExceeded matches messages for which the rules engine couldn't complete scanning of the attachments. This predicate can be used to create rules that work together with other attachment processing rules and gives you the ability to handle messages whose content couldn't be fully scanned.

Any attachment has executable content

AttachmentHasExecutableContent

Not applicable

AttachmentHasExecutableContent matches messages that contain executable files as attachments.

Any attachment is password protected

AttachmentIsPasswordProtected

Not applicable

AttachmentIsPasswordProtected matches messages that contain compressed archive attachments that are password protected, and therefore cannot be scanned.

The message contains sensitive information

MessageContainsDataClassifications

SensitiveInformation

Not applicable

MessageContainsDataClassifications matches messages that contain sensitive information.

The To box contains

AnyOfToHeader

Addresses

Not applicable

AnyOfToHeader matches messages where the To field includes any of the specified recipients.

The To box contains a member of

AnyOfToHeaderMemberOf

Addresses

Not applicable

AnyOfToHeaderMemberOf matches messages where the To field contains a recipient who is a member of the specified distribution group.

The Cc box contains

AnyOfCcHeader

Addresses

Not applicable

AnyOfCcHeader matches messages where the Cc field includes any of the specified recipients.

The Cc box contains a member of

AnyOfCcHeaderMemberOf

Addresses

Not applicable

AnyOfCcHeaderMemberOf matches messages where the Cc field contains a recipient who is a member of the specified distribution group.

The To or Cc box contains

AnyOfToCcHeader

Addresses

Not applicable

AnyOfToCcHeader matches messages where the To or Cc fields include any of the specified recipients.

The To or Cc box contains a member of

AnyOfToCcHeaderMemberOf

Addresses

Not applicable

AnyOfToCcHeaderMemberOf matches messages where the To or Cc fields contains a recipient who is a member of the specified distribution group.

The message size is greater than or equal to

MessageSizeOver

Size

Not applicable

MessageSizeOver matches messages whose overall size is greater than or equal to the specified value.

The message character set name includes any of these words

ContentCharacterSetContainsWords

Character Sets

Not applicable

The ContentCharacterSetContainsWords matches messages that have any of the character set names specified.

The sender is one of the recipients'

SenderManagementRelationship

ManagementRelationship

Not applicable

SenderManagementRelationship matches messages where the sender has the specified management relationship with a recipient.

The message is between members of these groups

BetweenMemberOf1 and BetweenMemberOf2

Addresses (BetweenMemberOf1)

Addresses (BetweenMemberOf2)

BetweenMemberOf1 and BetweenMemberOf2 together match messages that are sent between members of two distribution groups.

The manager of the sender or recipient is

ManagerForEvaluatedUser and ManagerAddress

EvaluatedUser (ManagerForEvaluatedUser)

Addresses (ManagerAddresses)

ManagerForEvaluatedUser and ManagerAddresses together match messages where the specified user's (sender or recipient) manager exists in the list of specified addresses.

The sender's and any recipient's property compares as

ADAttributeComparisonAttribute and ADComparisonOperator

ADAttribute (ADComparisonAttribute)

Evaluation (ADComparisonOperator)

ADAttributeComparisonAttribute and ADComparisonOperator together match messages where the sender's specified Active Directory attribute matches or doesn't match (as specified in the Evaluation property) the same attribute of any recipient.

The message type is

MessageTypeMatches

MessageType

Not applicable

MessageTypeMatches matches messages of the specified type.

The message is classified as

HasClassification

Classification

Not applicable

HasClassification matches messages that have the specified classification.

The message isn't marked with any classifications

HasNoClassification

Not applicable

HasNoClassification matches messages that don't have a message classification.

The message has an SCL greater than or equal to

SCLOver

SclValue

Not applicable

SCLOver matches messages that are assigned a spam confidence level (SCL) matching or exceeding the specified value.

The message importance is set to

WithImportance

Importance

Not applicable

WithImportance matches messages marked with the specified priority.

A message header includes

HeaderContainsMessageHeader and HeaderContainsWords

MessageHeader (HeaderContainsMessageHeader)

Words (HeaderContainsWords)

HeaderContainsMessageHeader and HeaderContainsWords together match messages where the specified message header contains one of the specified words.

A message header matches

HeaderMatchesMessageHeader and HeaderMatchesPatterns

MessageHeader (HeaderMatchesMessageHeader)

Patterns (HeaderMatchesPatterns)

HeaderMatchesMessageHeader and HeaderMatchesPatterns together match messages where the specified message header contains a text pattern that matches a specified regular expression.

Predicate property types

The following table lists the property types used in Transport rule predicates.

Property types used in Transport rule predicates

Property type	Valid values	Description
ADAttribute	One of the Active Directory attributes available for use	The `ADAttribute` property type accepts the name of one of the following Active Directory attributes: `DisplayName` `FirstName` `Initials` `LastName` `Office` `PhoneNumber` `OtherPhoneNumber` `Email` `Street` `POBox` `City` `State` `ZipCode` `Country` `UserLogonName` `HomePhoneNumber` `OtherHomePhoneNumber` `PagerNumber` `MobileNumber` `FaxNumber` `OtherFaxNumber` `Notes` `Title` `Department` `Company` `Manager` `CustomAttribute1` - `CutomAttribute15` When you use the Shell to create a Transport rule that contains a predicate which uses an Active Directory attribute, you must specify an attribute name from the preceding list followed by a colon (:) and the word or text pattern you want to match in the specified attribute. The entire notation should be enclosed in quotation marks ("). For example, to specify the attribute `City` and the values `San Francisco` or `Palo Alto`, you must use `City:San Francisco, Palo Alto`. You can also specify multiple Active Directory attributes and value pairs. For example, "`City:San Francisco, Palo Alto"`,"`Department:Sales, Finance"`. In this case, the recipient's `City` attribute should contain either `San Francisco` or `Palo Alto`, and the `Department` attribute should contain either `Sales` or `Finance`.
Addresses	Array of Active Directory mailbox, contact, or distribution group objects	The `Addresses` property type accepts one or more mailbox, contact, mail-enabled user, or distribution group object.
Character Sets	Array of valid character set names	The `Character Sets` property type is a list of names of specific content character sets that can be found in a message. For example, if you wanted to create a rule that checks messages for character sets used in Microsoft ForeFront Online Protection for Exchange, you would use the following list: Arabic/iso-8859-6 Chinese/big5 Chinese/euc-cn Chinese/euc-tw Chinese/gb2312 Chinese/iso-2022-cn Cyrillic/iso-8859-5 Cyrillic/koi8-r Cyrillic/windows-1251 Greek/iso-8859-7 Hebrew/iso-8859-8 Japanese/euc-jp Japanese/iso-022-jp Japanese/shift-jis Korean/euc-kr Korean/johab Korean/ks_c_5601-1987 Turkish/windows-1254 Turkish/iso-8859-9 Vietnamese/tcvn
Classification	Message classification object	The `Classification` property type accepts a message classification object. To see what message classifications are available, you can use the Get-MessageClassification cmdlet.
Domain Name	Any valid SMTP domain name	The `Domain Name` property type is the FQDN for any valid SMTP domain.
EvaluatedUser	Single value of `Sender` or `Recipient`	The `EvaluatedUser` property type is used to determine whether the value specified in the ManagerAddresses parameter is the manager of the sender or one of the recipients.
Evaluation	Single value of `Equal` or `NotEqual`	The `Evaluation` property type is used when comparing the Active Directory attributes of the sender and recipients.
FromUserScope	Single value of `InOrganization` or `NotInOrganization`	The `FromUserScope` property type specifies whether the message is sent by a sender who is considered to be inside the organization or external to the organization. The following values can be used: InOrganization A sender is considered to be inside the organization if either of the following conditions is true: The sender is a mailbox, mail-enabled user, distribution group, or public folder that exists in the organization's Active Directory. The domain of the sender is an accepted domain in the Exchange organization, but isn't an `ExternalRelay` domain. Also, the message must be sent or received by using an authenticated connection. NotInOrganization A sender is considered to be outside the organization if the sender's domain isn't an accepted domain in the Exchange organization, or is in an accepted domain that is configured as an `ExternalRelay` domain.
Importance	Single value of `High`, `Low`, or `Normal`	The `Importance` property type specifies the message priority.
IPRanges	Array of IP ranges	The `IPRanges` property type is used to specify one or more IP address ranges.
ManagementRelationship	Single value of `Manager` or `DirectReport`	The `ManagementRelationship` property type specifies the relationship between two evaluated users, for example the sender and the recipient. The evaluated user's Active Directory information is located to determine the manager and direct reports.
MessageHeader	Single string	The `MessageHeader` property type accepts a string that can be used to specify the SMTP message header to examine. This property is used together with the `Words` or `Patterns` properties, which specify the value of the header field to match.
MessageType	Single message type name	The `MessageType` property type accepts one of the following message types: OOF AutoForward Encrypted Calendaring PermissionControlled Voicemail Signed ApprovalRequest ReadReceipt
Patterns	Array or regular expressions	The `Patterns` property type accepts one or more regular expressions that can be used to match text that follows an identifiable pattern. Enclose the expression in quotation marks (").
SclValue	Single integer	The `SclValue` property type accepts an integer that can be used to match the spam confidence level (SCL) assigned to a message. SCL values range from -1 through 9.
SensitiveInformation	Sensitive Information Types	The `SensitiveInformation` property type accepts the sensitive information types defined in your organization. For a list of built-in sensitive information types in Exchange 2013, see Sensitive Information Types Inventory.
Size	Single integer with quantifier such as KB or MB	The `Size` property type accepts an integer that specifies the size of an email attachment or the overall message. When using the EAC, the value specified is in kilobytes. When using the Shell, you can enter an integer value qualified by one of the following units: B (bytes) KB (kilobytes) MB (megabytes) GB (gigabytes) For example, `20MB`
ToUserScope	One of the following values: `InOrganization` `NotInOrganization` `ExternalPartner` `ExternalNonPartner`	The `ToUserScope` property type specifies the scope of the recipients. The `InOrganization` and `NotInOrganization` values are evaluated similar to the `FromUserScope` property, but in the context of the recipient. The following is a description of the other possible values: ExternalPartner These domains are configured to send mail to an external domain by using Domain Secure security ExternalNonPartner These represent all other domains that aren't considered `ExternalPartner` domains.
Words	Array of strings	The `Words` property type accepts one string or an array of strings. It's used in all predicates that inspect different parts of a message for specific words or strings. In Exchange 2013, only instances of the word without a prefix or suffix are matched. For example, if you specify the word "contoso", the rule will fire only if an exact match is found. The following variations where the word appears as a suffix, a prefix, or between other characters (other than the space character) aren't considered an exact match: Acontoso Contosoa Acontosob The property isn't case-sensitive. The asterisk (*) is treated as a literal character, and not used as a wildcard character.

For more information

Transport Rules

Transport Rule Actions

Manage Transport Rules