Reply or Reply All: Controls, Options, and Best Practices

Jeff Guillet MVP, MCSM

Since the dawn of email, organizations have struggled with the way that users reply to emails. Confusion (or worse) occurs when emails include groups, CC, BCC, internal, and external recipients. Choosing to use "Reply All" may release confidential information to the wrong people or cause mail storms between senders and recipients – sometimes bringing email servers to their knees.

When is it appropriate to use "Reply" or "Reply All"? In this article, I’ll explain what can be done to control this for both Exchange Server on-premises and Exchange Online, and what you can do to help end-users. Most of these controls actually fall upon the end-users, so training and leading them to do the right thing using MailTips is sometimes the only answer. As my fellow MVP, Ed Crowley, is famous for saying, “There are seldom good technological solutions to behavioral problems.”

There are several notable examples where users accidentally or unknowingly used "Reply All" when a simple reply would have been more appropriate.
  • On October 14, 1997, a Microsoft employee emailed a distribution list named “Bedlam DL3”, containing 13,000 users, asking to be removed from it. This led to a mail storm caused by multiple people sending “me-too” requests and others begging people to stop replying to all – using "Reply All," of course. It’s estimated that 15 million emails were sent in about an hour, generating 195GB of traffic. This incident led to the creation of the Message Recipient Limit feature in Exchange. Read more about this incident at “Me Too!” on the Exchange Team Blog.
  • On October 3, 2007, the U.S. Department of Homeland Security generated an email storm that caused more than 2.2 million messages to be sent and exposed the names of hundreds of security professionals. Read DHS Injects Itself with DDoS for more details.
  • In late August 2016, the New York Times internal email system experienced an email storm called the “replyallpocalypse” when someone was mistakenly put on an email thread and used “Reply All” asking to be removed. This led to an article in its own paper on September 2, 2016 saying, “When you are in this situation, the logical, expert opinion is: Do not hit ‘Reply All.’”
So, it’s interesting that Microsoft makes “Reply All” the default action in Outlook on the web (a.k.a. OWA). The following are the available technical controls and best practices for the organization around email replies.

Controls

There are several technical controls you can apply, including changing the reply behavior in Exchange and Exchange Online.

Change "Reply All" behavior in OWA for Exchange Server

Exchange 2013+ uses Reply All as the default in Outlook on the web for all users. Use Exchange Cmdlet Extension Agents to change this to a simple Reply. This method instructs Exchange Server to run the Set-MailboxMessageConfiguration -IsReplyAllTheDefaultResponse $false cmdlet on the mailbox whenever the New-Mailbox or Enable-Mailbox cmdlets are run.

First, create a new text file named ScriptingAgentConfig.xml with the following data:

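<?xml version="1.0" encoding="utf-8" ?>
<Configuration version="1.0">
  <Feature Name="MailboxProvisioning" Cmdlets="New-Mailbox, Enable-Mailbox">
    <ApiCall Name="OnComplete">
      # Runs after New-Mailbox or Enable-Mailbox has finished
      if ($succeeded) {
        # The Name parameter passed to the cmdlet identifies the mailbox
        $Name = $ProvisioningHandler.UserSpecifiedParameters["Name"]
        # Make plain Reply the default response in Outlook on the web
        Set-MailboxMessageConfiguration $Name -IsReplyAllTheDefaultResponse $false
      }
    </ApiCall>
  </Feature>
</Configuration>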

Since this is an organization-wide setting, you will need to copy this file to the %ExchangeInstallPath%\Bin\CmdletExtensionAgents folder on all Exchange servers in the organization.

Finally, enable the scripting agent so it will process the code whenever the New-Mailbox or Enable-Mailbox cmdlets are run:

Enable-CmdletExtensionAgent "Scripting Agent"

Change "Reply All" behavior in OWA for Exchange Online

Unfortunately, Cmdlet Extension Agents are not available in Exchange Online. The best we can do here is to run a remote PowerShell script to change the behavior of OWA for all EXO users.

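First, run the following PowerShell one-liner to create an encoded file containing the admin credential information for Exchange Online. Export-Clixml protects the password with the Windows Data Protection API, so the file can be read back only by the same user account on the same computer: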

Get-Credential | Export-Clixml "EXOCreds.xml"

Now you can run a PowerShell script to update all mailboxes in Exchange Online. Create a file called ReplyForAll.ps1 in the same folder where you created the EXOCreds.xml file above and run it from there:

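# Open a remote session to Exchange Online with the saved credential
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential (Import-Clixml -Path "EXOCreds.xml") -Authentication "Basic" -AllowRedirection
Import-PSSession $s
# -ResultSize Unlimited: Get-Mailbox returns only the first 1,000 mailboxes by default
Get-Mailbox -ResultSize Unlimited | Set-MailboxMessageConfiguration -IsReplyAllTheDefaultResponse $false
Remove-PSSession $s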
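
Exchange Online no longer accepts Basic authentication for remote PowerShell, so the following added example (not code from the original article) makes the same change through the ExchangeOnlineManagement module. It assumes that module is installed and uses a placeholder admin UPN; because it only touches mailboxes that still default to Reply All, it can be re-run on a schedule to catch mailboxes created later.

```powershell
# Added example, not from the original article.
# Assumes the ExchangeOnlineManagement module is installed.
param(
    [string]$AdminUpn = 'admin@contoso.example',  # placeholder UPN
    [switch]$Apply                                # without -Apply, report only
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
try {
    $pending = 0
    $failed  = 0

    Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
        ForEach-Object {
            $upn = $_.UserPrincipalName
            try {
                $cfg = Get-MailboxMessageConfiguration -Identity $upn -ErrorAction Stop

                # Skip mailboxes that already default to plain Reply
                if (-not $cfg.IsReplyAllTheDefaultResponse) { return }

                if ($Apply) {
                    Set-MailboxMessageConfiguration -Identity $upn `
                        -IsReplyAllTheDefaultResponse $false -ErrorAction Stop
                }
                $pending++
                [pscustomobject]@{
                    Mailbox = $upn
                    Action  = if ($Apply) { 'Changed' } else { 'WouldChange' }
                }
            }
            catch {
                # One unreadable mailbox should not stop the whole run
                $failed++
                Write-Warning "${upn}: $($_.Exception.Message)"
            }
        }

    Write-Host "Mailboxes defaulting to Reply All: $pending; errors: $failed"
}
finally {
    # Always release the session, even after an error
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it once without -Apply to review the list, then again with -Apply to make the change.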

Restrict groups

You may wish to configure groups to restrict the users or groups who are allowed to use them. This is especially important for large or important groups, such as “All Employees”. Edit the group in the Exchange Admin Center (EAC) and select the users or groups who can use this group in the Delivery Management section.

Use moderated groups

When moderation is configured, all incoming messages will be reviewed by moderators before delivery to group members. This is useful for important groups like “Executive Committee”. Moderators can approve or reject incoming messages. Configure this using the EAC in the Message Approval section of the group. 
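
To find the groups that most need one of these two controls, the following added example (not from the original article) lists distribution groups that have neither a sender restriction nor moderation. It assumes an Exchange Management Shell or Exchange Online PowerShell session is already open, and the 25-member threshold is an assumption chosen to match the MailTips large-audience default.

```powershell
# Added example, not from the original article.
# Assumes an Exchange Management Shell or Exchange Online session is open.
$MinMembers = 25   # assumed threshold; matches the MailTips large-audience default

Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $group = $_

    # Delivery Management: an empty list means any sender may use the group
    $restricted = @($group.AcceptMessagesOnlyFromSendersOrMembers).Count -gt 0

    # Message Approval: moderated groups are already gated by a reviewer
    if ($restricted -or $group.ModerationEnabled) { return }

    # Direct members only; a nested group counts as a single member here
    $memberCount = @(Get-DistributionGroupMember -Identity $group.DistinguishedName `
                        -ResultSize Unlimited).Count

    if ($memberCount -ge $MinMembers) {
        [pscustomobject]@{
            Group                  = $group.DisplayName
            Address                = $group.PrimarySmtpAddress
            DirectMembers          = $memberCount
            # False here means unauthenticated (external) senders can reach the group
            SenderAuthRequired     = $group.RequireSenderAuthenticationEnabled
        }
    }
} | Sort-Object DirectMembers -Descending | Format-Table -AutoSize
```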

Use MailTips

MailTips are informative messages displayed to users while they compose a message in either Outlook 2010+ or OWA. It’s important to note that MailTips do not work with mobile devices or other clients. If a potential issue is detected (like replying to a large group or external users), MailTips will notify users prior to sending the message. With the help of the information provided by MailTips, senders can adjust the message they are composing to avoid undesirable situations or non-delivery reports (NDRs).

There are several best practice recommendations around MailTips:

First, review Configure Organizational Settings for MailTips to understand how you can configure various settings that define how you use MailTips in your organization. Almost all MailTips configuration is done using PowerShell cmdlets. I recommend the following:

  • Enable MailTips in your organization: Set-OrganizationConfig -MailTipsAllTipsEnabled $true (the default setting is $true)
  • Enable MailTips for external recipients: Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true (default is $false)
  • Configure the large audience size for your organization: Set-OrganizationConfig -MailTipsLargeAudienceThreshold 25 (default is 25)
  • Enable MailTips that rely on group metrics data (i.e., large audience): Set-OrganizationConfig -MailTipsGroupMetricsEnabled $true (default is $true)

Group Metrics generation is a dark art. Exchange 2010 generates Group Metrics every Sunday +/- 2 hours of midnight. Exchange 2013+ and Office 365 generate group metrics daily at a random time when the Exchange workload is light. There is no way to force generation. Group metrics are generated by the server hosting the arbitration mailbox with the GMGen attribute set to $true.

If you want to share your MailTips with a remote organization with whom you have an Organizational Relationship configured, run these two cmdlets:

  • Set-OrganizationRelationship -Identity RemoteOrgName -MailTipsAccessEnabled $true
  • Set-OrganizationRelationship -Identity RemoteOrgName -MailTipsAccessLevel All

User Training

Finally, you should instruct users how and when to use the proper reply techniques. Here are my best practices.

  • When sending an email to a large group where you don’t want replies to go to the group, send the email to yourself and BCC the group. That way, all replies will come to you, even if recipients hit Reply All.
  • Understand which recipients should be in the To, CC, and BCC fields. Use the To line for recipients to whom the email is directed, or from whom you expect a reply. Use the CC line for recipients who just need to be aware of the email but have no action to take, or from whom you do not expect a reply.
  • Don’t use BCC – It usually only gets you into trouble, especially if the person who was BCC’d hits Reply All (as is the default with OWA). Thankfully, there’s a MailTip that warns the BCC user if they do that.

I hope this article helps you and your users make the best use of email communications and keeps those email storms at bay.

Jeff Guillet is the founder and CEO of EXPTA Consulting, and is a Microsoft Certified Solutions Master and Office Servers and Services MVP. He is the author of The EXPTA Blog, as well as a published author, contributing writer, and technical editor for more than a dozen technical books and other publications.
