Hi Microsoft 365 Messaging Team,
Appreciate Microsoft's support for Direct Send - it's a great feature when MX points to a 3rd-party service. There was still a possible workaround to restrict it using a partner connector. However, when MX points to Exchange Online Protection, there's increased risk.
We'd love to see Microsoft:
- Enforce TLS by default during SMTP handshake.
- Apply SPF, DKIM, and DMARC checks to all emails, even those from internal-looking domains received externally
- Provide admin controls and reporting for these scenarios
Other 3rd-party providers like Proofpoint, FireEye, and Google block or flag such emails by default before they get delivered to the user mailbox. Similar safeguards in EOP would greatly reduce spoofing and phishing risk. This would be a significant change and would help customers move the dependency on relaying through other 3rd-party services.