Since you've indicated that the post has been removed pending review of feedback, I'm submitting a new comment with specific feedback for you:
- Stop referring to "Direct Send" unless you can define clearly what it means in this context. Most recently the definitions you've given don't hold up when considering all the possibilities.
- Stop claiming that this is an inherent SMTP vulnerability. Technically true but totally meaningless. We're relying on MS to put sensible defaults in place to prevent obvious vulnerabilities.
- Address what EVERYONE should do about this, not just what customers with a certain type of configuration should do. This vulnerability affects all tenants.
- Consider renaming the setting to "Allow unauthenticated SMTP submissions from any IP address" instead of "direct send" - that is the behavior that I expect to see from this setting.
- Make this the default setting for new tenants. I generally don't want to allow this unless there is a specific reason, so it shouldn't be allowed by default.