After our recent post Introducing more control over Direct Send in Exchange Online, there have been more questions about scenarios that are not actually Direct Send such as senders being able to igno...
Updated Aug 07, 2025
Version 7.0
Blog Post
We've been inundated by spoofed internal e-mails recently, and I'm not sure we ever enabled direct-send. But to mitigate we've created the transport rule above. But in our transport rule exception we do not have the option of:
- Except if: sender ip addresses belong to one of these ranges: ''MX records + on-premises IPs + other authorized IPs“
There is no rule which allows us to specify our own FQDN MX record, because the field validation only accepts IP addresses and CIDRs. So when we enable the transport rule all mail from remote senders go to quarantine.
Is the MX record a feature of some higher tiered plan? Or are we doing this wrong and must we find access to a powershell console to disabledirectsend $TRUE?
Thanks
Howdy gang and thanks, our MX record is not external to Microsoft, it's actually a tenant managed tenant-name.01e.mail.protection.outlook.com address. That name I'm guessing roundrobbins to many different internal Microsoft IPs. So even if we resolve one of them there may be others that send external mail to Quarantine.
As it stands now I think folks are able to submit mail from any old IP as long as they're mail from: email address removed for privacy reasons
and mail to: mailto:email address removed for privacy reasons
Thanks
- Mithun_Rathinam
Microsoft
If your MX record is pointed to Exchange Online Protection (EOP), the above mentioned transport rule method is not applicable for blocking anonymous internal domain traffic, by setting such exceptions . Instead, you can enable RejectDirectSend to block emails sent from an accepted domain to your organization’s mailboxes from unauthorized sources.. Otherwise, https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about helps by default.
In such case this Transport Rule is not a solution indeed - rather Advanced Hunting query returning results from EmailEvents table, with SenderMailFromAddress attribute specifying your domains. You would need to modify slightly an example query provided in the above article. This way you can determine messages delivered via Direct Send.
- Mithun_Rathinam
theronuser , In other words, you can exclude all trusted IPs from which you accept direct emails to Exchange Online Protection (EOP), such as IPs from third-party services (where the MX is pointed), on-premises servers, and other trusted sources.
theronuser, you just have to provide IP address(es) your MX record(s) resolve(s) to - not the record entry itself.
