Blog Post

Exchange Team Blog
7 MIN READ

Direct Send vs sending directly to an Exchange Online tenant

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Aug 04, 2025

After our recent post Introducing more control over Direct Send in Exchange Online, there have been more questions about scenarios that are not actually Direct Send such as senders being able to ignore a domain’s MX record and send directly to an Exchange Online tenant. This post tries to address those questions.

How does mail flow work in Exchange Online?

Exchange Online is a cloud environment where organizations (tenants) can host mail services by signing up for a Microsoft 365 subscription that includes Exchange Online service. The tenant admin can set up users, and assign them a license, so they can use mail services.

Any tenant with an active Exchange Online subscription will have an endpoint that is automatically created for use by customers to configure their MX records. That endpoint is an easy-to-use replacement to having to use IP addresses. For example:

contoso-com.mail.protection.outlook.com

Note: This endpoint is not supposed to be a secret, and anyone can guess what it is. There is no security threat in anyone knowing this publicly facing endpoint. This endpoint has no authentication associated with it. It simply resolves to the IP addresses of our service. Someone could send an email to Contoso’s endpoint and address it to the mailbox of a different tenant and that email would be attributed to the actual recipient’s tenant in case where the tenants’ regions allow it.

For example, Contoso and Fabrikam are two different tenants hosted in Exchange Online. A sender uses contoso-com.mail.protection.outlook.com to connect to Exchange Online and sends an email to a fabrikam.com mailbox. That email is delivered directly to Fabrikam’s tenant and mailbox and Contoso’s tenant is not involved. Their (Contoso's) endpoint merely resolved to a shared IP used in the service. 

We receive numerous claims of emails being relayed from one tenant to another by using this method which is incorrect. No relaying takes place from one tenant to the other.

While we offer a fully featured protection suite as part of Exchange Online and millions of customers trust us to receive emails directly, some customers choose more complex routing configurations that include setting their MX records to point to other filtering and relay services before emails are routed to Exchange Online.

Customers who choose to introduce complex routing into their mail flow need to understand the ramifications of doing so and take action to change the default behavior with which Exchange Online operates. As email was designed, by default, we accept all emails addressed to your mailboxes that are sent directly to us.  

For organizations with complex mail routing needs, administrators can create custom connectors and mail flow rules to configure their mail flow. To learn more about connectors and mail flow rules in Exchange Online, you can check the following articles:

What is "Direct Send"?

Direct Send, as defined in the blog post linked above in detail, is the term used for sending emails directly to your mailboxes from a domain you own without any user or on-premises connector authentication. Direct Send is a method of sending emails to yourself when other options are not viable. If a customer does not use this method, we introduced a setting to turn it off so that any bad actors trying to spoof your own domains and send emails to your mailboxes are rejected outright. Direct Send emails could be sent to the MX record endpoint we provide or the endpoint that 3rd party service provide so that emails first route to them.

Direct Send and how to disable it is described in more detail in the blog post: Introducing more control over Direct Send in Exchange Online | Microsoft Community Hub.

Further information on how to use Direct Send for sending emails from a device or application can be found here: How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 | Microsoft Learn

What Direct Send is not

Given the definition above, there is a scenario customers have been bringing up that is not “Direct Send” but the more general concept of sending directly to an Exchange Online tenant. With the publicly known and accessible Exchange Online provided endpoint, anyone on the internet can send emails to your tenant by default. That is how email works. Customers who introduce complex routing to their mail flow may define that ability as a “loophole” and might not like it. If that is the case, it’s a situation created by a configuration decision (complexity was added into email routing) which then needs to be closed.

How to secure against sending directly to your Exchange Online tenant when your MX is not pointed to Exchange Online?

In some cases where MX records for a domain are pointing to a service other than Microsoft 365, organizations may not want email to be delivered directly via their Exchange Online endpoint or may want to limit such email to ensure it is processed in a predefined way.

The recommended solution to secure this “email sent directly to your public Exchange Online endpoint” path is to configure the service to reject messages unless they come through defined inbound mail flow connectors. This can be achieved by creating an Inbound connector as recommended on step 4 in the support article mail flow best practices when using a third-party cloud service with Exchange Online to limit traffic to the specified connector by including the “RestrictDomainsToCertificate” or “RestrictDomainsToIPAddresses” depending on the connector type. With this configured, only mail that passes through an inbound connector is allowed into your tenant, otherwise it will be rejected. The above steps should be sufficient to protect against direct delivery to your tenant. However, you can also choose to enable “Reject Direct Send”, which will reject any emails where the P1 sending domain, envelope sender, is an accepted domain in the tenant unless these are attributed to a configured Inbound connector. For more details about this feature and how to implement it, please see the following article: Introducing more control over Direct Send in Exchange Online | Microsoft Community Hub.

“What if we are not ready to lock down the tenant or enable Reject Direct Send?”

If you are concerned about rejecting unknown legitimate mail traffic by securing sending directly, we recommend that you create a transport rule that quarantines or redirects all mail that is not coming from the remote IPs you approved.

Here is an example of mail flow rule configurations that could be used. The recommendation is to set the mail flow rule priority to zero to be processed before any other rules and enable “Stop Processing more rules”.

Please note that this example is simplified and that every organization may need to adapt the mail flow rule to their existing mail flow configuration and requirements. If any assistance is required with mail flow rule configuration, please contact Microsoft Support.

This mail flow rule will quarantine all emails, not coming from MX records IPs or on-premises IPs or from other authorized IPs sending emails directly to Exchange Online with or without a connector.

Rule parameters are:

  • Apply this rule if: Apply to all messages
  • Do the following: Deliver the message to the hosted quarantine and Stop processing more rules
  • Except if: sender ip addresses belong to one of these ranges: ''MX records + on-premises IPs + other authorized IPs“

OR

  •  'X-MS-Exchange-Organization-AuthAs' header contains ''Internal''

To do this through PowerShell, you can use the following command:

New-TransportRule -Name "Redirect to quarantine if not coming from known IPs" -Quarantine $true -ExceptIfHeaderContainsMessageHeader 'X-MS-Exchange-Organization-AuthAs' -ExceptIfHeaderContainsWords 'Internal' –ExceptIfSenderIpRanges ‘MX records + on-premises IPs + other authorized IPs ' -StopRuleProcessing $true -Priority 0

“How can we see all emails sent directly to our tenant (i.e. not through a connector)?”

There are a few ways to generate reports with emails received without an Inbound connector. For organizations that don’t have an Inbound connector created for the emails received from the 3rd party service used as MX records, the reports will include these emails too, so they need to be filtered out.

The following options are helpful when the MX is pointed to a third-party service. If the MX is pointed directly to Exchange Online, these options may display all inbound emails.

Option 1: Use the Historical Message Trace to generate a report with all inbound emails received without a connector. The report can be generated for the last 90 days:

Start-HistoricalSearch -ReportTitle DirectSendMessages -StartDate 07/01/2025 -EndDate 07/24/2025 -ReportType ConnectorReport -ConnectorType NoConnector -Direction Received -NotifyAddress admin@contoso.com

To generate the same report as above from the UI, you can use the Inbound messages report from Exchange Admin Center > Reports > Mail flow. Inbound messages and Outbound messages reports in the new EAC in Exchange Online | Microsoft Learn (Please note the exceptions where messages will not be included in these reports).

Option 2: Organizations that have Defender for Office P2 subscription can use Threat Explorer and Advanced Hunting to generate additional reports

If you use the following filter in Threat Explorer, it’ll show all emails received in the tenant without a connector and it can be generated for the last 30 days:

Directionality = Inbound, Connector > equals none of > list all the Inbound connectors in the tenant comma separated (without quotes).

Use the following queries in Advanced Hunting then use Export to CSV.

EmailEvents
|where Timestamp > ago(30d)
|where EmailDirection == 'Inbound' and Connectors == '' and isnotempty(SenderIPv4)
|project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, NetworkMessageId, EmailDirection, Connectors, SenderIPv4,

A query to summarize and count emails per sending IP address:

EmailEvents
| where EmailDirection == "Inbound" and Timestamp>= ago(30d) and Connectors == "" and isnotempty(SenderIPv4)
| summarize count() by SenderIPv4

Microsoft 365 Messaging Team

Updated Aug 07, 2025
Version 7.0
exchange online
hybrid
protocols
security
tips 'n tricks
transport

119 Comments

Show More
  • Marcin K.'s avatar
    Marcin K.
    Brass Contributor
    Aug 07, 2025

    Dear Community

    I would like one thing to be clarified, as it confuses me. In case of scenario where MX record points directly to M365 (company.mail.onmicrosoft.com) - what happens if I set RejectDirectSend to true? Does it stop also "normal", legitimate emails from Gmail for example, from being delivered to internal recipients?

    Sorry if it seems to be a stupid question but I see some ambiguity around "Direct Send" term. Some people refer to it only in the context of emails with MailFrom (P1) address belonging to an internal (accepted) domain. But if I read it properly, Direct Send endpoint is responsible for all emails delivered to M365, if MX points to Microsoft. I will be grateful for clarification.

     

    Best Regards 

    Marcin 

    • Mithun_Rathinam's avatar
      Mithun_Rathinam
      Icon for Microsoft rankMicrosoft
      Aug 07, 2025

      Marcin K.​ No, if you set RejectDirectSend to $True, it will block any anonymous messages sent from your own domain to your organization’s mailboxes that are not routed through an inbound connector. This setting does not affect emails from external domains like gmail.com.

      • Direct Send: Refers to anonymous messages sent from your own domain to your organization’s mailboxes. Direct Send emails could be sent to the MX record endpoint we provide contoso-com.mail.protection.outlook.com) or the endpoint that 3rd party service provide so that emails first route to them.
      • Email sent directly to your public Exchange Online endpoint: This refers to any anonymous messages from external senders (e.g., gmail.com) sent to the EXO Public endpoint directly, (ex: contoso-com.mail.protection.outlook.com) even when MX is pointed to 3rd party.

       

      • fireandblood's avatar
        fireandblood
        Copper Contributor
        Aug 07, 2025

        Why haven't you included a report or query for those of us with MX pointed directly to Exchange Online? You have left us with no visibility into emails that are a significant security risk. The queries provided are returning all emails, which is not helpful.

  • SillyGooseHere's avatar
    SillyGooseHere
    Copper Contributor
    Aug 07, 2025

    Also, I haven't gotten a response from direct send feedback .. so, I'll post it here.  

    We're seeing a NDR to the end user for each attempt that lands in junk email when Reject is $true.  

    • SillyGooseHere's avatar
      SillyGooseHere
      Copper Contributor
      Aug 11, 2025

      I'm bumping myself up because this NDR issue looks to be ignored by Microsoft even after giving feedback.

  • MarkLH69's avatar
    MarkLH69
    Copper Contributor
    Aug 07, 2025

    Good article, thanks for updating it.

    I believe the reason so many clients "chose" to implement "complex mail routing" initially was that, in the early years, Exchange Online Protection was very inadequate at stopping spam and even malware on occasions. We went through this pain for some time.

    Granted it is a lot better now, though we still had to add Check Point Harmony protection (via mail flow connectors) in order to get adequate protection (once we moved our MX records away from ProofPoint).

     

  • Secret_Work_Persona's avatar
    Secret_Work_Persona
    Copper Contributor
    Aug 07, 2025

    Our MX records point to a 3rd party service, and we have a Partner Inbound connector for it with defined IP addresses and RestrictDomainsToIPAddresses is currently $false. We are considering our options including enabling that setting. However, we have other Inbound Partner connectors for specific senders with their IP addresses and the restriction on those is also set to $false.

    To lock down our organization must we enable RestrictDomainsToIPAddresses on all Partner Inbound connectors, or is it a global setting that is effective across the organization when it's set on the first connector?

    The multiple Partner Inbound connectors were set up before I joined the org and those folks are gone. Is there any advantage or disadvantage to having multiple Partner connectors if the settings are the same other than the IP Addresses? Without a purpose different than the others, they feel redundant.

    Thank you for clarifying Direct Send and its behavior.

    • Mithun_Rathinam's avatar
      Mithun_Rathinam
      Icon for Microsoft rankMicrosoft
      Aug 07, 2025

      Secret_Work_Persona​ , Having multiple inbound partner connectors is acceptable based on your requirements.

      However, to lock down your tenant, you can configure the RestrictDomainsToIPAddresses setting in the inbound partner connector that uses a sender domain of * and includes the IP addresses of your third-party service. This ensures that:

      • While other connectors for specific senders continue to accept emails from their respective sources ( For ex: Direct send to MX record endpoint)
      • The connector with the restriction will reject any emails that originate from unauthorized sources, even if they claim to be from your domain.
      • Secret_Work_Persona's avatar
        Secret_Work_Persona
        Copper Contributor
        Aug 07, 2025

        Thank you for the response. So I'm clear, enabling the RestrictDomainsToIPAddresses setting on one inbound connector locks down the tenant even though that setting is not set on other inbound connectors.

  • mroh67's avatar
    mroh67
    Copper Contributor
    Aug 07, 2025

    It’s clear the definition of “Direct Send” keeps changing as criticism mounts. This feels more like PR than real technical clarity. Why does this new stance seem to shift more blame toward admins and third-party security services, when the actual issue is with your service—not theirs? Those providers reject these messages if sent direct, but Exchange Online allows them. Please address the root cause, not just redefine terms.

    • Mithun_Rathinam's avatar
      Mithun_Rathinam
      Icon for Microsoft rankMicrosoft
      Aug 07, 2025

      The definition remains unchanged. However, the document has been updated to provide greater clarity based on the confusion we observed.

      • Direct Send: Refers to anonymous messages sent from your own domain to your organization’s mailboxes. Direct Send emails could be sent to the MX record endpoint we provide contoso-com.mail.protection.outlook.com) or the endpoint that 3rd party service provide so that emails first route to them.
      • Email sent directly to your public Exchange Online endpoint: This refers to any anonymous messages from external senders (e.g., gmail.com) sent to the EXO Public endpoint directly, (ex: contoso-com.mail.protection.outlook.com) even when MX is pointed to 3rd party.

       

      Regarding Direct send - We also plan to enable this feature in the future for new tenants by default. This is part of our effort to make your organizations more secure by default. Note that the plan includes new tenants being unable to disable this feature as we move to deter use of unauthenticated Direct Send traffic. Ref - Introducing more control over Direct Send in Exchange Online | Microsoft Community Hub 

       

      • mroh67's avatar
        mroh67
        Copper Contributor
        Aug 07, 2025

        "remains unchanged" and then proceeds to describe how it was changed, excluding behavior that the previous description included. 👍

         

        Previously, there was a heading "How to secure Direct Send?" that now calls it something else. 

         

        You know what you did. 

  • StringFolk's avatar
    StringFolk
    Copper Contributor
    Aug 06, 2025

    Since you've indicated that the post has been removed pending review of feedback, I'm submitting a new comment with specific feedback for you:

    1. Stop referring to "Direct Send" unless you can define clearly what that it means in this context. Most recently the definitions you've given don't hold up when considering all the possibilities.
    2. Stop claiming that this an inherent SMTP vulnerability. Technically true but totally meaningless. We're relying on MS to put sensible defaults in place to prevent obvious vulnerabilities.
    3. Address what EVERYONE should do about this, not just customers with a certain type of configuration should do. This vulnerability affects all tenants.
    4. Consider renaming the setting to "Allow unauthenticated SMTP submissions from any IP address" instead of "direct send" - that is the behavior that I expect to see from this setting
    5. Make this the default setting for new tenants. I generally don't want to allow this unless there is a specific reason, so it shouldn't be allowed by default.
  • jberg7120's avatar
    jberg7120
    Copper Contributor
    Aug 06, 2025

    Arindam_Thokder​ Isn't that dangerous though to turn on something like that requires no authentication?  I mean we're obviously seeing spoofing attacks happening because of this feature.  Why couldn't this function be developed as a separate connector giving the exchange admin control over it so it doesn't leave the tenant email environment vulnerable?  I would think having an Inbound Connector that I could select as a 'DirectSend Connector' would make sense if I wanted to utilize this instead of making it a global thing.  At least with that being built into a connector could or have the option to enforce TLS, authentication, etc.

    • Arindam_Thokder's avatar
      Arindam_Thokder
      Icon for Microsoft rankMicrosoft
      Aug 06, 2025

      If we do not allow email sent to users without authentication, how would mailboxes in a tenant receive external email like from Hotmail/Gmail/Yahoo etc? 

      • StringFolk's avatar
        StringFolk
        Copper Contributor
        Aug 07, 2025

        ...by denying anonymous senders the ability to submit MAIL FROM commands for accepted domains, while allowing remote domains to submit messages and then routing them through something to check SPF, DKIM, DMARC?

  • StringFolk's avatar
    StringFolk
    Copper Contributor
    Aug 06, 2025

    I'm not really buying the "all SMTP servers behave this way" argument. Sure that's true out of the box, but try sending an unauthenticated message through the primary Gmail server and you'll get an error 5.7.0 Authentication Required. 

     

    Can you clarify what the specific recommendations are for tenants that DO point MX directly to the smart host? Obviously we can't enable RejectDirectSend in these cases, and some orgs may not be ready to enforce DMARC alignment. Sure would be helpful to just reject messages that aren't authenticated...

     

    The article https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365 makes a distinction between "Client SMTP Submission" and "DirectSend", but it seems in reality there is no difference between the two. I would like to allow the former and disallow the latter, but I can't understand how to do that.

    • Arindam_Thokder's avatar
      Arindam_Thokder
      Icon for Microsoft rankMicrosoft
      Aug 06, 2025

      StringFolk​ - There is a huge difference between "Client SMTP Submission" and "DirectSend". Client SMTP Submission allows relay. Using this method, you can submit an email to your tenant to any external domain. DirectSend on the other hand does not allow relay, using direct send, you can only send email to recipients in your own domain. Anything else will cause an 5.7.0 Authentication Required error (just like Gmail example you mentioned). 

      • StringFolk's avatar
        StringFolk
        Copper Contributor
        Aug 06, 2025

        Arindam_Thokder​ But as I understand it, for internal recipients, the only difference in the two is whether the client specifies authentication credentials; if not, the submission is considered DirectSend UNLESS there is a connector set up, right? So if I have a tenant whose domain's MX records point to their smart host, and I only want to allow messages that 1) Use an IP-authenticated connector (e.g. copiers), 2) Are internally generated (e.g. from Sharepoint) or 3) Are submitted by smtp clients using modern auth, how would I accomplish that? 

    • jberg7120's avatar
      jberg7120
      Copper Contributor
      Aug 06, 2025

      StringFolk​ I agree.  It seems odd to me to hear "this is the way SMTP operates" from some of the Microsoft guys.  What's the point of adding in this feature if you're going to say "this is the way SMTP operates" with this feature.  I mean what's the point?  If there's a 'default send connector' built in that "operates SMTP" (I promise I'm not trying to be snarky or sarcastic with my quotes.  Just trying to understand), then what would this feature even be used for?  It seems like another default incoming/outgoing connector built in.  It's almost like you're trying to re-invent the wheel here.

      • StringFolk's avatar
        StringFolk
        Copper Contributor
        Aug 06, 2025

        jberg7120​ I think part of the issue is that these terms aren't well defined. Since there is only a single endpoint for all types of SMTP submission, there really is no systematic differentiation between the different types. Instead, a combination of factors is used to determine whether a submission is allowed. Some of these factors are visible/manageable by tenant admins via mail flow rules and connectors, but others are not (e.g. allow internal recipients only for unauthenticated submissions). That means that the definition of "Direct Send" doesn't really match what they've said here, which is essentially "Sending directly to the endpoint." -- not untrue, but also true of both IP-based connectors and authenticated smtp client submission.

  • jberg7120's avatar
    jberg7120
    Copper Contributor
    Aug 06, 2025

    I had a ticket open with a 3rd party Microsoft vendor that alluded to the possibility that the 'mydomain.mail.onmicrosoft.com' records were the reason for the spoofing attacks in how they are able to find that our domain/tenant exists in the M365 cloud.  Then the attacker used the DirectSend for the attack.  I opened a ticket with Microsoft to have those MX records updated since we don't own the .onmicrosoft.com domain.  Why is it that we can't change those MX records?  That would would help tremendously to ensure that ALL of our stuff is not pointing directly to the cloud.  

    With that being said, we personally follow and have strict SPF, DKIM, and DMARC in place and this attack STILL bypassed all of those.  When I analyzed the message headers, they stated ALL failed... including ARC, and yet a couple of messages still go through.  So anything regarding that DirectSend was protected by these is false.

    Here's what I think we all need to see changed is the tenant lockdown... all tenants, need to be treated like an on-premise system.  I get that there are things in place like Defender, Forefront, etc, but if I have a 3rd party (i.e Barracuda, Proofpoint, etc), and I want that to be front door, I should have the means and control to ensure ALL emails flow through only the front door.  That's the way my on-premise is setup.  There are no windows or other doors that it can be accessed.  My tenant needs to be the same.  Introducing features like this and have a 'default' inbound connector that a tenant admin cannot control or touch only leaves to more vulnerability.  Yes I know Microsoft publishes articles on best practice and how to secure your tenant, but it should closed off completely by default.  I shouldn't have to make changes in the defender portal anti-spam policies if I have other protections in place.  I do have an inbound connector built to reject all emails coming directly to the tenant.  In hindsight, I should not have to build that.  I should not see messages quarantined in the Microsoft defender because of attempted access through an open protocol/port that I can't control or is on by default.

    • SillyGooseHere's avatar
      SillyGooseHere
      Copper Contributor
      Aug 07, 2025

      are you positive your anti-phishing policy has 'honor dmarc' set to reject/quarantine and high confidence phishing to quarantine/reject?  What none of these MS blogs and other articles state very clearing is that: 

      There is no direct send issue if:

      1. you have dmarc setup in dns to reject/quarantine with proper alignment
      2. your O365 anti-phishing policies have the proper reject/quarantine setting as mentioned above

       

      I have done multiple tests, we do not have DirectSendReject to $true,  O365 properly quarantines or rejects 99% (depending on the domain I test with) of the emails when it looks like it's a direct send attack in the headers (99% of my test emails are quarantined/rejected). I am dealing with them on the remaining percentage that gets delivered.

    • Mithun_Rathinam's avatar
      Mithun_Rathinam
      Icon for Microsoft rankMicrosoft
      Aug 06, 2025

      jberg7120​ 

      The *.mail.onmicrosoft.com domain is automatically assigned to a Microsoft 365 tenant and used internally by Microsoft for mail routing (especially in hybrid setups). You can't change or remove its MX records because Microsoft owns and manages the onmicrosoft.com domain and its DNS records , tenants have no control over them.

      Attackers may exploit DirectSend if the tenant is misconfigured, but the MX record itself isn’t the root cause; it’s about how your tenant is configured to accept mail.

      Additional explanations have already been shared with you in other chats by me and Arindam.

  • Renat Matveev's avatar
    Renat Matveev
    Brass Contributor
    Aug 06, 2025

    Big disrespect for "DirectSend" enabled by default for all. It's a shame. We received tons of phishing emails from "our users" to our internal users. I checked Exchange On-premise, no issues, no submits of phishing emails there. Then I checked Exchange Online... Phishing sent from random non-MS IPs (from OVH cloud, for example), using DirectSend. With violation of SPF, DMARC, DKIM. With our users in "From" and "To" fields. Exchange Online submits all these scams and delivers them as legitimate emails. Without "This email is external" headers. Proofpoint Antispam on our MX addresses? Centralized routing via Exchange On-premise without allowing sending and receiving by ExO cloud? Microsoft don't care, ExO submits emails without authentication. Invalid SPF, violation of DMARC? Pff...

    3 months of active exploitation by spammers and phishers (https://www.varonis.com/blog/direct-send-exploit ). Instead of emergency disabling "feature" for all you are writing an article "What is Direct Send and how to secure it". 4 trillion dollars company...

     

    • Mithun_Rathinam's avatar
      Mithun_Rathinam
      Icon for Microsoft rankMicrosoft
      Aug 06, 2025

      Renat Matveev​ , This hasn't been enabled recently. Direct Send really is how any SMTP server works, it listens on port 25 and accepts messages addressed to recipients within the tenant's accepted domains. However, by design, the basic SMTP protocol is inherently vulnerable to spam and spoofing, as it lacks built-in mechanisms to prevent such abuse. Implementing strong SPF, DKIM, and DMARC policies can significantly reduce the risk of unauthorized emails. That said, when your MX records point to a third-party service, it's always recommended to lock down your Exchange Online (EXO) tenant, as outlined in Step 4 of our documentation https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud . With this configured, only mail that passes through an inbound connector is allowed into your tenant, otherwise it will be rejected.

      4. Lock down your Exchange Online organization to only accept mail from your third-party service.

      Create and configure a Partner inbound connector using either TlsSenderCertificateName (preferred) or SenderIpAddresses parameters, then set the corresponding RestrictDomainsToCertificate or RestrictDomainsToIPAddresses parameters to $True. Any messages that are smart-host routed directly to Exchange Online will be rejected (because they didn't arrive over a connection using specified certificate or from the specified IP addresses).

      Microsoft understands the recent concerns around Direct Send, and while the attention is valid, it's important to clarify that SPF validation does occur for Direct Send messages. These emails are also subject to Compauth evaluation, and the final verdict can vary depending on how the domain’s MX records are configured.

      So, while the reaction may seem heightened in some cases, it has helped surface scenarios where tenants may not be fully locked down, especially when inbound connectors aren't properly configured. This awareness has led to positive action, with many organizations now taking steps to strengthen their mail flow security. We believe the conversation is valuable and are committed to providing clear guidance to help secure Direct Send paths effectively.

      • MJ-2050's avatar
        MJ-2050
        Copper Contributor
        Aug 06, 2025

        I call BS on this one. We have SPF, DKIM and DMARC locked down and these messages still got through. 
        We setup a partner connector, since we use an email gateway, with IPs, however, even if you specify IPs the connector still allows ALL traffic through UNLESS you configure "RestrictDomainsToIPAddresses parameters to $True" via powershell. I mean to allow admins to add IPs to the connector via the GUI and not give them the "checkbox" to restrict the connector to those IPs is beyond me... very frustrating. 

        If we didn't have a partner connector, then how do we lock this down if Exchange allows all of these spoofed emails in, even with strict PF, DKIM, and DMARC controls? In reality the only way is to enable direct-send block. Such poor design. MSFT deserves to get all the flak for this poor design...  disable this by default instead of exposing EVERY O365 tenant to drive-by-phishing attacks. 

        Why do folks add Abnormal Security on top of O365 or 3rd party email gateways in front of O365.... It's because O365 security is garbage...