Direct Send is a bug, not a feature!
Direct Send enabled... Fully configured SPF, DKIM, DMARC (p=quarantine sp=quarantine pct=100), with Org, partner and "relay" connectors secured to specific IPs, and we were getting Direct Send "SPAM".
Direct Send disabled and valid emails passing DMARC on those same locked down connectors are being blocked! "Diagnostic-Code: smtp;550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources."
How can I authorize sources other than with locked down connectors?????
So enabled, direct send bypasses connectors and SPF/DKIM/DMARC, but disable it and it blocks things on those same connectors that pass all inspections...
Our testing so far appears to tie at least some of the messages rejected by DS to being sent from a valid tenant mailbox address to another valid tenant mailbox address. Sending from an invalid tenant address on the same domain may/does not get blocked.
valid1@domain to valid2@domain fails. invalid@domain to valid@domain works.