Blog Post

Exchange Team Blog
8 MIN READ

Introducing more control over Direct Send in Exchange Online

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Apr 28, 2025
Update 8/12/2025: Added the FAQ to the post. Also, to help shed more light on the Direct Send feature, we published a newer post called Direct Send vs sending directly to an Exchange Online tenant. ...
Updated Oct 06, 2025
Version 13.0
announcements
exchange online
security
tips 'n tricks
transport
Arindam_Thokder's avatar
Arindam_Thokder
Icon for Microsoft rankMicrosoft
Jul 16, 2025

If the email is blocked by Direct Send control, you won't be able to trace the message, because it will be blocked at the protocol layer with the following error-

The server response was: 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources.
The fact that you are able to run message trace for the message means it is not blocked by the Direct Send control.

Having said that, to see the connector data, you can run the following command (give it some time after sending the email so that the data is populated)
> Get-MessageTrace -MessageId "your message ID here" | Get-MessageTraceDetail | fl 

In the output, you should be able to see the connector name like following-

You can also see the connector name under Email entity page (it will show the GUID of the connector)



N-Auxility's avatar
N-Auxility
Copper Contributor
Jul 18, 2025

How do we handle external sources that can send email in name of accepted domains (covered by SPF, DKIM and DMARC), but for which a connector is not possible or difficult to achieve? I am talking about third party platforms that are using cloud/hosted email services for distribution of email. I do not deem it to be wise to define connectors for these type of mails, for it will allow uncontrolled inbound traffic from these services going unchecked by DMARC coverage (namely DKIM, as SPF would be equally flawed for these types of setups)?
I guess this is expected behavior given what is outlined in the blogpost, but is there really no way for Microsoft to achieve this on Exchange Online side by for example having the protocol layer pass on an 'evaluation' to an intermediate layer which dictates the mail was received via Direct-Send or not. Then DMARC compliance should be evaluated and determine whether the email should be delivered to the inbox or not?
We are seeing this phenomenon with multiple of our clients who are taking the step to disabling Direct-Send.