Update 8/12/2025: Added the FAQ to the post. Also, to help shed more light on the Direct Send feature, we published a newer post called Direct Send vs sending directly to an Exchange Online tenant.
...
Updated Oct 06, 2025
Version 13.0
Blog Post
A colleague of mine shared https://www.reddit.com/r/sysadmin/comments/1mdqn17/comment/n65sg9o/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button on how to monitor what is actually being sent to your tenant via Direct Send via a clever Transport rule. I set it up for myself, so far so good. Using this method to "test" and see what is coming at us using Direct Send before I enable RejectDirectSend in EXO without have exceptions in place for legitimate traffic.
Blocking the sending IP from the header data (the IP that comes after the (127.0.0[.]1) in the header) in my Anti-Spam default policy has proven very effective at stopping this traffic for my tenant completely, until the next IP relay is used of course.
Alisdair Douglas
Microsoft
MicrosoftIf your MX points to EOP then a restrictive DMARC policy will do it for your domains. If policy action is none then you can use the TABL spoof list with a wildcard to block any internal spoof
Keep in mind that a DMARC policy of NONE is equivalent to not having one at all! :)
