I would like to submit this as sort of a peer review. This article is not meant to be applied to companies utilizing 3rd party AntiSpam, i.e. Barracuda/Mimecast/Proofpoint although it does discuss them. For them we have been locking down their connectors when applicable.
I have been utilizing a method similar to the method described in the “How can we see all emails sent directly to our tenant (i.e. not through a connector)?” portion of “What is Direct Send and how to secure it”.

We start by running a message trace summary report, inbound, for the past 90 days. One report for each domain in the tenant with the recipient being *@domain.com. Combine the .csvs, and filter the sender for any domains in the tenant. These are emails which are being sent from currently unauthenticated sources. Emails sent via internal/"your org" connectors do not appear to show on these reports and would be unaffected by disabling direct send according to this article, whereas external/"partner org" connectors do show on this report. Once we have verified and authenticated legitimate sources, we should be able to block direct send.

This is a leg up on the Mail Flow Rule I have seen described, as it will allow for 90 days, up to 100 thousand emails per domain, worth of historical data to be analyzed instead of just the emails we have received since the rule was implemented. It is also better than the inbound connector report for clients without a 3rd party AntiSpam described in “What is Direct Send and how to secure it”, as it gives more insightful reporting, such as originating IP address and Subject, which can be used to determine if the sender is a system that needs to be authenticated with a connector.
Let me know if you see any holes in this theory.
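One way to script the "combine the .csvs and filter the sender" step, as an added example that is not part of the original post: it merges the per-domain reports, keeps only senders in the tenant's own domains, and groups them by originating IP with sample subjects. The column names are assumptions about the export header (adjust them to your files), and the sample rows and domains are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed column names for the exported report; adjust to match your CSV header.
SENDER, CLIENT_IP, SUBJECT, MSG_ID = (
    "sender_address", "original_client_ip", "message_subject", "message_id")

def sender_domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].strip().lower() if "@" in address else ""

def internal_sender_sources(reports, tenant_domains):
    """Merge per-domain report streams; return {(sender, ip): {count, subjects}}."""
    tenant = {d.lower() for d in tenant_domains}
    seen = set()
    sources = defaultdict(lambda: {"count": 0, "subjects": []})
    for stream in reports:
        for row in csv.DictReader(stream):
            sender = (row.get(SENDER) or "").strip().lower()
            if sender_domain(sender) not in tenant:
                continue  # sender is not one of our own domains
            # A message to recipients in two tenant domains appears in both
            # reports; count it once.
            key = row.get(MSG_ID) or tuple(map(str, row.values()))
            if key in seen:
                continue
            seen.add(key)
            entry = sources[(sender, (row.get(CLIENT_IP) or "").strip())]
            entry["count"] += 1
            subject = row.get(SUBJECT) or ""
            if subject not in entry["subjects"] and len(entry["subjects"]) < 3:
                entry["subjects"].append(subject)
    return dict(sources)

# Constructed sample data standing in for two per-domain exports.
HEADER = "message_id,sender_address,message_subject,original_client_ip\n"
REPORT_A = HEADER + (
    "<1@x>,scanner@contoso.example,Scan to email,203.0.113.10\n"
    "<2@x>,alice@partner.example,Quote,198.51.100.7\n"
    "<3@x>,Scanner@Contoso.example,Scan to email,203.0.113.10\n")
REPORT_B = HEADER + (
    "<3@x>,scanner@contoso.example,Scan to email,203.0.113.10\n"
    "<4@x>,hr@fabrikam.example,Payroll update,192.0.2.55\n")

if __name__ == "__main__":
    found = internal_sender_sources(
        [io.StringIO(REPORT_A), io.StringIO(REPORT_B)],
        ["contoso.example", "fabrikam.example"])
    for (sender, ip), info in sorted(found.items()):
        print(info["count"], sender, ip, info["subjects"])
```

For real exports, pass open file handles instead of the `io.StringIO` samples; each (sender, IP) pair in the result is a candidate source to verify before blocking direct send.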