Really frustrated with this. We've got several customers that have issues with DirectSend (DS) messages coming from their own domain, but not from any legitimate IPs. This seems like a serious loophole. Rejecting Direct Send is a pain in the butt because if you use a lot of external services (Constant Contact, Zendesk, Shopify, etc.) then you have to jump through hoops to figure out some method to allow these DirectSend messages to come through. So, if we've got 4 or 5 different "vendors" that send legitimate email, we have to figure out what kind of transport rules or connectors to set up, and often the vendors themselves have no clue how to do this, and honestly there's not much clarity from Microsoft or vendors on how to set this up right.
Right now my best effort is to leave DS enabled and just have messages SPF hard fail and go to Junk. However, that's not a solution when we get DS messages with malicious calendar invites/meetings that have malicious attachments, as they still get processed regardless of going to Junk because Microsoft in their infinite wisdom has broken/removed the ability for users to block calendar invites from getting automatically processed. And that's a discussion for another day.
I tried Transport rules using X- headers and allowing legitimate DS messages through, but that doesn't work. Blocking messages via transport rules hasn't been working. Maybe I don't know wth I'm doing.
All I know is that it shouldn't be this hard to get bad messages blocked. The fact that DirectSend is being massively exploited in the first place means there's an issue with the process and should be solved at the Microsoft level.
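For readers who want to see what the approach described in the post (leave Direct Send on, catch own-domain mail that hard-fails SPF, carve out the known vendors) looks like in Exchange Online PowerShell, here is an added example. It is not the poster's configuration and the poster reports that transport rules did not work for them; it is written against the ExchangeOnlineManagement module as one way to express that rule. The domain contoso.com, the vendor IP ranges, and the assumption that the tenant exposes the RejectDirectSend organization setting are all placeholders and should be checked against your own tenant.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and you hold a role that can manage mail-flow rules.
Connect-ExchangeOnline

$ownDomain = 'contoso.com'                       # assumption: your accepted domain
$vendorIPs = @('203.0.113.0/24', '198.51.100.10') # assumption: documented sender
                                                  # ranges for the external services

# Mail-flow rule: mail claiming our own domain, arriving over an unauthenticated
# (external) connection, that EOP has stamped as an SPF hard fail, goes to
# quarantine unless it came from one of the vendor ranges above.
# Splatting keeps each parameter on its own line so the intent is readable.
$ruleParams = @{
    Name                       = 'Quarantine unauthenticated own-domain mail'
    Mode                       = 'Audit'              # run in audit first; flip to 'Enforce'
                                                      # after reviewing what it would have caught
    FromScope                  = 'NotInOrganization'  # Direct Send is an anonymous, external submission
    SenderDomainIs             = $ownDomain           # message claims to be from us
    HeaderMatchesMessageHeader = 'Authentication-Results'
    HeaderMatchesPatterns      = 'spf=fail'           # hard fail only; 'spf=softfail' does not match this
    ExceptIfSenderIpRanges     = $vendorIPs           # the legitimate Direct Send senders
    Quarantine                 = $true
    Comments                   = 'Own-domain mail that fails SPF and is not from a known vendor IP'
}
New-TransportRule @ruleParams

# Confirm the rule landed with the expected state, mode and priority.
Get-TransportRule | Format-Table Name, State, Mode, Priority

# Tenant-wide alternative (the setting the post refers to as "rejecting Direct
# Send"). Assumption: the RejectDirectSend property is available in your tenant.
# Read it before changing it, because once enabled every vendor that relies on
# Direct Send needs its own allow path.
Get-OrganizationConfig | Select-Object RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true
```

The rule is deliberately narrower than "block everything from our domain": the FromScope and SPF conditions together target mail that was neither submitted through an authenticated connection nor from an IP our SPF record vouches for, and the IP exception is what keeps the Constant Contact/Zendesk/Shopify-style senders flowing. Running it in Audit mode first and reading the audit hits from message trace before enforcing is the cheapest way to find a vendor range you forgot.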