When will you allow changing the MX record for *.onmicrosoft.com domains?
This is a major issue for organizations that want to use third-party services as an MX receiver.
Using the onmicrosoft.com domain externally is not a good idea, but some things just happened organically many years ago.
Why is it that some Microsoft-generated notifications completely ignore the MX record and instead are just submitted into the mailbox with a MAPI action?
This includes:
Planner comments (which can be identified via the header X-MS-TrafficTypeDiagnostic containing "EE_PlannerComment")
Teams/Skype voicemail notifications (which can be identified via the header X-MS-TrafficTypeDiagnostic containing "EE_FirstParty-Skype")
You say it is so easy to secure email delivery when using an external MX record: just make a connector from my MX service and reject everything else.
In this case, all the legitimate traffic listed above will be blocked.
This means we cannot "block everything else" and instead have to use transport rules to selectively relay traffic to the external MX provider.
These rules must have all sorts of crazy rules and exceptions.
The inconsistency of your services is part of the reason why securing Exchange Online is not easy.
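The kind of selective relay rule the post describes, written out as an added example (this is not the poster's own configuration or anything Microsoft publishes). It assumes an Exchange Online tenant, the ExchangeOnlineManagement module, and an existing outbound connector named "To-External-MX-Provider" (a hypothetical name) that delivers to the third-party MX service; the header name and the two marker values are the ones the post lists.

```powershell
# Added example, not from the original post. Assumed: Exchange Online,
# the ExchangeOnlineManagement module, and an outbound connector called
# "To-External-MX-Provider" (hypothetical name) that sends to the third-party MX.
Connect-ExchangeOnline

# First-party notification traffic that the post says bypasses MX,
# identified by the X-MS-TrafficTypeDiagnostic header values it lists.
$firstPartyMarkers = @("EE_PlannerComment", "EE_FirstParty-Skype")

# Relay every message that originates outside the organization to the external
# MX provider, except the first-party notifications identified above.
# Start in Audit mode so the rule is only logged, not enforced.
New-TransportRule -Name "Relay inbound mail to external MX provider" `
    -FromScope NotInOrganization `
    -RouteMessageOutboundConnector "To-External-MX-Provider" `
    -ExceptIfHeaderContainsMessageHeader "X-MS-TrafficTypeDiagnostic" `
    -ExceptIfHeaderContainsWords $firstPartyMarkers `
    -Mode Audit

# Check: read the rule back and confirm the scope, connector and exceptions
# before switching it to -Mode Enforce with Set-TransportRule.
Get-TransportRule -Identity "Relay inbound mail to external MX provider" |
    Format-List Name, State, Mode, FromScope, RouteMessageOutboundConnector,
                ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords
```

The exception keys only on a header value, so while the rule is still in Audit mode it is worth reviewing message traces (Get-MessageTrace) for the messages that hit the exception and confirming they are all the notification types the post describes; anything else that matches is a sign the exception needs tightening with additional sender conditions before the rule is enforced.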