Blog Post

Exchange Team Blog
8 MIN READ

Introducing more control over Direct Send in Exchange Online

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Apr 28, 2025

Update 8/12/2025: Added the FAQ to the post. Also, to help shed more light on the Direct Send feature, we published a newer post called Direct Send vs sending directly to an Exchange Online tenant.

Direct Send is a method used to send emails directly to an Exchange Online customer’s hosted mailboxes from on-premises devices, applications, or third-party cloud services using the customer’s own accepted domain. This method does not require any form of authentication because, by its nature, it mimics incoming anonymous emails from the internet, apart from the sender domain.

The Direct Send method assumes that customers have properly configured SPF, DKIM, and DMARC for their tenants. It is critical that an administrator updates their SPF record by adding the source IP address where the device, application, or third-party service will send from to prevent emails from being flagged as spam. If SPF is not properly configured, any email sent using Direct Send will likely be flagged as spam.

While SPF provides protection from spoofing of your domains, we recommend customers use a Soft Fail SPF configuration due to the possibility of valid routing scenarios falling foul of SPF failures. As such, no feature existed to block Direct Send traffic for the many customers who have no need to use it. To this end we have developed the Reject Direct Send setting for Exchange Online and are announcing the Public Preview for this feature today.  

Reject Direct Send setting

By its definition, Reject Direct Send covers anonymous messages sent from your own domain to your organization’s mailboxes. Enabling this setting will block any email sent to your tenant that is sent anonymously using an address that matches one of your accepted domains. The sending domain being an accepted domain in your tenant is a straightforward and easy condition to evaluate. For the sending domain, we are talking specifically about the P1 Mail From envelope sender address here. The P2 From header is not checked by this feature. “Anonymous” in this context means that the messages are not attributed to any mail flow connector when they are sent to Exchange Online.

Direct Send traffic may include 3rd party services that you have given permission to use your domain or one of your own email applications hosted on-premises. To avoid having these messages rejected when this feature is enabled, they need to be authenticated.  This is done by creating a partner mail flow connector that matches the certificate (recommended) or IPs used to send the messages.  Learn more about partner connectors here: Configure mail flow using connectors in Exchange Online.

Admins may currently not be tracking all senders who currently use Direct Send, but a good place to start would be with your domain’s SPF record. Any senders using Direct Send without being a part of the accepted domain’s SPF record will already be having a tough time getting messages delivered successfully into recipients’ inboxes.

How to enable this setting

By default, the new opt-in RejectDirectSend setting is set to False.  To enable the Reject Direct Send feature, Exchange Online administrators can run the following PowerShell cmdlet:

Set-OrganizationConfig -RejectDirectSend $true

The change should propagate out to our entire service within 30 minutes. With the feature enabled, any received Direct Send messages will see the following message:

550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources

Unless Direct Send is re-enabled again, any messages that hit this error will need a partner connector created to authenticate their source as an approved sender.

Public Preview and Release Roadmap

This feature is being released as a Public Preview for admins to test and provide feedback. Some customers may not have the confidence to enable it due to a lack of tracking of Direct Send senders to their organization. Feedback including feature requests and bug reports may be sent to the follow address: directsend-feedback[AT]microsoft.com. Note: Feedback submitted here will not receive a reply. If you need to engage us with questions or issues regarding the feature, please comment below or go through the regular support channels.

You can also use the Exchange Online Feedback Portal to submit feature requests that other customers can then vote on. This avenue provides us with an extra layer of information to help make decisions on features.

We are working on creating a report for Direct Send traffic that admins can use to get an overview of what traffic will be impacted. This will make it easier for admins to identify and act on any legitimate traffic and enable the feature with confidence. We will provide updates here for that work. There is no fixed date for General Availability (GA) of this feature as it will depend on the feedback received. A separate communication will be sent out to announce GA.

We also plan to enable this feature in the future for new tenants by default. This is part of our effort to make your organizations more secure by default. Note that the plan includes new tenants being unable to disable this feature as we move to deter use of unauthenticated Direct Send traffic.

Known Issues

  • There is a forwarding scenario that could be affected by this feature. It is possible that someone in your organization sends a message to a 3rd party and they in turn forward it to another mailbox in your organization. If the 3rd party’s email provider does not support Sender Rewriting Scheme (SRS), the message will return with the original sender’s address. Prior to this feature being enabled, those messages will already be punished by SPF failing but could still end up in inboxes. Enabling the Reject Direct Send feature without a partner mail flow connector being set up will lead to these messages being rejected outright.
  • If you are using the Azure Communication Services (ACS) to send emails to your tenant, and if those emails are sent using a “MAIL FROM” address that is one of your Microsoft 365 accepted domains, enabling RejectDirectSend would block those emails sent to your Microsoft 365 tenant. A solution to treat ACS traffic as trusted with respect to the Reject Direct Send setting has been completed and is rolling out to our service. This functionality should be available worldwide by November 1, 2025.  In case the domains used to send emails from ACS are not one of the Microsoft 365 accepted domains or sub-domains, enabling RejectDirectSend should not have an impact on ACS traffic. If ACS email traffic is using an Exchange Online domain where the MX is pointed to a 3rd party service, please refer to the FAQ’s below, which provide instructions on mail connectors required to enable traffic in Exchange Online. 

Conclusion

We invite Exchange admins to try out the feature and provide feedback that we can use to validate it and proceed to offering this feature for General Availability.

FAQs

Must all customers enable the -RejectDirectSend parameter to consider themselves protected?
No. This parameter joins many layers of protection in Microsoft 365. It gives customers the strict ability to outright reject incoming Direct Send traffic they have not approved. With a properly configured tenant and domain, spoofed emails will fall foul of existing authentication checks that are in place to deflect suspicious messages away from inboxes to junk folders or quarantine depending on settings. It is still true that without this layer your tenant is adequately protected against messages spoofing your own domains. Even with this setting enabled, those existing protection mechanisms are relied on to protect your mailboxes from other 3rd party domain spoofing that is not considered Direct Send.

Customers who have pointed their MXes elsewhere should have already followed the advice here: Mail flow best practices when using a third-party cloud service with Exchange Online. All customers should be following the recommendations in Anti-spoofing protection for cloud mailboxes to protect them from spoofing.

Does the RejectDirectSend setting work even when the MX is pointed to a 3rd party service?
Yes, it works when the MX is pointed to a 3rd party service or when it is directly pointed to Exchange Online; there is no dependency on MX location. However, the recommended configuration when your MX points elsewhere is to have a connector is set up to receive the traffic from that service and exclude other traffic. With the recommended tenant configuration of a connector only allowing the 3rd party service traffic, there is no possibility of unauthenticated Direct Send traffic reaching you and the Reject setting will never be utilized.

The MX record of our domain is pointing to a 3rd party service, and someone is directly sending email to our tenant bypassing the MX. Will -RejectDirectSend setting help us lock down our Exchange Online tenant to only accept mail from your third-party service?
No, -RejectDirectSend will only reject emails where the P1 sending domain (envelope sender), is an accepted domain in the tenant unless these are attributed to a configured Inbound connector.

If you do not want anyone to bypass your MX which is pointed to a 3rd party service, you can achieved this by creating an Inbound connector as recommended on step 4 in the support article mail flow best practices when using a third-party cloud service with Exchange Online using either TlsSenderCertificateName (preferred) or SenderIpAddresses parameters (you need to mention the Certificate presented by the 3rd party or the IP Address of the 3rd party), then set the corresponding RestrictDomainsToCertificate or RestrictDomainsToIPAddresses parameters to $True. With this configured, only mail that passes through the inbound connector is allowed into your tenant, otherwise it will be rejected. To know more, please refer to Direct Send vs sending directly to an Exchange Online tenant.

We enabled -RejectDirectSend and created inbound connector for our partner that needs to send from our accepted domain. How can we confirm if the email from the partner is really attributing to that connector?
To see if the email from the partner is attributed to the connector, you can send a test email from the partner and run the following command (give it some time after sending the email so that the data is populated)

Get-MessageTracev2 -MessageId "your message ID here" | Get-MessageTraceDetailv2 | fl

In the output, you should be able to see the connector name similar to the following:

You can also see the connector name under email entity page (it will show the GUID of the connector).

We enabled RejectDirectSend, but the 3rd party vendor that needs to send from our accepted domain doesn't have static IP ranges or a dedicated certificate that we can associate with a connector. How can we block the Direct Send but also allow this 3rd party vendor to send email to our users using our accepted domain?
If the 3rd party vendor doesn’t have IP ranges or a dedicated certificate, or you need more customization, you might consider using a Transport rule to quarantine or redirect Direct Send instead of blocking at the org config using RejectDirectSend setting. With a Transport rule, you could add exceptions specific to the 3rd party vendors. For example, if the 3rd party vendors stamp a unique X-header you could use that. Here is an example of similar transport rule:

  • If the message is received from ‘Outside the Organization’ and the sender domain is ‘contoso.com’ deliver to hosted quarantine
  • Except if the message headers (add header and value).

(You can add any other action instead of quarantine)

What permission is required to set the RejectDirectSend parameter under organization config (Set-OrganizationConfig -RejectDirectSend $true/$false)
Editing the setting requires an administrator with the role "Organization Configuration" assigned.

How does RejectDirectSend affect P1 sending domain addresses that are a subdomain of an accepted domain?
-RejectDirectSend will impact email from P1 address that is a subdomain of an Accepted Domain, if that Accepted Domain has "Accept mail for all subdomains" enabled (MatchSubDomains=TRUE).

 

Changes to this post:

  • 10/6/2025: Added more detail about treating ACS traffic as 'trusted'
  • 8/29/2025: Added a subdomain of accepted domain FAQ
  • 8/12/2025: Added another known issue and FAQ to the post
  • 8/4/2025: added a reference to What is Direct Send and how to secure it
  • 7/30/2025: made a few clarifications in the text based on frequently asked questions in comments.

Microsoft 365 Messaging Team

Updated Oct 06, 2025
Version 13.0

121 Comments

  • FuriousHaggis's avatar
    FuriousHaggis
    Brass Contributor

    Please provide an update as to how we can accurately search for Direct Send emails in our environments. We have reletively complicated routing with hybrid setup and 3rd party gateway at MX using inbound connectors and have had issues with tenant attribution and directionality in the past. A report in the EAC would be nice, a KQL query would do! Thanks.

  • BoundPlanet's avatar
    BoundPlanet
    Copper Contributor

    Greetings - Do you have any news, notes, commentary, or words to the wise regarding mitigating threat actors abusing the Direct Send feature? Is there any anticipated holistic action on Microsoft's part to address the issue? The ability to bypass filtering mechanisms and other safeguards feels like a fairly significant problem given that a great number of domains have had no attention given to SPF, DKIM, or DMARC, nor do many tenants have any security configuration beyond the defaults in place.

    It reminds me a bit of when logging was not a default feature, and legacy tenants had no logging. If you were lucky enough to know about this BEFORE it was an issue, you were golden. Else, you are sorta out of luck.

    https://www.varonis.com/blog/direct-send-exploit

    • Arindam_Thokder's avatar
      Arindam_Thokder
      Icon for Microsoft rankMicrosoft

      Hello Choseph​ - does the account has permission to run the command? To eliminate any Permission and RBAC issue, can you try running the command using a global admin account? 

  • Get-OrganizationConfig | fl *directsend*

    RejectAnonymousDirectSend : False
    RejectDirectSend          : True

    But you can only set the Parameter -RejectDirectSend.

    What is the RejectAnonymousDirectSend and why can't it be set via PowerShell?

    Kind Regards
    Andres

    • Arindam_Thokder's avatar
      Arindam_Thokder
      Icon for Microsoft rankMicrosoft

      RejectAnonymousDirectSend was an old name of the attribute. It does not work now and will be deprecated.

  • jvanbeusekom's avatar
    jvanbeusekom
    Brass Contributor

    Since it is now able to classify Direct Send connections separately from regular inbound SMTP mail, will there also be reporting or logging capabilities available to administrators to view which devices or IP addresses are using Direct Send? This would be very useful for auditing and security monitoring, and if it can be turned off or not. 

    • Matthias Kirsch's avatar
      Matthias Kirsch
      Copper Contributor

      That would be really useful and necessary to prepare properly. Would be highly appreciated if you could make a statement on that, thanks!

      • SeanMSFT's avatar
        SeanMSFT
        Icon for Microsoft rankMicrosoft

        As mentioned in the post: "We are working on delivering features to provide optics for what Direct Send traffic is coming into your organizations." over and above regular Message Trace queries.

  • CLAMSA's avatar
    CLAMSA
    Copper Contributor

    So, are we saying today anyone spoof accepted domain with direct send to exchange online? I understand most email for accepted domains is allowed thru anonymous channel, but for email to be send with accepted domain thru Exchange Online don't we have to come in Authenticated?

  • Hi,

    please, what is the behavior if P1 (Mail From) domain is SPF verified (but not accepted domain) and P2 (From) domain is different and accepted domain?

    Thanks. Raffa!

      • RaffaColavecchi-MVP's avatar
        RaffaColavecchi-MVP
        Iron Contributor

        Thanks for answer so...

        This "new feature" it's similar to this flag into Inbound antispam policy: "SPF record: hard fail" but only for accepted domain.

        It's more understandable to have one more flag: "SPF record: hard fail for accepted domain".

         

        But with this new feature we can't solve a real problem: an attacker can send a spoofed email with P1 domain SPF verified and P2 accepted domain. The email doesn't enter inside internal mailbox (thanks to honor DMARC policy) but why this malicious email will be forwarded to external recipients?

         

        Can we have the option: RejectDMARCalways $true    😅

        Thanks.