Blog Post

Exchange Team Blog
8 MIN READ

Introducing more control over Direct Send in Exchange Online

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Apr 28, 2025

Update 8/12/2025: Added the FAQ to the post. Also, to help shed more light on the Direct Send feature, we published a newer post called Direct Send vs sending directly to an Exchange Online tenant.

Direct Send is a method used to send emails directly to an Exchange Online customer’s hosted mailboxes from on-premises devices, applications, or third-party cloud services using the customer’s own accepted domain. This method does not require any form of authentication because, by its nature, it mimics incoming anonymous emails from the internet, apart from the sender domain.

The Direct Send method assumes that customers have properly configured SPF, DKIM, and DMARC for their tenants. It is critical that an administrator updates their SPF record by adding the source IP address where the device, application, or third-party service will send from to prevent emails from being flagged as spam. If SPF is not properly configured, any email sent using Direct Send will likely be flagged as spam.

While SPF provides protection from spoofing of your domains, we recommend customers use a Soft Fail SPF configuration due to the possibility of valid routing scenarios falling foul of SPF failures. As such, no feature existed to block Direct Send traffic for the many customers who have no need to use it. To this end we have developed the Reject Direct Send setting for Exchange Online and are announcing the Public Preview for this feature today.  

Reject Direct Send setting

By its definition, Reject Direct Send covers anonymous messages sent from your own domain to your organization’s mailboxes. Enabling this setting will block any email sent to your tenant that is sent anonymously using an address that matches one of your accepted domains. The sending domain being an accepted domain in your tenant is a straightforward and easy condition to evaluate. For the sending domain, we are talking specifically about the P1 Mail From envelope sender address here. The P2 From header is not checked by this feature. “Anonymous” in this context means that the messages are not attributed to any mail flow connector when they are sent to Exchange Online.

Direct Send traffic may include 3rd party services that you have given permission to use your domain or one of your own email applications hosted on-premises. To avoid having these messages rejected when this feature is enabled, they need to be authenticated.  This is done by creating a partner mail flow connector that matches the certificate (recommended) or IPs used to send the messages.  Learn more about partner connectors here: Configure mail flow using connectors in Exchange Online.

Admins may currently not be tracking all senders who currently use Direct Send, but a good place to start would be with your domain’s SPF record. Any senders using Direct Send without being a part of the accepted domain’s SPF record will already be having a tough time getting messages delivered successfully into recipients’ inboxes.

How to enable this setting

By default, the new opt-in RejectDirectSend setting is set to False.  To enable the Reject Direct Send feature, Exchange Online administrators can run the following PowerShell cmdlet:

Set-OrganizationConfig -RejectDirectSend $true

The change should propagate out to our entire service within 30 minutes. With the feature enabled, any received Direct Send messages will see the following message:

550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources

Unless Direct Send is re-enabled again, any messages that hit this error will need a partner connector created to authenticate their source as an approved sender.

Public Preview and Release Roadmap

This feature is being released as a Public Preview for admins to test and provide feedback. Some customers may not have the confidence to enable it due to a lack of tracking of Direct Send senders to their organization. Feedback including feature requests and bug reports may be sent to the follow address: directsend-feedback[AT]microsoft.com. Note: Feedback submitted here will not receive a reply. If you need to engage us with questions or issues regarding the feature, please comment below or go through the regular support channels.

You can also use the Exchange Online Feedback Portal to submit feature requests that other customers can then vote on. This avenue provides us with an extra layer of information to help make decisions on features.

We are working on creating a report for Direct Send traffic that admins can use to get an overview of what traffic will be impacted. This will make it easier for admins to identify and act on any legitimate traffic and enable the feature with confidence. We will provide updates here for that work. There is no fixed date for General Availability (GA) of this feature as it will depend on the feedback received. A separate communication will be sent out to announce GA.

We also plan to enable this feature in the future for new tenants by default. This is part of our effort to make your organizations more secure by default. Note that the plan includes new tenants being unable to disable this feature as we move to deter use of unauthenticated Direct Send traffic.

Known Issues

  • There is a forwarding scenario that could be affected by this feature. It is possible that someone in your organization sends a message to a 3rd party and they in turn forward it to another mailbox in your organization. If the 3rd party’s email provider does not support Sender Rewriting Scheme (SRS), the message will return with the original sender’s address. Prior to this feature being enabled, those messages will already be punished by SPF failing but could still end up in inboxes. Enabling the Reject Direct Send feature without a partner mail flow connector being set up will lead to these messages being rejected outright.
  • If you are using the Azure Communication Services (ACS) to send emails to your tenant, and if those emails are sent using a “MAIL FROM” address that is one of your Microsoft 365 accepted domains, enabling RejectDirectSend would block those emails sent to your Microsoft 365 tenant. A solution to treat ACS traffic as trusted with respect to the Reject Direct Send setting has been completed and is rolling out to our service. This functionality should be available worldwide by November 1, 2025.  In case the domains used to send emails from ACS are not one of the Microsoft 365 accepted domains or sub-domains, enabling RejectDirectSend should not have an impact on ACS traffic. If ACS email traffic is using an Exchange Online domain where the MX is pointed to a 3rd party service, please refer to the FAQ’s below, which provide instructions on mail connectors required to enable traffic in Exchange Online. 

Conclusion

We invite Exchange admins to try out the feature and provide feedback that we can use to validate it and proceed to offering this feature for General Availability.

FAQs

Must all customers enable the -RejectDirectSend parameter to consider themselves protected?
No. This parameter joins many layers of protection in Microsoft 365. It gives customers the strict ability to outright reject incoming Direct Send traffic they have not approved. With a properly configured tenant and domain, spoofed emails will fall foul of existing authentication checks that are in place to deflect suspicious messages away from inboxes to junk folders or quarantine depending on settings. It is still true that without this layer your tenant is adequately protected against messages spoofing your own domains. Even with this setting enabled, those existing protection mechanisms are relied on to protect your mailboxes from other 3rd party domain spoofing that is not considered Direct Send.

Customers who have pointed their MXes elsewhere should have already followed the advice here: Mail flow best practices when using a third-party cloud service with Exchange Online. All customers should be following the recommendations in Anti-spoofing protection for cloud mailboxes to protect them from spoofing.

Does the RejectDirectSend setting work even when the MX is pointed to a 3rd party service?
Yes, it works when the MX is pointed to a 3rd party service or when it is directly pointed to Exchange Online; there is no dependency on MX location. However, the recommended configuration when your MX points elsewhere is to have a connector is set up to receive the traffic from that service and exclude other traffic. With the recommended tenant configuration of a connector only allowing the 3rd party service traffic, there is no possibility of unauthenticated Direct Send traffic reaching you and the Reject setting will never be utilized.

The MX record of our domain is pointing to a 3rd party service, and someone is directly sending email to our tenant bypassing the MX. Will -RejectDirectSend setting help us lock down our Exchange Online tenant to only accept mail from your third-party service?
No, -RejectDirectSend will only reject emails where the P1 sending domain (envelope sender), is an accepted domain in the tenant unless these are attributed to a configured Inbound connector.

If you do not want anyone to bypass your MX which is pointed to a 3rd party service, you can achieved this by creating an Inbound connector as recommended on step 4 in the support article mail flow best practices when using a third-party cloud service with Exchange Online using either TlsSenderCertificateName (preferred) or SenderIpAddresses parameters (you need to mention the Certificate presented by the 3rd party or the IP Address of the 3rd party), then set the corresponding RestrictDomainsToCertificate or RestrictDomainsToIPAddresses parameters to $True. With this configured, only mail that passes through the inbound connector is allowed into your tenant, otherwise it will be rejected. To know more, please refer to Direct Send vs sending directly to an Exchange Online tenant.

We enabled -RejectDirectSend and created inbound connector for our partner that needs to send from our accepted domain. How can we confirm if the email from the partner is really attributing to that connector?
To see if the email from the partner is attributed to the connector, you can send a test email from the partner and run the following command (give it some time after sending the email so that the data is populated)

Get-MessageTracev2 -MessageId "your message ID here" | Get-MessageTraceDetailv2 | fl

In the output, you should be able to see the connector name similar to the following:

You can also see the connector name under email entity page (it will show the GUID of the connector).

We enabled RejectDirectSend, but the 3rd party vendor that needs to send from our accepted domain doesn't have static IP ranges or a dedicated certificate that we can associate with a connector. How can we block the Direct Send but also allow this 3rd party vendor to send email to our users using our accepted domain?
If the 3rd party vendor doesn’t have IP ranges or a dedicated certificate, or you need more customization, you might consider using a Transport rule to quarantine or redirect Direct Send instead of blocking at the org config using RejectDirectSend setting. With a Transport rule, you could add exceptions specific to the 3rd party vendors. For example, if the 3rd party vendors stamp a unique X-header you could use that. Here is an example of similar transport rule:

  • If the message is received from ‘Outside the Organization’ and the sender domain is ‘contoso.com’ deliver to hosted quarantine
  • Except if the message headers (add header and value).

(You can add any other action instead of quarantine)

What permission is required to set the RejectDirectSend parameter under organization config (Set-OrganizationConfig -RejectDirectSend $true/$false)
Editing the setting requires an administrator with the role "Organization Configuration" assigned.

How does RejectDirectSend affect P1 sending domain addresses that are a subdomain of an accepted domain?
-RejectDirectSend will impact email from P1 address that is a subdomain of an Accepted Domain, if that Accepted Domain has "Accept mail for all subdomains" enabled (MatchSubDomains=TRUE).

 

Changes to this post:

  • 10/6/2025: Added more detail about treating ACS traffic as 'trusted'
  • 8/29/2025: Added a subdomain of accepted domain FAQ
  • 8/12/2025: Added another known issue and FAQ to the post
  • 8/4/2025: added a reference to What is Direct Send and how to secure it
  • 7/30/2025: made a few clarifications in the text based on frequently asked questions in comments.

Microsoft 365 Messaging Team

Updated Oct 06, 2025
Version 13.0

121 Comments