Forum Discussion

IBN22's avatar
IBN22
Copper Contributor
Oct 11, 2025

We have set RejectDirectSend to true

Hello Please i need your help on this issue. We have set RejectDirectSend to true, but it is still possible to send mail anonymously through tenant Last Friday 3 oct 2025 we configured the tenant ...
exchange online
Zohaib_Yousuf's avatar
Zohaib_Yousuf
MCT
Nov 30, 2025

Hi,

RejectDirectSend = $true does NOT block SMTP AUTH, MX inbound, or anonymous mail over the MX.

The RejectDirectSend setting only blocks unauthenticated outbound relay FROM your own Microsoft 365 tenant when using:

smtp.office365.com
port 25 or 587, no auth

It does NOT block mail coming into your tenant using the MX endpoint:
<tenant>.mail.protection.outlook.com

 

Because the MX endpoint must accept anonymous SMTP traffic—it's how email works on the internet.

Therefore:

Spoofing via MX is STILL POSSIBLE even with RejectDirectSend = True

And this is expected and cannot be blocked using that setting.

 

How SPF validation actually works

When someone sends mail from outside to your MX but spoofs @yourdomain.com, Microsoft 365 will:

Accept the connection anonymously (required)

Apply inbound anti-spoofing:

  • SPF
  • DKIM
  • DMARC
  • ARC
  • Composite Authentication

If you have DMARC = none, spoofing WILL be delivered.
If you have DMARC = quarantine or reject, spoofing WILL be blocked.

So the real fix is DMARC enforcement not RejectDirectSend.

Resources