Forum Discussion
We have set RejectDirectSend to true
Hello
Please i need your help on this issue.
We have set RejectDirectSend to true, but it is still possible to send mail anonymously through tenant
Last Friday 3 oct 2025 we configured the tenant not to allow DirectSend from anonymous sources by setting the RejectDirectSend value to true using Powershell command.
When we check the status with the Get-command it looks like it is set but it is not working - it is still possible to spoof emails by sending through the mx record as anonymous.
1 Reply
Hi,
RejectDirectSend = $true does NOT block SMTP AUTH, MX inbound, or anonymous mail over the MX.
The RejectDirectSend setting only blocks unauthenticated outbound relay FROM your own Microsoft 365 tenant when using:
smtp.office365.com
port 25 or 587, no authIt does NOT block mail coming into your tenant using the MX endpoint:
<tenant>.mail.protection.outlook.comBecause the MX endpoint must accept anonymous SMTP traffic—it's how email works on the internet.
Therefore:
Spoofing via MX is STILL POSSIBLE even with RejectDirectSend = True
And this is expected and cannot be blocked using that setting.
How SPF validation actually works
When someone sends mail from outside to your MX but spoofs @yourdomain.com, Microsoft 365 will:
Accept the connection anonymously (required)
Apply inbound anti-spoofing:
- SPF
- DKIM
- DMARC
- ARC
- Composite Authentication
If you have DMARC = none, spoofing WILL be delivered.
If you have DMARC = quarantine or reject, spoofing WILL be blocked.So the real fix is DMARC enforcement not RejectDirectSend.
