Customizable Recipient Limits in Office 365
Published Feb 19 2020 01:50 PM

In 1997 Exchange introduced the Recipient Limits setting on user mailboxes. This limits the total number of recipients to which a user can send a single message (the total number of recipients added to the To, CC, and BCC lines of a message). By default, in the Office 365 multi-tenant service this is set to 500 for all mailboxes, and prior to January 2020 customers couldn’t change this setting.

Some email admins want to increase the recipient limit for a handful of mailboxes (for example, to support recurring mailings like end-of-the-month billing statements), while others want to reduce the recipient limit, say to 50 or 20, as a way to better protect against potential spam-like abuse from rogue employees or hacked email accounts. While the Exchange Online Protection service (part of Office 365) already includes features to help detect abuse by a rogue employee or a hacked email account, making recipient limits customizable by the email admin is another option admins can use as part of a defense-in-depth strategy to help improve the security posture of their organization.

Office 365 tenant admins can now customize the Recipient Limits setting from 1 to 1000. Admins can make changes either via Remote PowerShell (RPS) or via the Exchange Admin Center (EAC). The full complement of customization capabilities is available via RPS, while a subset of those is available in the Exchange Admin Center.

Customizing Recipient Limits via Remote PowerShell

Using Remote PowerShell an admin can perform the following updates for recipient limits:

  • Update a single mailbox
  • Update multiple mailboxes
  • Update the default for new mailboxes created in the future
  • New! Update the tenant level setting

Below are examples for how to do this.

Update a single mailbox

Set-Mailbox kimakers@contoso.com -RecipientLimits 20

Update multiple mailboxes

(Get-Mailbox -ResultSize Unlimited | where {$_.RecipientTypeDetails -ne "DiscoveryMailbox"}) | % {Set-Mailbox $_.Identity -RecipientLimits 10}

Update the default for new mailboxes created in the future (all plans)

Get-MailboxPlan | Set-MailboxPlan -RecipientLimits 50

 
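An added example, not from the original post: a dry-run planner for the tiered approach described above (a low limit for most mailboxes, a higher one for a few bulk senders). The function name, the $BulkSenders list, the limit values and the sample mailbox objects are assumptions made for illustration.

```powershell
# Added example (not from the original post). Get-RecipientLimitPlan,
# $BulkSenders and the sample mailboxes are constructed for illustration.
function Get-RecipientLimitPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Mailboxes,
        [string[]] $BulkSenders = @(),
        [ValidateRange(1, 1000)] [int] $DefaultLimit = 50,
        [ValidateRange(1, 1000)] [int] $BulkLimit = 1000
    )
    foreach ($mbx in $Mailboxes) {
        # Same exclusion as the bulk-update one-liner in the post.
        if ($mbx.RecipientTypeDetails -eq 'DiscoveryMailbox') { continue }

        $address = "$($mbx.PrimarySmtpAddress)"
        $target  = if ($BulkSenders -contains $address) { $BulkLimit } else { $DefaultLimit }

        # RecipientLimits is a number or 'Unlimited', so compare as strings.
        $current = "$($mbx.RecipientLimits)"
        if ($current -ne "$target") {
            # Emit only the mailboxes whose limit would actually change.
            [pscustomobject]@{ Identity = $address; Current = $current; Target = $target }
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'billing@contoso.com';   RecipientTypeDetails = 'SharedMailbox';    RecipientLimits = '500' }
    [pscustomobject]@{ PrimarySmtpAddress = 'kimakers@contoso.com';  RecipientTypeDetails = 'UserMailbox';      RecipientLimits = '500' }
    [pscustomobject]@{ PrimarySmtpAddress = 'frontdesk@contoso.com'; RecipientTypeDetails = 'UserMailbox';      RecipientLimits = '50' }
    [pscustomobject]@{ PrimarySmtpAddress = 'discovery@contoso.com'; RecipientTypeDetails = 'DiscoveryMailbox'; RecipientLimits = 'Unlimited' }
)

# Review the planned changes before touching any mailbox.
$plan = Get-RecipientLimitPlan -Mailboxes $sample -BulkSenders 'billing@contoso.com'
$plan | Format-Table -AutoSize

# Against a live tenant, feed real mailboxes in and preview with -WhatIf first:
# $plan = Get-RecipientLimitPlan -Mailboxes (Get-Mailbox -ResultSize Unlimited) -BulkSenders 'billing@contoso.com'
# $plan | ForEach-Object { Set-Mailbox $_.Identity -RecipientLimits $_.Target -WhatIf }
```

Re-running the planner after the change should return nothing, which makes it usable as a periodic drift check on the limits.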

Customizing Recipient Limits for a Single Mailbox in the Classic Exchange Admin Center (EAC)

In the classic EAC admins can customize the Recipient Limits from 1 to 1000 for individual mailboxes. The Recipient limit setting can be found in Recipients > Mailboxes > Mailbox Features > Mail Flow > View details.


Customizing Recipient Limits for Multiple Mailboxes in the Modern EAC

While the classic EAC only offers email admins the ability to customize the recipient limit for one mailbox at a time, the modern EAC (currently in preview) offers admins the ability to bulk edit multiple mailboxes at a time.

From the Recipients option in the left navigation bar, select the more options (. . .) menu item, and from the fly-out menu select Set recipient limit.

At the time of this writing the modern EAC is still a work in progress and not yet automatically exposed to tenant admins. However, once a tenant admin has logged into the Office 365 portal they can access the modern EAC, and the feature to bulk edit recipient limits, by entering the following URL into their browser’s address bar: https://admin.exchange.microsoft.com/#/mailboxes.

While customizable Recipient Limits might not possess the exciting pizazz of a bright and shiny new major feature in Office 365, giving tenant admins the ability to control this setting is just one example of how we’ll continue to work to give admins more “knobs and dials” that they can use to better control and protect their organization’s email.

The Exchange Team

26 Comments

OK, using client-side filters, shame on you!

Copper Contributor

Go easy on them @Vasil Michev :)

Copper Contributor

Finally this feature is enabled in Exchange Online and is very useful. Thanks 

Brass Contributor

I doubt the efficiency of this feature to expand the limitation. Is it possible to send an email to so many recipients, even 500 recipients (default limitation number), without being identified as a SPAM sender by various Office 365 security functions?

 

Copper Contributor

Hello @TakuyaHirose 

As per my observation and experience working in this related field, a user sending even 50 mails is also treated as spam.

In on-premises Exchange, we can modify the recipients' limit, but in Exchange Online there is a default limit of 500. Why Microsoft made the default 500, I don't know. But now it's better to modify it, and it needs to be decreased for security purposes.

If we can send mail to even up to 500 recipients without spam, it will be the best solution for bulk mail.

Copper Contributor

Good news, but this limit is still far from expectation.

For instance, HR can't address email to all the users of our tenant (about 17.000) for legitimate announcements or important communication....

 

 

Copper Contributor

 This could perhaps be out of scope for this, but how can I limit the amount of e-mail sent OUT.

 

An example is internal to internal spam- when they hit the limit they're restricted. How can I lower their limit so they're restricted sooner to limit the scope of their attacks? 

Copper Contributor

Hi,

Is it possible to change it to "unlimited"? Because I see unlimited options for a few mailboxes already.

 

Thanks

matejs88

Steel Contributor

"Unlimited" in this case would translate 400 (used to be 500, before it was silently lowered to 400) to 1000 (the new default, up from the old default of 500).

 

Can't imagine why 0 isn't allowed, instead we can only go as low as 1.  It's a miss for sure. 

 

EDIT:  My bad, the 400 is Recipient ProxyAddress limit.  The new RecipientLimit default is 1000, which is double the previous of 500, so I have no complaints there, sorry for the misinfo in my first sentence.

Copper Contributor

From a few talks with MS, it varies on the user and the campaign being sent. I had two users, both compromised, and each sent about 9K spam e-mails. One got off their 9K in about 2 minutes, the other was restricted from sending. It was the same email (content and subject).

 

Why one was flagged and the other was not is beyond me, and I was told those limits are like guidelines. They can still send more, much more, quickly, just something flagged the other one and restricted the user, but the other one was...fine? Eh. 

Microsoft

@abhounyo

 

If you are trying to send to 17,000 users from a single message, you could try using a distribution list.   That only counts as one recipient.  A moderated DL or one with sending restrictions will also mitigate any "reply-all" storms you might encounter.

Copper Contributor

From a GDPR perspective it would be useful to be able to specify different limits for To, Cc and Bcc. The reason for this is that many external addresses in To and Cc might pose a privacy incident if the subject/body has a medical context. For instance, with a mail to a medical support group, if the recipient sees other e-mail addresses, they might infer that those people suffer from the same illness. The best way to avoid this is to use the Bcc field for those e-mails (apart from using a mailing list). So we would like to keep To and Cc numbers low, while the Bcc number can be large.

Bronze Contributor

Hi @beamzer,

 

Using the RestrictExtRecips tool you can limit only TO:/CC: recipients.

Copper Contributor

I don't have those buttons in my modern EAC exchange admin center:

Set recipients limit and others are missing. Please, guys, suggest anything I should do to get them (I already opened a support ticket at Microsoft but they are not calling me back).

 

Copper Contributor

Same issue for me.

Copper Contributor

As Microsoft never answered me, I hope you'll enjoy my answer, as I had the issue and solved it quite simply.

The trick is quite simple, though I'm surprised no one answered.

Anyhow, here is how to get it:

In the modern EAC you have to first tick the dot at the top of the list so you can select ALL mailboxes.

Once done, you'll get the 3 dots ... and you'll be able to access it.

Copper Contributor

I'm sending an email in a Java program and got the too many recipients error. However, after I set the recipient limit to 1000, I still got the same error. There are 507 recipients and the email can only be sent successfully after I reduce the number of recipients down to 500. Does anyone know why? Thanks in advance.

Copper Contributor

How long does it take for the changes to take effect?

Copper Contributor

In the old days of on-premise Exchange servers, we can set "MessageRateLimit" and "MessageRateLimit" for more detailed management.

However, O365 cannot support these parameters now, hope to restore the functions of these two parameters.

 

Copper Contributor

Hi All

 

How does the above fit in with Outbound SPAM policies in a Hybrid setup?

 

With an outbound spam policy I can set a recipient limit also and set up alert policies to notify admins etc

 

Surely this is the best way as we can target security groups or even an all user group for tenant wide recipient list

 

@amyabul @The_Exchange_Team 

 

Copper Contributor

The recipient limit is unfortunately not helpful for us.  We would like to be able to LOWER the recipient RATE limit on all but a few select mailboxes- accounts have a recipient limit of 500, but the only thing that stops a compromised account is actually the recipient rate limit- we want to be able to set that to 1000 (maybe less) as the average user is not sending more than a few hundred emails a day, it's only those sending campaigns that need to send 10,000 in a day. Can we please modify the recipient RATE limit?

Copper Contributor

Hi All,

I am still having a challenge with the maximum number of emails that can be sent in a day. The cap is 10,000, which to my organisation is way lower. Is it possible to move this figure to 50,000 or 100,000 per day, considering that we are a financial organization and we do send a lot of emails daily to our customers?

I would appreciate your support on this issue.

Brass Contributor

As a college, our student accounts are frequently compromised and used to send phishing attacks against other students.  Setting a recipient limit would not help as each message only has one recipient.  As mentioned above, is there a way to set the message send rate so the bad actor can't send hundreds of messages before the blocked sender feature kicks in?

Brass Contributor

Hi Everyone,

 

I can confirm that the Modern EAC has the same problem as the older version pointed out by @Fred74270 back in 2020. The workaround is slightly different but pretty much the same in operation.

 

I suspect the reason for this is the recipient limit is now a global setting and cannot be set per mailbox anymore. This is annoying and a security hole a mile wide @The_Exchange_Team please take note: I would much rather have specific accounts e.g. sales or marketing or HR set to the larger limit and everyone else shut down to a handful of recipients in case they get compromised. As it stands now I am having to toggle this back to the lower limit after the higher one has been used for a mass mailing.

 

New version workaround as follows. The three dots menu has been removed from the Modern EAC. Selecting all accounts with the first tick box adds a new button "Recipient Limit" to the top row. This will open a dialog box which allows the setting of a recipient limit globally. Mine was blank so I am assuming the global default is 100.

Brass Contributor

In addition to limiting the number of recipients, Microsoft needs to make it easier to limit the rate.  We see compromised accounts that send out hundreds of messages, but with one recipient at a time, so the recipient limit would not help.

Brass Contributor

@rhupf yes very much agreed. I am just going through the settings of our various policies to make sure that happens. 

Version history
Last update: Aug 06 2020 01:30 PM