Sender Rewriting Scheme Upcoming Changes

Published Aug 10 2021 09:12 AM 13.6K Views

The implementation of SRS in Exchange Online has been available for over 2 years now, but it is something we still focus on to ensure that the feature is as comprehensive and concise as possible given the many ways there are to forward messages and different routing scenarios.

There are three upcoming changes in Exchange Online that will affect SRS:

1.     New on-premises connector setting

We are introducing a new SRS parameter on outbound on-premises connectors that allow admins to turn on SRS rewrites for messages using those connectors. Today, traffic to on-premises is not rewritten, as on-premises is considered part of the trust boundary where SPF checks should not take place. With some customers routing traffic out of their on-premises environments to the Internet, this setting provides a solution and traffic can be rewritten if needed. The new setting rolling out now, which can be configured by the New-OutboundConnector or Set-OutboundConnector cmdlets, is SenderRewritingEnabled.

2.     Change in rewriting for SMTP/mailbox forwarding

We are further consolidating our rewriting for message forwarding. Not all forwarded messages are rewritten using SRS today. Messages forwarded with SMTP or mailbox forwarding have their P1 Mail From address replaced with the forwarding mailbox address. This will change to using SRS rewriting instead.

This is a behavior change that may result in some disruptions. For one, SRS does not rewrite messages destined for on-premises while the current rewriting process does. This could cause forwarded messages sent to or via on-premises to be rejected by the final recipient or a filtering device along the way.  The setting in #1 has been provided to fix this gap and allow messages to still be rewritten after this change in behavior. This change is planned to begin rolling out starting October 1st. Our recommendation is that customers routing messages to the Internet via their on-premises servers should proactively enable the new setting on their connectors. You can find out more about SRS here.

3.     Skipping SRS if incoming message did not pass SPF

The rollout of the new relay pool (announced in the Message Center post MC266466) will result in some messages no longer being rewritten. The aim of SRS is to allow a message to pass SPF checks when it is forwarded or relayed to another destination. However, if the message did not pass SPF when it was received by Exchange Online, that result should be preserved. The relay pool rollout will ensure this. The change will also affect spoofed domains (messages sent using non-accepted domains) from on-premises which will be sent via the relay pool to break SPF. For the timeline, please refer to MC266466 and here.

The main effect to look out for with these upcoming changes is that messages leaving the service start getting rejected by the receiving party.

 

--The Exchange Team

8 Comments
Senior Member

Can someone tell me how to enable this feature? Does this feature work for distribution list with on-premises external email?

@triw_ Set-OutboundConnector Name -SenderRewritingEnabled:$true

 

Eventually the parameter is not yet available in your tenant as it is still in rollout phase.

Occasional Visitor

Does this also affect the forwarding set for shared mailboxes?

Occasional Visitor

We would like to understand what changes to the forwarding message headers:

 

today we have the following headers in the message

SMTP fowarding:

X-MS-Exchange-ForwardingLoop:  < this has the forwarding address>

Inbox rule forwarding:

X-MS-Exchange-Inbox-Rules-Loop: <this has the forwarding address>

 

Occasional Visitor

Can MS provide more information on the messages headers and what would change there  with some samples. that would be very helpful

Microsoft

@Rezakgharfara I'd recommend reading the following blog post to get a better understanding of these headers: 

 

Loop Prevention in Exchange Online Demystified - Microsoft Tech Community

Senior Member

Hi @Gregor Schillinger My understanding is the SRS feature will works with on-premises connectors only. Is it possible this feature works for outside organization distribution lists member without create a connector?

@triw_ this is not an on-prem setting. This is for cloudconnectors that route mails from cloud to on-prem via outboundconnectors. 

%3CLINGO-SUB%20id%3D%22lingo-sub-2632829%22%20slang%3D%22en-US%22%3ESender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2632829%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20implementation%20of%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Ftroubleshoot%2Fantispam%2Fsender-rewriting-scheme%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESRS%20in%20Exchange%20Online%3C%2FA%3E%20has%20been%20available%20for%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fsender-rewriting-scheme-srs-coming-to-office-365%2Fba-p%2F607932%22%20target%3D%22_blank%22%3Eover%202%20years%20now%3C%2FA%3E%2C%20but%20it%20is%20something%20we%20still%20focus%20on%20to%20ensure%20that%20the%20feature%20is%20as%20comprehensive%20and%20concise%20as%20possible%20given%20the%20many%20ways%20there%20are%20to%20forward%20messages%20and%20different%20routing%20scenarios.%3C%2FP%3E%0A%3CP%3EThere%20are%20three%20upcoming%20changes%20in%20Exchange%20Online%20that%20will%20affect%20SRS%3A%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--382979017%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%3E1.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20New%20on-premises%20connector%20setting%3C%2FH2%3E%0A%3CP%3EWe%20are%20introducing%20a%20new%20SRS%20parameter%20on%20outbound%20on-premises%20connectors%20that%20allow%20admins%20to%20turn%20on%20SRS%20rewrites%20for%20messages%20using%20those%20connectors.%20Today%2C%20traffic%20to%20on-premises%20is%20not%20rewritten%2C%20as%20on-premises%20is%20considered%20part%20of%20the%20trust%20boundary%20where%20SPF%20checks%20should%20not%20take%20place.%20With%20some%20customers%20routing%20traffic%20out%20of%20their%20on-premises%20environments%20to%20the%20Internet%2C%20this%20setting%20provides%20a%20solution%20and%20traffic%20can%20be%20rewritten%20if%20needed.%20The%20new%20setting%20rolling%20out%20now%2C%20which%20can%20be%20configured%20by%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fnew-outboundconnector%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ENew-OutboundConnector%3C%2FA%3E%20or%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fset-outboundconnector%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESet-OutboundConnector%3C%2FA%3E%20cmdlets%2C%20is%20%3CSTRONG%3ESenderRewritingEnabled%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-2104533816%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%3E2.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Change%20in%20rewriting%20for%20SMTP%2Fmailbox%20forwarding%3C%2FH2%3E%0A%3CP%3EWe%20are%20further%20consolidating%20our%20rewriting%20for%20message%20forwarding.%20Not%20all%20forwarded%20messages%20are%20rewritten%20using%20SRS%20today.%20Messages%20forwarded%20with%20SMTP%20or%20mailbox%20forwarding%20have%20their%20P1%20Mail%20From%20address%20replaced%20with%20the%20forwarding%20mailbox%20address.%20This%20will%20change%20to%20using%20SRS%20rewriting%20instead.%3C%2FP%3E%0A%3CP%3EThis%20is%20a%20behavior%20change%20that%20may%20result%20in%20some%20disruptions.%20For%20one%2C%20SRS%20does%20not%20rewrite%20messages%20destined%20for%20on-premises%20while%20the%20current%20rewriting%20process%20does.%20This%20could%20cause%20forwarded%20messages%20sent%20to%20or%20via%20on-premises%20to%20be%20rejected%20by%20the%20final%20recipient%20or%20a%20filtering%20device%20along%20the%20way.%26nbsp%3B%20The%20setting%20in%20%231%20has%20been%20provided%20to%20fix%20this%20gap%20and%20allow%20messages%20to%20still%20be%20rewritten%20after%20this%20change%20in%20behavior.%20This%20change%20is%20planned%20to%20begin%20rolling%20out%20starting%20October%201%3CSUP%3Est%3C%2FSUP%3E.%20Our%20recommendation%20is%20that%20customers%20routing%20messages%20to%20the%20Internet%20via%20their%20on-premises%20servers%20should%20proactively%20enable%20the%20new%20setting%20on%20their%20connectors.%20You%20can%20find%20out%20more%20about%20SRS%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Foffice365%2Ftroubleshoot%2Fantispam%2Fsender-rewriting-scheme%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-297079353%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%3E3.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Skipping%20SRS%20if%20incoming%20message%20did%20not%20pass%20SPF%3C%2FH2%3E%0A%3CP%20data-unlink%3D%22true%22%3EThe%20rollout%20of%20the%20new%20relay%20pool%20(announced%20in%20the%20Message%20Center%20post%20%3CA%20href%3D%22https%3A%2F%2Fadmin.microsoft.com%2FAdminportal%2FHome%3Fref%3DMessageCenter%2F%3A%2Fmessages%2FMC266466%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMC266466%3C%2FA%3E)%20will%20result%20in%20some%20messages%20no%20longer%20being%20rewritten.%20The%20aim%20of%20SRS%20is%20to%20allow%20a%20message%20to%20pass%20SPF%20checks%20when%20it%20is%20forwarded%20or%20relayed%20to%20another%20destination.%20However%2C%20if%20the%20message%20did%20not%20pass%20SPF%20when%20it%20was%20received%20by%20Exchange%20Online%2C%20that%20result%20should%20be%20preserved.%20The%20relay%20pool%20rollout%20will%20ensure%20this.%20The%20change%20will%20also%20affect%20spoofed%20domains%20(messages%20sent%20using%20non-accepted%20domains)%20from%20on-premises%20which%20will%20be%20sent%20via%20the%20relay%20pool%20to%20break%20SPF.%20For%20the%20timeline%2C%20please%20refer%20to%20MC266466%26nbsp%3Band%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fhigh-risk-delivery-pool-for-outbound-messages%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3EThe%20main%20effect%20to%20look%20out%20for%20with%20these%20upcoming%20changes%20is%20that%20messages%20leaving%20the%20service%20start%20getting%20rejected%20by%20the%20receiving%20party.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E--The%20Exchange%20Team%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2632829%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20are%20three%20upcoming%20changes%20in%20the%20service%20that%20will%20affect%20Sender%20Rewriting%20Scheme%20(SRS).%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2632829%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etransport%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2680039%22%20slang%3D%22en-US%22%3ERe%3A%20Sender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2680039%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20someone%20tell%20me%20how%20to%20enable%20this%20feature%3F%20Does%20this%20feature%20work%20for%20distribution%20list%20with%20on-premises%20external%20email%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2755255%22%20slang%3D%22en-US%22%3ERe%3A%20Sender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2755255%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1136424%22%20target%3D%22_blank%22%3E%40triw_%3C%2FA%3E%26nbsp%3BSet-OutboundConnector%20%3CEM%3EName%3C%2FEM%3E%20-SenderRewritingEnabled%3A%24true%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEventually%20the%20parameter%20is%20not%20yet%20available%20in%20your%20tenant%20as%20it%20is%20still%20in%20rollout%20phase.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2833776%22%20slang%3D%22en-US%22%3ERe%3A%20Sender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2833776%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20this%20also%20affect%20the%20forwarding%20set%20for%20shared%20mailboxes%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2834979%22%20slang%3D%22en-US%22%3ERe%3A%20Sender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2834979%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20would%20like%20to%20understand%20what%20changes%20to%20the%20forwarding%20message%20headers%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Etoday%20we%20have%20the%20following%20headers%20in%20the%20message%3C%2FP%3E%3CP%3ESMTP%20fowarding%3A%3C%2FP%3E%3CPRE%3EX-MS-Exchange-ForwardingLoop%3A%20%20%26lt%3B%20this%20has%20the%20forwarding%20address%26gt%3B%3C%2FPRE%3E%3CP%3EInbox%20rule%20forwarding%3A%3C%2FP%3E%3CPRE%3EX-MS-Exchange-Inbox-Rules-Loop%3A%20%26lt%3Bthis%20has%20the%20forwarding%20address%26gt%3B%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2834984%22%20slang%3D%22en-US%22%3ERe%3A%20Sender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2834984%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20MS%20provide%20more%20information%20on%20the%20messages%20headers%20and%20what%20would%20change%20there%26nbsp%3B%20with%20some%20samples.%20that%20would%20be%20very%20helpful%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2836743%22%20slang%3D%22en-US%22%3ERe%3A%20Sender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2836743%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1182307%22%20target%3D%22_blank%22%3E%40Rezakgharfara%3C%2FA%3E%26nbsp%3BI'd%20recommend%20reading%20the%20following%20blog%20post%20to%20get%20a%20better%20understanding%20of%20these%20headers%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Floop-prevention-in-exchange-online-demystified%2Fba-p%2F2312258%22%20target%3D%22_blank%22%3ELoop%20Prevention%20in%20Exchange%20Online%20Demystified%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Aug 12 2021 08:30 AM
Updated by: