Sender Rewriting Scheme Upcoming Changes

Published Aug 10 2021 09:12 AM 9,053 Views

The implementation of SRS in Exchange Online has been available for over 2 years now, but it is something we still focus on to ensure that the feature is as comprehensive and concise as possible given the many ways there are to forward messages and different routing scenarios.

There are three upcoming changes in Exchange Online that will affect SRS:

1.     New on-premises connector setting

We are introducing a new SRS parameter on outbound on-premises connectors that allow admins to turn on SRS rewrites for messages using those connectors. Today, traffic to on-premises is not rewritten, as on-premises is considered part of the trust boundary where SPF checks should not take place. With some customers routing traffic out of their on-premises environments to the Internet, this setting provides a solution and traffic can be rewritten if needed. The new setting rolling out now, which can be configured by the New-OutboundConnector or Set-OutboundConnector cmdlets, is SenderRewritingEnabled.

2.     Change in rewriting for SMTP/mailbox forwarding

We are further consolidating our rewriting for message forwarding. Not all forwarded messages are rewritten using SRS today. Messages forwarded with SMTP or mailbox forwarding have their P1 Mail From address replaced with the forwarding mailbox address. This will change to using SRS rewriting instead.

This is a behavior change that may result in some disruptions. For one, SRS does not rewrite messages destined for on-premises while the current rewriting process does. This could cause forwarded messages sent to or via on-premises to be rejected by the final recipient or a filtering device along the way.  The setting in #1 has been provided to fix this gap and allow messages to still be rewritten after this change in behavior. This change is planned to begin rolling out starting October 1st. Our recommendation is that customers routing messages to the Internet via their on-premises servers should proactively enable the new setting on their connectors. You can find out more about SRS here.

3.     Skipping SRS if incoming message did not pass SPF

The rollout of the new relay pool (announced in the Message Center post MC266466) will result in some messages no longer being rewritten. The aim of SRS is to allow a message to pass SPF checks when it is forwarded or relayed to another destination. However, if the message did not pass SPF when it was received by Exchange Online, that result should be preserved. The relay pool rollout will ensure this. The change will also affect spoofed domains (messages sent using non-accepted domains) from on-premises which will be sent via the relay pool to break SPF. For the timeline, please refer to MC266466 and here.

The main effect to look out for with these upcoming changes is that messages leaving the service start getting rejected by the receiving party.

 

--The Exchange Team

2 Comments
Frequent Visitor

Can someone tell me how to enable this feature? Does this feature work for distribution list with on-premises external email?

@triw_ Set-OutboundConnector Name -SenderRewritingEnabled:$true

 

Eventually the parameter is not yet available in your tenant as it is still in rollout phase.

%3CLINGO-SUB%20id%3D%22lingo-sub-2632829%22%20slang%3D%22en-US%22%3ESender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2632829%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20implementation%20of%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Ftroubleshoot%2Fantispam%2Fsender-rewriting-scheme%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESRS%20in%20Exchange%20Online%3C%2FA%3E%20has%20been%20available%20for%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fsender-rewriting-scheme-srs-coming-to-office-365%2Fba-p%2F607932%22%20target%3D%22_blank%22%3Eover%202%20years%20now%3C%2FA%3E%2C%20but%20it%20is%20something%20we%20still%20focus%20on%20to%20ensure%20that%20the%20feature%20is%20as%20comprehensive%20and%20concise%20as%20possible%20given%20the%20many%20ways%20there%20are%20to%20forward%20messages%20and%20different%20routing%20scenarios.%3C%2FP%3E%0A%3CP%3EThere%20are%20three%20upcoming%20changes%20in%20Exchange%20Online%20that%20will%20affect%20SRS%3A%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--382979017%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%20id%3D%22toc-hId--382979018%22%3E1.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20New%20on-premises%20connector%20setting%3C%2FH2%3E%0A%3CP%3EWe%20are%20introducing%20a%20new%20SRS%20parameter%20on%20outbound%20on-premises%20connectors%20that%20allow%20admins%20to%20turn%20on%20SRS%20rewrites%20for%20messages%20using%20those%20connectors.%20Today%2C%20traffic%20to%20on-premises%20is%20not%20rewritten%2C%20as%20on-premises%20is%20considered%20part%20of%20the%20trust%20boundary%20where%20SPF%20checks%20should%20not%20take%20place.%20With%20some%20customers%20routing%20traffic%20out%20of%20their%20on-premises%20environments%20to%20the%20Internet%2C%20this%20setting%20provides%20a%20solution%20and%20traffic%20can%20be%20rewritten%20if%20needed.%20The%20new%20setting%20rolling%20out%20now%2C%20which%20can%20be%20configured%20by%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fnew-outboundconnector%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ENew-OutboundConnector%3C%2FA%3E%20or%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fset-outboundconnector%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESet-OutboundConnector%3C%2FA%3E%20cmdlets%2C%20is%20%3CSTRONG%3ESenderRewritingEnabled%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-2104533816%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%20id%3D%22toc-hId-2104533815%22%3E2.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Change%20in%20rewriting%20for%20SMTP%2Fmailbox%20forwarding%3C%2FH2%3E%0A%3CP%3EWe%20are%20further%20consolidating%20our%20rewriting%20for%20message%20forwarding.%20Not%20all%20forwarded%20messages%20are%20rewritten%20using%20SRS%20today.%20Messages%20forwarded%20with%20SMTP%20or%20mailbox%20forwarding%20have%20their%20P1%20Mail%20From%20address%20replaced%20with%20the%20forwarding%20mailbox%20address.%20This%20will%20change%20to%20using%20SRS%20rewriting%20instead.%3C%2FP%3E%0A%3CP%3EThis%20is%20a%20behavior%20change%20that%20may%20result%20in%20some%20disruptions.%20For%20one%2C%20SRS%20does%20not%20rewrite%20messages%20destined%20for%20on-premises%20while%20the%20current%20rewriting%20process%20does.%20This%20could%20cause%20forwarded%20messages%20sent%20to%20or%20via%20on-premises%20to%20be%20rejected%20by%20the%20final%20recipient%20or%20a%20filtering%20device%20along%20the%20way.%26nbsp%3B%20The%20setting%20in%20%231%20has%20been%20provided%20to%20fix%20this%20gap%20and%20allow%20messages%20to%20still%20be%20rewritten%20after%20this%20change%20in%20behavior.%20This%20change%20is%20planned%20to%20begin%20rolling%20out%20starting%20October%201%3CSUP%3Est%3C%2FSUP%3E.%20Our%20recommendation%20is%20that%20customers%20routing%20messages%20to%20the%20Internet%20via%20their%20on-premises%20servers%20should%20proactively%20enable%20the%20new%20setting%20on%20their%20connectors.%20You%20can%20find%20out%20more%20about%20SRS%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Foffice365%2Ftroubleshoot%2Fantispam%2Fsender-rewriting-scheme%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-297079353%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%20id%3D%22toc-hId-297079352%22%3E3.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Skipping%20SRS%20if%20incoming%20message%20did%20not%20pass%20SPF%3C%2FH2%3E%0A%3CP%20data-unlink%3D%22true%22%3EThe%20rollout%20of%20the%20new%20relay%20pool%20(announced%20in%20the%20Message%20Center%20post%20%3CA%20href%3D%22https%3A%2F%2Fadmin.microsoft.com%2FAdminportal%2FHome%3Fref%3DMessageCenter%2F%3A%2Fmessages%2FMC266466%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMC266466%3C%2FA%3E)%20will%20result%20in%20some%20messages%20no%20longer%20being%20rewritten.%20The%20aim%20of%20SRS%20is%20to%20allow%20a%20message%20to%20pass%20SPF%20checks%20when%20it%20is%20forwarded%20or%20relayed%20to%20another%20destination.%20However%2C%20if%20the%20message%20did%20not%20pass%20SPF%20when%20it%20was%20received%20by%20Exchange%20Online%2C%20that%20result%20should%20be%20preserved.%20The%20relay%20pool%20rollout%20will%20ensure%20this.%20The%20change%20will%20also%20affect%20spoofed%20domains%20(messages%20sent%20using%20non-accepted%20domains)%20from%20on-premises%20which%20will%20be%20sent%20via%20the%20relay%20pool%20to%20break%20SPF.%20For%20the%20timeline%2C%20please%20refer%20to%20MC266466%26nbsp%3Band%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fhigh-risk-delivery-pool-for-outbound-messages%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3EThe%20main%20effect%20to%20look%20out%20for%20with%20these%20upcoming%20changes%20is%20that%20messages%20leaving%20the%20service%20start%20getting%20rejected%20by%20the%20receiving%20party.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E--The%20Exchange%20Team%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2632829%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20are%20three%20upcoming%20changes%20in%20the%20service%20that%20will%20affect%20Sender%20Rewriting%20Scheme%20(SRS).%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2632829%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etransport%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2680039%22%20slang%3D%22en-US%22%3ERe%3A%20Sender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2680039%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20someone%20tell%20me%20how%20to%20enable%20this%20feature%3F%20Does%20this%20feature%20work%20for%20distribution%20list%20with%20on-premises%20external%20email%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2755255%22%20slang%3D%22en-US%22%3ERe%3A%20Sender%20Rewriting%20Scheme%20Upcoming%20Changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2755255%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1136424%22%20target%3D%22_blank%22%3E%40triw_%3C%2FA%3E%26nbsp%3BSet-OutboundConnector%20%3CEM%3EName%3C%2FEM%3E%20-SenderRewritingEnabled%3A%24true%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEventually%20the%20parameter%20is%20not%20yet%20available%20in%20your%20tenant%20as%20it%20is%20still%20in%20rollout%20phase.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Aug 12 2021 08:30 AM
Updated by: