This new feature aims to give organizations tighter control over email traffic.
Key Takeaways:
Microsoft has introduced a new Reject Direct Send feature in public preview for Exchange Online. This new setting should help organizations strengthen protection against unauthorized email traffic.
In Exchange Online, the Direct Send feature allows users to send emails directly to their organization’s mailboxes from on-premises devices, applications, or third-party cloud services using their accepted domain. This method doesn’t require authentication, which makes it suitable for devices and applications that can’t authenticate. It’s primarily used for sending emails internally within organizations.
However, Direct Send can be abused for spam and spoofing if SPF (Sender Policy Framework) records are not properly configured. Moreover, Direct Send doesn’t support sending emails to external recipients, and messages sent this way are not saved to a Sent Items folder.
Microsoft has introduced the Reject Direct Send feature to enhance email security by blocking unauthenticated messages that appear to come from accepted domains. This feature ensures that only authenticated emails, which are verified through mail flow connectors, are allowed. It helps prevent security issues (like domain spoofing and unauthorized email traffic) common with the Direct Send method.
Currently, the Reject Direct Send feature is available as an opt-in experience for Exchange Online customers. Administrators can enable this setting by running the following PowerShell cmdlet: Set-OrganizationConfig -RejectDirectSend $true.
Keep in mind that it could take up to 30 minutes before this change is reflected across a tenant. Once this setting is enabled, messages sent through Direct Send will be rejected with the following error message: 550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources. Any source whose messages encounter this error will need a partner connector configured for it. A partner connector is a configuration in Exchange Online that authenticates the source of the email.
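The following PowerShell session is an added example, not code from the article or from Microsoft’s documentation. It shows how an administrator would check the current setting, inventory the inbound connectors that will have to cover legitimate unauthenticated senders, and only then turn on Reject Direct Send. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role; the user principal name is a placeholder.

```powershell
# Added example (not from the article or Microsoft's documentation).
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Record the current value before changing anything.
$cfg = Get-OrganizationConfig
"RejectDirectSend is currently: $($cfg.RejectDirectSend)"

# 2. Inventory inbound connectors. Any device, application or third-party
#    forwarder that currently relays unauthenticated mail from an accepted
#    domain must be matched by one of these (by sender IP or TLS certificate),
#    otherwise its mail will be rejected with 550 5.7.68 once the setting is on.
Get-InboundConnector |
    Select-Object Name, Enabled, ConnectorType, SenderDomains,
                  SenderIPAddresses, TlsSenderCertificateName, RequireTls |
    Format-Table -AutoSize

# 3. Enable the opt-in setting.
Set-OrganizationConfig -RejectDirectSend $true

# 4. Re-read the setting. Propagation across the tenant can take up to
#    30 minutes, so the old value may still be returned for a while.
(Get-OrganizationConfig).RejectDirectSend
```

If unexpected rejections show up after the change (for example from a scanner or a forwarding service without SRS support), the setting can be reverted with Set-OrganizationConfig -RejectDirectSend $false while the missing partner connector is created, and then enabled again.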
Microsoft will actively gather user feedback while the Reject Direct Send feature is in preview for commercial customers. Going forward, the company plans to make this feature the default for all new Exchange Online tenants. However, Microsoft has warned that enabling Reject Direct Send without a partner mail flow connector will result in the rejection of messages forwarded by third parties without SRS support.
In recent years, Microsoft has made significant efforts to strengthen Exchange Online security. In June 2023, the company disabled Remote PowerShell (RPS) for all customers. Microsoft also plans to disable Exchange Web Services (EWS) by October 2026.