Microsoft Bolsters Exchange Online Security with New External Recipient Rate Limit Feature


Key Takeaways:

  • Microsoft’s Exchange Online service will introduce a daily limit of 2,000 external recipients in 2025.
  • New Exchange Online customers will see the external recipient limit enforced in January 2025, followed by existing tenants in July 2025.
  • Basic authentication for client submission (SMTP AUTH) will be deprecated in September 2025.

Microsoft is tightening outbound mail controls in Exchange Online with a daily external recipient limit. Starting in January 2025, the company will cap each cloud-hosted mailbox at 2,000 external recipients per day, a measure aimed at curbing spam and misuse of the service's resources.

The recipient rate limit is an Exchange Online safeguard that stops a single mailbox, whether driven by a user or an application, from addressing an excessive number of recipients. Today it stands at 10,000 recipients per mailbox per day, counting internal and external recipients together. Each distribution list or Microsoft 365 group addressed counts as one recipient, regardless of how many members it expands to.

The new External Recipient Rate (ERR) limit is designed to prevent spamming and misuse of Exchange Online resources. Microsoft intends to enforce it for the cloud-hosted mailboxes of new customers from January 1, 2025, and for existing tenants from July 2025. The company has not said whether the limit also applies to mail routed through a connector to on-premises Exchange servers in hybrid deployments.

“Exchange Online enforces a Recipient Rate limit of 10,000 recipients. The 2,000 ERR limit will become a sub-limit within this 10,000 Recipient Rate limit. There is no change to the Recipient Rate limit. If you send to fewer than 2,000 external recipients in a 24-hour period, you will still be able to send to 10,000 total recipients,” the Exchange team explained.
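To make the interaction of the two limits concrete, the following is an added illustration written for this article, not Microsoft's code. It models one sender mailbox under the counting rules stated above: 10,000 recipients per mailbox per day, of which at most 2,000 may be external, with a distribution list or Microsoft 365 group counting as a single recipient. The rolling 24-hour window, the rule that a message crossing either limit is rejected whole, the definition of "external" as any domain outside the tenant's accepted domains, and the sample traffic in `scenario()` are assumptions made for the demo.

```python
"""Model of the Exchange Online Recipient Rate limit and its External Recipient
Rate (ERR) sub-limit.  Added illustration, not Microsoft's code.  Assumptions:
a rolling 24-hour window, a message that would cross either limit is rejected
whole, and "external" means any domain that is not an accepted domain.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RECIPIENT_RATE_LIMIT = 10_000   # total recipients per mailbox per 24 h
EXTERNAL_RATE_LIMIT = 2_000     # sub-limit: external recipients within that total
WINDOW = timedelta(hours=24)    # assumed rolling window


@dataclass
class Message:
    sent_at: datetime
    recipients: list            # envelope recipients (To/Cc/Bcc flattened)


class RecipientRateTracker:
    """Tracks one sender mailbox's recipient consumption."""

    def __init__(self, accepted_domains):
        self.accepted_domains = {d.lower() for d in accepted_domains}
        self.sent = []          # accepted messages, oldest first

    def is_external(self, address):
        domain = address.rsplit("@", 1)[-1].lower()
        return domain not in self.accepted_domains

    def count(self, recipients):
        """Return (total, external) for one message.

        Each address is one recipient.  A distribution list or Microsoft 365
        group is one address in an accepted domain, so it counts as a single
        internal recipient however many (possibly external) members it expands
        to; it is never expanded here, matching the rule in the text.
        """
        total = external = 0
        for addr in recipients:
            total += 1
            if self.is_external(addr):
                external += 1
        return total, external

    def usage(self, now):
        """Recipients consumed by messages accepted inside the window ending at `now`."""
        cutoff = now - WINDOW
        total = external = 0
        for m in self.sent:
            if m.sent_at > cutoff:
                t, e = self.count(m.recipients)
                total += t
                external += e
        return total, external

    def submit(self, msg):
        """Accept or reject a message; returns (accepted, reason)."""
        used_total, used_ext = self.usage(msg.sent_at)
        t, e = self.count(msg.recipients)
        if used_total + t > RECIPIENT_RATE_LIMIT:
            return False, f"RecipientRateLimit: {used_total}+{t} > {RECIPIENT_RATE_LIMIT}"
        if used_ext + e > EXTERNAL_RATE_LIMIT:
            return False, f"ExternalRecipientRateLimit: {used_ext}+{e} > {EXTERNAL_RATE_LIMIT}"
        self.sent.append(msg)
        return True, f"accepted (total {used_total + t}, external {used_ext + e})"


def scenario():
    """Constructed traffic for a mailbox in contoso.com (sample data, not real logs)."""
    t0 = datetime(2025, 7, 1, 9, 0)
    tracker = RecipientRateTracker(accepted_domains=["contoso.com"])
    # 1,900 external recipients already consumed earlier in the window.
    tracker.submit(Message(t0, [f"lead{i}@example.net" for i in range(1900)]))
    results = {}
    # 150 more external: crosses the 2,000 sub-limit although the total is far under 10,000.
    results["external_150"] = tracker.submit(Message(
        t0 + timedelta(hours=1), [f"lead{i}@example.net" for i in range(150)]))
    # 150 internal plus a DL that fans out externally: the DL is one internal recipient.
    results["internal_150_plus_dl"] = tracker.submit(Message(
        t0 + timedelta(hours=1),
        [f"user{i}@contoso.com" for i in range(150)] + ["all-partners@contoso.com"]))
    # Landing exactly on 2,000 external is still accepted (limit treated as inclusive).
    results["external_100"] = tracker.submit(Message(
        t0 + timedelta(hours=2), [f"lead{i}@example.net" for i in range(100)]))
    # The same 150-recipient send 25 hours later: earlier traffic has aged out of the window.
    results["external_150_next_day"] = tracker.submit(Message(
        t0 + timedelta(hours=25), [f"lead{i}@example.net" for i in range(150)]))
    return results


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The point the scenario makes is that the external sub-limit can block a send while the mailbox is nowhere near its 10,000 total, and that a group address is counted once even when it delivers to many outside parties.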

Microsoft notes that cloud-hosted mailboxes that legitimately need to exceed the ERR limit should move that traffic to Azure Communication Services for Email instead. That service lets businesses integrate email into their own applications for sending high-volume transactional, bulk, and marketing messages.

Exchange Online to retire Basic auth for Client Submission (SMTP AUTH) in 2025

Microsoft has also detailed its plan to retire Basic authentication for client submission (SMTP AUTH) in September 2025. Basic auth is a legacy method in which the client presents the mailbox username and password on every connection. Because the password itself is the credential, anyone who phishes, steals, or brute-forces it can authenticate as the user, and the method offers no way to enforce multifactor authentication.

In 2019, Microsoft began phasing out Basic authentication across its email connectivity protocols, recommending that customers switch to modern authentication (OAuth 2.0). That effort did not cover client submission (SMTP AUTH), which a large number of applications and devices still rely on to submit email for processing through Exchange Online.
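The following is an added example, not code from the article or from Microsoft, showing what the two client-submission methods actually put on the wire. For SMTP, "Basic auth" means the AUTH LOGIN or AUTH PLAIN mechanisms, which carry the mailbox password; the OAuth 2.0 replacement is the SASL XOAUTH2 mechanism, which carries a scoped, expiring bearer token. The PLAIN encoding follows RFC 4616 and the XOAUTH2 encoding follows the format Microsoft documents for Exchange Online; the host `smtp.office365.com:587`, the account, the password, the token value and the helper names are placeholders. Obtaining the token from Entra ID (for example with MSAL) is outside the example.

```python
"""SMTP client submission: Basic auth (AUTH PLAIN) next to OAuth 2.0 (SASL
XOAUTH2).  Added example, not Microsoft's code.  Host, account, password and
token values are placeholders; the token must come from Entra ID separately.
"""
import base64
import smtplib

SMTP_HOST = "smtp.office365.com"   # Exchange Online client submission endpoint
SMTP_PORT = 587


def plain_initial_response(user, password):
    """AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL password).

    The password itself travels in the initial response, so any capture of the
    session after TLS termination, or a credential obtained by phishing or
    password spraying, is immediately usable."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def xoauth2_initial_response(user, access_token):
    """AUTH XOAUTH2: base64("user=" user ^A "auth=Bearer " token ^A ^A).

    Only a bearer token scoped to SMTP submission and bound to a lifetime
    travels here; the user's password never reaches the mail server."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def decode_plain(initial_response):
    """What a leaked session log yields from AUTH PLAIN: the cleartext password."""
    authzid, authcid, password = base64.b64decode(initial_response).decode().split("\0")
    return {"authzid": authzid, "user": authcid, "password": password}


def decode_xoauth2(initial_response):
    """What the same leak yields from XOAUTH2: the user and a Bearer token only."""
    raw = base64.b64decode(initial_response).decode().rstrip("\x01")
    return dict(part.split("=", 1) for part in raw.split("\x01"))


def submit_with_xoauth2(user, access_token, from_addr, to_addrs, message_bytes,
                        host=SMTP_HOST, port=SMTP_PORT):
    """Submit a message over STARTTLS with SASL XOAUTH2 (network call; not run here).

    access_token: an Entra ID access token granting SMTP send permission on
    Exchange Online, acquired out of band (for example with MSAL).
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()      # neither credential form should ever precede TLS
        smtp.ehlo()
        # smtplib.auth() base64-encodes what the authobject returns, sends
        # "AUTH XOAUTH2 <initial response>", and raises SMTPAuthenticationError
        # unless the server answers 235.
        smtp.auth("XOAUTH2",
                  lambda challenge=None: f"user={user}\x01auth=Bearer {access_token}\x01\x01",
                  initial_response_ok=True)
        return smtp.sendmail(from_addr, to_addrs, message_bytes)


if __name__ == "__main__":
    user = "app-mailer@contoso.com"                        # placeholder account
    basic = plain_initial_response(user, "Pa55w0rd!")      # placeholder password
    oauth = xoauth2_initial_response(user, "eyJ0eXAi...")  # placeholder token
    print("AUTH PLAIN   ", basic, "->", decode_plain(basic))
    print("AUTH XOAUTH2 ", oauth, "->", decode_xoauth2(oauth))
```

Running the script shows the difference an inventory of SMTP AUTH clients is meant to drive: the PLAIN line decodes straight back to the password, whereas the XOAUTH2 line exposes only a token that expires and can be revoked without changing the password.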

In September 2024, Microsoft will update the SMTP AUTH Clients Submission Report in the Exchange admin center to show which authentication protocol each client used to submit mail, so administrators can identify the senders still on Basic auth. Customers still using Basic auth with client submission (SMTP AUTH) will be notified of the change in January 2025, with a final reminder scheduled for August 2025.

Microsoft advises that organizations that cannot transition to OAuth-authenticated SMTP connections use the High Volume Email service for sending large volumes of internal messages. Alternatively, businesses may opt for Azure Communication Services. Note that both are paid services.