Microsoft to tackle spam by restricting Exchange Online bulk email

Need to send to more than 2,000 external recipients in 24 hours? Time to start looking for an alternative


For the first time, Microsoft will apply daily restrictions to Exchange Online in an effort to staunch the flow of spam from the service.

Starting from January 1, 2025, Exchange Online will begin enforcing an External Recipient Rate (ERR) limit of 2,000 recipients in 24 hours for cloud-hosted mailboxes of all newly created tenants. Between July and December 2025, Microsoft will start applying the limit to the cloud-hosted mailboxes of existing tenants.

Microsoft emphasized that the limit applies to external recipients. The existing recipient rate limit of 10,000 recipients is unchanged.

"Exchange Online does not support bulk or high-volume transactional email," Microsoft said. "We have not enforced limiting of bulk email until now, but we plan on doing so with the introduction of an External Recipient Rate limit. The ERR limit is being introduced to help reduce unfair usage and abuse of Exchange Online resources."

Customers who exceed the limit will be directed to Azure Communication Services for Email, which, according to Microsoft, "is designed specifically for high volume email sent to recipients external to your tenant."

According to Microsoft's documentation, the recipient rate limit applies per user, and the company advises customers who need to send "legitimate bulk commercial email," such as newsletters, to use a third-party tool.

Exchange Online has tripped over newly applied spam rules in recent months. In March, some emails from the service were blocked for Yahoo and AOL users after stricter restrictions were applied. Earlier this month, users with Outlook.com country domains found their emails treated as spam and prevented from reaching Gmail destinations.

From February 1, Google added rules aimed at email senders who dispatch more than 5,000 messages per day to Gmail accounts. As well as requiring SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) email authentication for the domain, Google also said that marketing messages must support one-click unsubscribe.

One Exchange Online user described the update as a "major change," while others sought clarification over where the rule would be applied. There are also legitimate integration scenarios that might breach the limit.

We contacted Microsoft for more details and will update this piece with any new information. ®
