Microsoft has announced significant restrictions on email sending capabilities for organizations using default onmicrosoft.com domains, implementing a throttling system that limits external email delivery to 100 recipients per organization every 24 hours.
The policy change, announced through the Exchange Team Blog, aims to prevent spam abuse while encouraging organizations to migrate to custom domains for improved email deliverability and brand representation.
Key Takeaways
1. Microsoft limits onmicrosoft.com domains to 100 external emails daily.
2. Targets cybercriminals exploiting new tenants, protecting shared domain reputation.
3. Organizations must purchase custom domains; the rollout is phased through June 2026.
Email Throttling Imposed
Microsoft’s new policy specifically targets MOERA (Microsoft Online Email Routing Address) domains, which are automatically assigned when organizations create new Microsoft 365 tenants.
These default domains, such as contoso.onmicrosoft.com, have become attractive targets for cybercriminals who exploit newly created tenants to send spam bursts before detection systems can intervene.
The throttling mechanism will trigger NDR (Non-Delivery Report) messages with error code 550 5.7.236 when organizations exceed the 100 external recipient limit within the rolling 24-hour window.
Internal messaging remains unaffected, and the restriction applies only to external recipients after any distribution list expansions are calculated.
This technical implementation ensures that legitimate testing and internal communications continue uninterrupted while preventing large-scale spam operations.
The shared reputation model of onmicrosoft domains has created significant deliverability challenges for legitimate users.
Because all organizations share variations of the same domain namespace, malicious activity from one tenant can negatively impact email deliverability for all other users on the platform.
Phased Rollout Timeline
Microsoft has established a structured rollout schedule beginning with trial tenants on October 15, 2025, and progressing through different organization sizes based on Exchange seat counts.
The implementation will conclude with tenants having over 10,001 seats by June 1, 2026. Organizations with fewer than three seats will face restrictions starting December 1, 2025, followed by progressively larger organizations through the first half of 2026.
Technical migration involves several critical steps, including purchasing custom domains through authorized registrars, configuring DNS validation, and updating primary SMTP addresses on all mailboxes.
Organizations must also address specific scenarios where MOERA domains might be inadvertently used, including Sender Rewriting Scheme (SRS) configurations, Microsoft Bookings notifications, and various Microsoft 365 service integrations.
Administrators can analyze current MOERA email traffic using the Message Trace feature in Exchange Admin Center with wildcard sender addresses to identify potential impacts before the restrictions take effect.
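As an added example (not from Microsoft or the original article), the script below measures an exported message trace against the limit described above: it keeps only rows whose sender is on an onmicrosoft.com domain and whose recipient is outside the tenant, then slides a 24-hour window over them. The CSV column names (received, sender, recipient), the caller-supplied list of accepted domains, and the choice to count every recipient row (including repeats of the same address) are assumptions; the sample trace is constructed.

```python
import csv
import io
from collections import Counter, deque
from datetime import datetime, timedelta

LIMIT = 100                   # external recipients per window, per the article
WINDOW = timedelta(hours=24)  # rolling window, per the article

def domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()

def moera_exposure(csv_text, accepted_domains):
    """Peak rolling-24h count of external recipients for MOERA senders."""
    accepted = {d.lower() for d in accepted_domains}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not domain(row["sender"]).endswith(".onmicrosoft.com"):
            continue          # custom-domain senders are not throttled
        if domain(row["recipient"]) in accepted:
            continue          # internal recipients do not count
        hits.append((datetime.fromisoformat(row["received"]), row["sender"].lower()))
    hits.sort()
    window, peak, first_breach = deque(), 0, None
    for ts, _ in hits:
        window.append(ts)
        while ts - window[0] >= WINDOW:   # drop rows older than the window
            window.popleft()
        peak = max(peak, len(window))
        if first_breach is None and len(window) > LIMIT:
            first_breach = ts             # first row that would be rejected
    return {"peak": peak, "first_breach": first_breach,
            "by_sender": Counter(s for _, s in hits)}

def sample_trace():
    """Constructed sample data, not a real export."""
    t0 = datetime(2025, 10, 15, 9, 0)
    rows = ["received,sender,recipient"]
    def add(n, start, sender, rcpt_domain):
        for i in range(n):
            ts = (start + timedelta(minutes=i)).isoformat()
            rows.append(f"{ts},{sender},user{i}@{rcpt_domain}")
    add(60, t0, "bookings@contoso.onmicrosoft.com", "example.org")
    add(50, t0 + timedelta(hours=11), "alerts@contoso.onmicrosoft.com", "example.net")
    add(5, t0, "alerts@contoso.onmicrosoft.com", "contoso.com")   # internal
    add(30, t0, "sales@contoso.com", "example.org")               # custom domain
    add(20, t0 + timedelta(days=2), "bookings@contoso.onmicrosoft.com", "example.org")
    return "\n".join(rows)

if __name__ == "__main__":
    print(moera_exposure(sample_trace(), {"contoso.com", "contoso.onmicrosoft.com"}))
```

The by_sender breakdown shows which MOERA addresses generate the external traffic, which is where service-generated mail such as Bookings notifications would surface.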
Organizations are strongly advised to begin migration planning immediately, as the throttling limits will significantly impact any business operations currently dependent on MOERA domains for external communications.
The post Microsoft to Limit Onmicrosoft Domain Usage for Sending Emails appeared first on Cyber Security News.