
Microsoft Restricts Use of OnMicrosoft Domains for Outgoing Emails

Microsoft has announced significant changes to its email sending policies that will restrict the use of default onmicrosoft.com domains for email delivery.

The new policy, set to roll out over multiple phases through June 2026, aims to combat spam abuse and improve overall email deliverability across the Microsoft 365 ecosystem.

Organizations using these default domains will face a strict limit of 100 external recipients per day, forcing many to migrate to custom domains for business communications.


Microsoft will implement aggressive throttling on MOERA (Microsoft Online Email Routing Address) domains, limiting organizations to 100 external recipients per 24-hour rolling window.

This represents a dramatic reduction from the current unlimited usage of onmicrosoft.com domains. Once an organization exceeds this threshold, any attempt to send external email while throttled will return an NDR (Non-Delivery Report) with error code 550 5.7.236.

The policy change addresses a persistent spam problem where malicious actors exploit newly created tenants to send bulk spam from onmicrosoft.com addresses before Microsoft can intervene.

This abuse has degraded the collective reputation of the shared onmicrosoft domain space, affecting legitimate users’ email deliverability.

The company emphasizes that these default domains were originally designed for testing purposes, not regular business communications.

Phased Rollout Based on Organization Size

Microsoft will implement the new restrictions through a carefully structured timeline based on Exchange seat counts.

Trial tenants will be the first affected starting October 15, 2025, followed by organizations with fewer than 3 seats on December 1, 2025.

The rollout continues progressively: organizations with 3-10 seats face restrictions on January 7, 2026, while those with 11-50 seats are affected by February 2, 2026.

Larger organizations receive additional time to prepare, with those having 51-200 seats restricted starting March 2, 2026, and organizations with 201-2,000 seats affected by April 1, 2026.


The largest organizations with 2,001-10,000 seats face restrictions on May 4, 2026, while enterprises with over 10,000 seats have until June 1, 2026.

Microsoft will send Message Center notifications one month before each phase begins. This process will impact user authentication credentials, requiring updates to configured devices and applications.

Mandatory Migration

Organizations must take immediate action to avoid disruption by purchasing and implementing custom domains for email sending.

Critical migration steps include setting custom domains as the default domain in the Microsoft 365 admin center and updating primary SMTP addresses for all mailboxes to use custom domain aliases.

Several Microsoft services require specific attention during migration, including the Bookings app, which must be reconfigured to send invitations from custom domains rather than MOERA addresses.

The Sender Rewriting Scheme (SRS) feature may also fall back to MOERA domains if they remain set as default domains. Organizations can analyze their current MOERA traffic using Message Trace features in the Exchange Admin Center to identify affected email flows.
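One way to size the exposure from an exported message trace is shown below. This is an added example, not Microsoft's tooling or code from the original article. The column names (Received, SenderAddress, RecipientAddress), the tenant "contoso" and all sample rows are assumptions constructed for illustration. The article does not say how Microsoft counts recipients, so the script counts every external recipient row.

```python
import csv
import io
from collections import deque
from datetime import datetime, timedelta

LIMIT = 100                   # external recipients allowed per window (from the article)
WINDOW = timedelta(hours=24)  # rolling window length (from the article)

def domain(address):
    return address.lower().rsplit("@", 1)[-1]

def peak_moera_external(csv_text, accepted_domains):
    """Return (peak, when): the highest count of external recipients addressed
    from onmicrosoft.com senders in any 24-hour window, and when it was reached."""
    accepted = {d.lower() for d in accepted_domains}
    times = sorted(
        datetime.fromisoformat(row["Received"])
        for row in csv.DictReader(io.StringIO(csv_text))
        if domain(row["SenderAddress"]).endswith(".onmicrosoft.com")
        and domain(row["RecipientAddress"]) not in accepted
    )
    window, peak, when = deque(), 0, None
    for ts in times:
        window.append(ts)
        while ts - window[0] >= WINDOW:   # drop rows that are 24 hours old or older
            window.popleft()
        if len(window) > peak:
            peak, when = len(window), ts
    return peak, when

def constructed_trace():
    """Constructed sample rows for a hypothetical tenant 'contoso'."""
    moera, custom = "app@contoso.onmicrosoft.com", "sales@contoso.com"
    day1, day2 = datetime(2026, 1, 7, 9, 0), datetime(2026, 1, 8, 8, 0)
    rows = [(datetime(2026, 1, 3, 9, 0), moera, "old@example.org")]  # days before the busy period
    rows += [(day1 + timedelta(minutes=i), moera, f"u{i}@example.org") for i in range(80)]
    rows += [(day2 + timedelta(minutes=i), moera, f"v{i}@example.net") for i in range(30)]
    rows += [(day1, custom, "buyer@example.org"),      # custom-domain sender: not counted
             (day1, moera, "helpdesk@contoso.com")]    # internal recipient: not counted
    lines = ["Received,SenderAddress,RecipientAddress"]
    lines += [f"{t.isoformat()},{s},{r}" for t, s, r in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    peak, when = peak_moera_external(constructed_trace(),
                                     {"contoso.com", "contoso.onmicrosoft.com"})
    print(f"peak {peak} external recipients in 24h at {when}; over limit: {peak > LIMIT}")
```

Pass the tenant's own accepted domains as the second argument so that internal recipients are excluded from the count.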

The policy change represents Microsoft’s broader effort to improve email security and deliverability across its platform, similar to recent initiatives including tenant-wide external recipient rate limits that restrict outbound email volume.

Organizations that fail to migrate to custom domains risk significant disruption to their email communications once throttling begins.


The post Microsoft Restricts Use of OnMicrosoft Domains for Outgoing Emails appeared first on Cyber Security News.
