In any organization, protecting your email domain is critical. One common problem many admins face is that devices, apps, or third-party services sometimes send emails using your domain — without any authentication.
Even worse, bad actors can try to spoof your domain this way, leading to security risks, spam issues, and loss of trust.
Until now, there wasn’t a simple way to block these unauthenticated emails if you weren’t using Direct Send.
That’s why Microsoft has introduced a new feature — Reject Direct Send — now available in Public Preview for Exchange Online.
This blog explains what it is and how to enable it.
What is Direct Send in Exchange Online?
Direct Send is when emails are sent straight to Exchange Online mailboxes from devices, apps, or third-party services using your organization’s domain — without logging in or authenticating.
It’s designed for convenience, but it also opens the door for unauthenticated email traffic, which can cause spam or security issues if not managed carefully.
- No authentication is needed.
- It mimics incoming emails from the internet, but uses your domain.
- SPF, DKIM, and DMARC are expected to be set up to protect your domain — but not everyone has perfect setups.
What Does the “Reject Direct Send” Feature Do?
With Reject Direct Send enabled:
- Exchange Online blocks any anonymous emails that claim to come from your accepted domain.
- Only authenticated emails — verified by a mail flow connector — will be allowed through.
This helps you:
- Stop spoofed or unauthorized emails.
- Make your organization’s email flow more secure.
- Have better control over what gets into your mailboxes.
How to Enable Reject Direct Send
By default, the Reject Direct Send setting is OFF.
Here’s how you can turn it on:
- Connect to Exchange Online PowerShell.
- Run the below command:
powershellCopyEditSet-OrganizationConfig -RejectDirectSend $true
That’s it!
The setting will apply across your organization within about 30 minutes.
Once enabled, any unauthorized Direct Send attempts will fail with this error:
550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources
Important Things to Know
- If you have legitimate senders (like on-prem apps or devices) using Direct Send, you must set up a Partner Connector to authenticate them.
Learn how to set up connectors here. - Forwarding Scenarios:
If an external party forwards a message back into your domain (and they don’t use Sender Rewriting Scheme — SRS), the email could get rejected.
Before enabling, review your mail flow if you rely heavily on external forwarding.
Final Thoughts
If you want tighter security and better control over your domain’s email flow, this is a feature you should start testing now.
Even if you aren’t ready to turn it on permanently, start preparing: audit your senders, set up partner connectors where needed, and get ahead of any potential issues.
Reject Direct Send is a big step forward in protecting your email environment — and your brand’s reputation.
