Microsoft Plans to Impose a Per Day Limit on Exchange Online Bulk Emails to Reduce Spam

DMARC Report

Starting January 1, 2025, Microsoft Exchange Online users will have to change their plans, as a limit of 2,000 external recipients per 24 hours will be implemented. The platform was never designed for high-volume transactional email, so the decision was taken with that in mind and to avoid overburdening its resources.

The limit will roll out in two phases:

  • The First Phase (January 1, 2025): The primary phase will affect the cloud-hosted mailboxes of all newly created tenants.
  • The Second Phase (July-December 2025): The second phase will expand the limit to all existing cloud-hosted mailboxes.

The Recipient Rate Limit


The daily recipient limit remains at 10,000, which means users can send emails to up to 10,000 recipients within 24 hours. However, the number of external recipients, those outside your organization, should not exceed 2,000. For organizations requiring larger-scale email campaigns beyond this limit, Microsoft suggests switching to Azure Communication Services for Email. This service supports high-volume emailing, accommodating millions of emails per month, and is designed specifically for bulk communication needs.

In April 2024, the Department of Homeland Security (DHS) released a report on a big data breach at Microsoft that culminated in a cyberattack on its Exchange Online platform in July 2023.

The Cyber Safety Review Board (CSRB) prepared the report, which highlighted weaknesses in Microsoft’s security practices and offered recommendations for the company and the cloud service industry as a whole.

Deploy DMARC As a Personal Effort Towards Email Security

While Google, Yahoo, Microsoft, and other similar platforms are doing their best by rolling out new policies to make email exchange a safer practice, you, as a domain owner, should also do your bit. Start by implementing SPF, DKIM, and DMARC, as these protocols collectively ensure that only authorized emails sent from your domain land in the inboxes of recipients while also confirming that nobody tampered with the emails’ contents in transit. 


DMARC also provides a mechanism for domain owners to receive feedback in the form of DMARC aggregate and forensic reports. These reports show how recipients’ mail servers are treating your emails and whether a threat actor is sending unsolicited emails without your consent.

DMARC builds on SPF and DKIM by giving domain owners a way to specify how receiving servers should handle emails that fail authentication. A domain owner creates a DMARC policy in the domain’s DNS settings, specifying whether to allow, quarantine, or reject emails that fail SPF and/or DKIM checks.
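One way to read the aggregate reports and published policy described above, added here as an example and not code from DMARC Report or Microsoft: it parses a constructed RFC 7489 aggregate report and lists the sources whose mail failed both SPF and DKIM. The domain, IP addresses, and function names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate layout; example.com and the
# 192.0.2.x / 198.51.100.x addresses are documentation placeholders.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>25</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>30</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>50</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarize(report_xml):
    """Return (published policy, per-source pass/fail message counts)."""
    # Reports arrive from third parties; in production, parse them with a
    # hardened XML parser (for example the defusedxml package).
    root = ET.fromstring(report_xml)
    pub = root.find("policy_published")
    policy = {"domain": pub.findtext("domain"), "p": pub.findtext("p"),
              "pct": int(pub.findtext("pct", "100"))}  # pct defaults to 100
    sources = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        sources[row.findtext("source_ip")]["pass" if ok else "fail"] += count
    return policy, dict(sources)

def failing_sources(sources):
    """Sources that never passed DMARC: unauthorized or misconfigured senders."""
    return sorted(ip for ip, c in sources.items() if c["fail"] and not c["pass"])

def fail_rate(sources):
    """Share of reported messages that failed DMARC."""
    total = sum(c["pass"] + c["fail"] for c in sources.values())
    return sum(c["fail"] for c in sources.values()) / total if total else 0.0

if __name__ == "__main__":
    policy, sources = summarize(SAMPLE_REPORT)
    print(policy, failing_sources(sources), fail_rate(sources))
```

A source that appears only in the failing list is either a legitimate sender still missing SPF or DKIM configuration or someone spoofing the domain; sorting that out comes before raising the policy percentage.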


You can also adjust the percentage tag of the policy based on the number of false positives and false negatives you observe. If you receive too many of these reports and struggle to manage them effectively, we can help. We will monitor these reports and send you aggregated versions. To learn more about our services, reach out to us. Meanwhile, you can also check out our resources to learn more about email authentication.
