Exchange Limit Changes in 2025
Yesterday Microsoft announced changes to Exchange Online sending limits. It sounds like the existing per-sender recipient limits remain in place, but an organizational (tenant-wide) limit on external recipients will be introduced as well. This is interesting for a few reasons:
- This is a long overdue change
- This should make Microsoft mail delivery better
- The impact should be minimal
- What this means for the outbound anti-spam policy
A long overdue change
If you have been a Microsoft customer for a while, a Microsoft developer, or a regular on r/sysadmin, you will be well aware of some of the cybersecurity incidents Microsoft has faced in recent years. These have led Microsoft's CEO to state the need for "prioritizing security above all else", to enforce security settings on their customers, and to take other steps such as the removal of dev/test tenants.
Your organization may take cybersecurity seriously, with a line item on the budget for it, a 24/7 SOC, and so on, but many customers with a Microsoft tenant don't, and that impacts everyone on the shared service.
Making email delivery better
Did you know that when you send email, Microsoft doesn't always send it from the same server? That likely seems obvious to some: you imagine a farm of servers that Microsoft maintains for the sole purpose of sending email. You would be correct, but what you may not know is that those servers are grouped into pools. There are three known pool types:
- Standard pool
- High-risk pool
- Relay pool
This is important because if your email is going out from the same IP address as someone who is sending thousands of spam messages, other vendors and email providers will start to block that IP address and impact your mail's successful delivery! To combat that, Microsoft already routes suspicious email through a different pool. Simply limiting the amount of mail sent via Exchange (this is not a bulk mailing service!) should make that processing better.
Minimal impact
I will be the first to say that no environment is perfect, and I have seen scenarios where someone will be impacted by this. But Microsoft has stated multiple times that their telemetry suggests the number of impacted customers will be quite small. I think that remains to be seen, but I would imagine most organizations that are impacted haven't configured things correctly.
MDO's Outbound Spam Policy
As far as I can tell, the outbound spam policy is not impacted by this change. There still appears to be a rate limit per sender as well as the new one per tenant. To me this makes the outbound anti-spam policy much more important than it already was.
- Imagine you're a small organization with 25 licenses, giving you a daily limit just above 14,000 external recipients. With a misconfigured outbound policy, 2 compromised users are enough to block external email from being sent for 24 hours.
- For larger orgs that enforce an outbound policy, I imagine attacker behaviour will change once they figure this out. Only external email is impacted by this change, not internal. So let's imagine you have 10,000 licenses, with an outbound limit just above 320,000 external recipients per day, and an outbound spam policy that limits each user to 200 external recipients. What changes might an attacker look at?
  - They might realize the outbound limits are too restrictive and turn to internal phishing instead.
  - They might switch to a combination of internal and external phishing. For an unprivileged account it's hard to know what the limit is, but that doesn't matter when a lot of these attacks are scripted. When they compromise an account they may attempt to send 10,000 external emails, of which maybe only 200 go out. But they will also send 10,000 internal emails, and every account they compromise from those becomes a fresh allowance of external emails they can send.
That is speculation, but when protections get implemented attackers get more sophisticated or switch targets, so I fully expect to see changes in how Microsoft environments are compromised after this change.
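As an added example (my code, not from this post or from Microsoft), the following PowerShell turns the two scenarios above into numbers and then shows the outbound spam policy settings that bound what a single compromised account can send. It assumes the tenant-limit formula from Microsoft's announcement (500 × licenses^0.7 + 9,500 external recipients per 24 hours), which reproduces the post's 14,000 and 320,000 figures; the per-account attempt counts are constructed, the policy threshold values are my choices rather than Microsoft recommendations, and `Get-LimitsEnforcement` is my understanding of the cmdlet the post alludes to as "the PowerShell command".

```powershell
# Added example, not from the post. Estimates the tenant-wide external recipient
# limit (TERRL) and how many compromised accounts it takes to exhaust it, with
# and without a per-user cap from the outbound spam policy.
# ASSUMPTION: TERRL = 500 * licenses^0.7 + 9500 per 24 hours (Microsoft's
# announced formula, not stated in the post). It gives ~14,259 for 25 licenses
# and ~324,979 for 10,000 licenses, matching the post's figures.

function Get-EstimatedTerrl {
    param([Parameter(Mandatory)][int]$Licenses)
    [math]::Floor(500 * [math]::Pow($Licenses, 0.7) + 9500)
}

function Get-TerrlExposure {
    param(
        [Parameter(Mandatory)][int]$Licenses,
        # External recipients one account may reach per day under the outbound
        # spam policy. 0 means no per-user cap is configured.
        [int]$PerUserExternalPerDay = 0,
        [int]$CompromisedAccounts = 1,
        # Constructed figure: what a scripted sender attempts from each account.
        [int]$AttemptedPerAccount = 10000
    )
    $terrl = Get-EstimatedTerrl -Licenses $Licenses
    $perAccount = if ($PerUserExternalPerDay -gt 0) {
        [math]::Min($AttemptedPerAccount, $PerUserExternalPerDay)
    } else {
        $AttemptedPerAccount
    }
    $sent = $perAccount * $CompromisedAccounts
    [pscustomobject]@{
        Licenses          = $Licenses
        TenantLimit       = $terrl
        ExternalSent      = $sent
        TenantBlocked     = ($sent -ge $terrl)          # whole tenant stops sending externally
        AccountsToExhaust = [math]::Ceiling($terrl / $perAccount)
    }
}

# The post's two scenarios (constructed inputs):
# 25 licenses, no per-user cap, 2 compromised accounts -> TenantBlocked = True
Get-TerrlExposure -Licenses 25 -CompromisedAccounts 2
# 10,000 licenses, 200 external recipients per user per day -> ~1,625 accounts needed
Get-TerrlExposure -Licenses 10000 -PerUserExternalPerDay 200

# --- Live tenant checks (require Connect-ExchangeOnline first) ---

# Weak state to look for: 0 means the service defaults apply and a single
# compromised account is limited only by the per-sender service limit.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, RecipientLimitExternalPerHour, RecipientLimitInternalPerHour,
                  RecipientLimitPerDay, ActionWhenThresholdReached

# Hardened default policy: cap external and internal recipients per hour and the
# daily total, and block the sender rather than only alerting. Values are choices.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 100 `
    -RecipientLimitInternalPerHour 400 `
    -RecipientLimitPerDay 200 `
    -ActionWhenThresholdReached BlockUser

# ASSUMPTION: Get-LimitsEnforcement is the Exchange Online cmdlet that reports
# whether the tenant-wide limit is currently being enforced; verify against
# Microsoft's documentation.
Get-LimitsEnforcement
```

The exposure model is deliberately simple: it treats the per-user cap as a hard daily ceiling and ignores the internal-then-external pivot described above, so the `AccountsToExhaust` figure is a floor on what an attacker would need, not a guarantee. The point it makes is the one the post makes: with no per-user cap, two accounts in a 25-license tenant exceed the tenant limit, while a 200-recipient cap in a 10,000-license tenant pushes the same outcome to roughly 1,600 compromised accounts.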
Summary
Overall this is a good change in my opinion. I do wish the timeline were longer and that the report they mention had been available at the time of the announcement, but for now we must rely on the PowerShell command.
I don't believe I have any followers or audience on this site, but I will add updates to this post as more details come to light. I will note that there are also new per-inbox limits coming starting October 2025, so Microsoft is really buckling down on Exchange external email, and I imagine this won't be the last change we see this year.