Original Mimecast Article
This article contains information on configuring Direct Send in Microsoft 365, its purpose, functionality, security considerations, and steps to enable or disable it, including SPF, DKIM, and Mimecast integration settings.
Prerequisites
- You have a Mimecast Basic Administrator role.
- You are a Microsoft 365 Administrator.
What is Microsoft Direct Send?
Microsoft Direct Send is a method used within Microsoft 365 (Exchange Online) that allows emails to be sent directly from on-premises devices, applications, or third-party services to users’ mailboxes hosted in Exchange Online. This approach bypasses the need for an SMTP relay or connector, making it a straightforward option for sending emails to recipients within the same organization. However, it is vulnerable to abuse due to its lack of authentication and reliance on SMTP, making it a target for spam, phishing, and spoofing attacks.
Purpose and Functionality
- Purpose: Direct Send is primarily designed to facilitate the delivery of emails from on-premises systems (like printers, scanners, or business applications) to Exchange Online mailboxes. It is especially useful for organizations with hybrid environments, or those needing to integrate on-premises applications with cloud-based email services.
- Functionality: Direct Send allows these devices or applications to send emails directly to Exchange Online, without additional configuration, such as setting up SMTP relays or connectors. This simplifies the process and reduces potential points of failure.
Configuring Direct Send
You can configure Direct Send in Microsoft 365 by using the following steps:
- View Microsoft's article "How to set up a multifunction device or application to send email using Microsoft 365 or Office 365" and follow its instructions for setting up Direct Send.
- Update your domain's SPF (Sender Policy Framework) record to include the IP address of your sending device or application.
  - Validate your record using our SPF Record Checker.
- Ensure DKIM authentication is configured for your domain.
  - Validate your DKIM record with our DKIM Checker.
- Confirm the domain's DMARC record is set up correctly using our DMARC Record Checker.
Quarantine Messages
Use a Transport Rule to Quarantine Direct Send Messages from Unauthorized IPs (Optional).
Note:
This mail flow rule will redirect any messages sent via Direct Send to the M365 Hosted Admin Quarantine. Be sure to add all authorized Direct Send and Mimecast Sending IPs to the rule to ensure mail isn't held.
You can use an Exchange Online mail flow (transport) rule to identify and quarantine emails sent via Direct Send from unauthorized IP addresses. This approach helps stop spam or spoofed messages that bypass your secure email gateway from reaching user mailboxes.
Steps to Create the Rule
- Go to Exchange Admin Center (EAC):
  - Navigate to the Exchange Admin Center and sign in as an admin.
- Create a New Mail Flow Rule:
  - Go to Mail Flow | Rules.
  - Click + Add a rule and select Create a new rule.
- Configure the Rule Conditions:
  - Name: Give the rule a descriptive name, such as "Quarantine Direct Send Messages from unauthorized IPs".
  - Apply this rule if...
    - Select Apply to all messages.
  - Do the following...
    - Select Redirect the message to.
    - Select Hosted Quarantine.
  - Except if...
    - Select The sender.
    - Select IP addresses is in any of these ranges or exactly matches.
    - Add exceptions for your authorized IP addresses (e.g., your on-premises IPs, partner connectors, or other trusted sources) and the Mimecast sending IP addresses listed under Administration - Data Centers & URLs. Ensure that you add ALL authorized IPs to this exceptions list.
  - Or
    - Select The message headers...
    - Select includes any of these words.
    - Select Enter text. Specify the header name X-MS-Exchange-Organization-AuthAs.
    - Select Enter words. Enter Internal.
  - Click Next.
- Set rule settings:
  - Rule mode...
    - Select Test without Policy Tips to monitor traffic that hits the rule.
    - Select Enforce when you are ready to turn the transport rule on.
  - Select a Severity level for logging purposes in MS Defender.
  - Select Stop processing more rules.
  - Select Header or Envelope.
  - Add a description in the Comments section.
  - Click Next.
- Save and Enable the Rule:
  - Review your settings and save the rule.
  - Ensure the rule is enabled and its mail flow rule priority is 0.
This approach ensures that only messages from trusted sources are delivered, and any suspicious Direct Send attempts from unauthorized IPs are held for admin review.
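The same rule built with Exchange Online PowerShell instead of the EAC, as an added example that is not part of the original article; the IP ranges, comment text and audit severity are placeholders and must be replaced with your own authorized Direct Send sources and the Mimecast sending IPs for your region.

```powershell
# Added example: create the quarantine rule described above with Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# Placeholder values (constructed): list EVERY authorized Direct Send source here, including
# on-premises devices, partner connectors and all Mimecast sending IP ranges for your region.
$authorizedIpRanges = @(
    '203.0.113.10',        # constructed: on-premises multifunction device
    '198.51.100.0/24'      # constructed: stand-in for a Mimecast sending range
)

$ruleName = 'Quarantine Direct Send Messages from unauthorized IPs'

$params = @{
    Name                                = $ruleName
    Priority                            = 0                    # evaluate before any other rule
    Mode                                = 'Audit'              # "Test without Policy Tips"; switch to 'Enforce' when ready
    Quarantine                          = $true                # "Redirect the message to" > "Hosted Quarantine"
    ExceptIfSenderIpRanges              = $authorizedIpRanges  # "The sender" > "IP addresses is in any of these ranges"
    ExceptIfHeaderContainsMessageHeader = 'X-MS-Exchange-Organization-AuthAs'
    ExceptIfHeaderContainsWords         = 'Internal'           # mail Exchange itself authenticated as internal
    SenderAddressLocation               = 'HeaderOrEnvelope'   # "Header or Envelope"
    StopRuleProcessing                  = $true                # "Stop processing more rules"
    SetAuditSeverity                    = 'Medium'             # severity shown in Defender reporting (assumed value)
    Comments                            = 'Holds anonymous Direct Send traffic from IPs not on the allow list for admin review.'
    Enabled                             = $true
}

# No condition parameter is given, so the rule applies to all messages. Exceptions are ORed:
# a match on either the IP allow list or the AuthAs header lets the message through untouched.
New-TransportRule @params

# Confirm the rule was created with priority 0 and in audit mode before switching it to Enforce.
Get-TransportRule -Identity $ruleName |
    Format-List Name, Priority, State, Mode, ExceptIfSenderIpRanges, ExceptIfHeaderContainsWords
```

Run the rule in Audit mode first and review what it matches; once the allow list is complete, change it with Set-TransportRule -Identity $ruleName -Mode Enforce.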
Important Notes
- Regularly update your list of authorized IPs as your environment changes.
- Test the rule with non-critical accounts before full deployment to avoid false positives.
Turning Off Direct Send
You may consider turning off Direct Send to improve your organization's security posture. Note that turning it off may affect the following scenarios:
- Many organizations use Direct Send for multifunction devices (like printers and scanners), or on-premises applications to send emails (such as notifications, reports, or alerts) directly to internal mailboxes. Disabling Direct Send will block these emails if they are sent anonymously using your accepted domains, potentially breaking workflows that rely on this method.
- Direct Send bypasses connectors and some email authentication checks (like SPF, DKIM, and DMARC). When you disable Direct Send, emails that previously bypassed these checks may now be blocked, even if they would have passed inspection through other routes. This could result in legitimate internal emails being rejected if not properly reconfigured.
- If you turn off Direct Send, you may need to reconfigure your devices and applications to use authenticated SMTP relay or other supported methods. This can require additional administrative effort and may not be supported by all legacy devices.
- Out of Office and Microsoft-generated notifications may be routed through Direct Send. Disabling the service may result in internal notifications being rejected.
Turning Off Direct Send in Your Microsoft 365 Tenant
You can disable Direct Send by using the following steps:
- Open PowerShell and connect to Exchange Online using the following command:
  Connect-ExchangeOnline
  (You may need to install the Exchange Online module if you haven't already.)
- Enable the Reject Direct Send feature by running the following cmdlet:
  Set-OrganizationConfig -RejectDirectSend $true
  This setting blocks any email sent to your tenant anonymously using an address that matches one of your accepted domains.
Monitoring
- Review the Bounced and Rejected Messages queues in the Mimecast Administration Console to ensure legitimate traffic, such as Digest Sets, is not rejected by your Microsoft 365 environment. Bounced messages related to Direct Send contain an SMTP error like: 550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources.
- Review the Historical Message Trace logs in the Exchange Admin Center for errors related to emails sent to your Microsoft 365 tenant via Direct Send.
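A script that ties the Turning Off Direct Send steps to the Monitoring step: it records the current setting, enables Reject Direct Send, verifies the change, then pulls recent failed message traces whose detail carries the 550 5.7.68 text quoted above, grouped by source IP so each device or service that still needs an authenticated relay stands out. This is an added example, not code from the article; the two-day lookback window is an assumption, and the trace cmdlets are the classic Get-MessageTrace / Get-MessageTraceDetail (use their V2 replacements if your module version has retired them).

```powershell
# Added example: turn off Direct Send, verify the tenant setting, then review what was rejected.
Connect-ExchangeOnline

# Record the current value so the change can be reverted with -RejectDirectSend $false if needed.
$before = (Get-OrganizationConfig).RejectDirectSend
Write-Host "RejectDirectSend before change: $before"

Set-OrganizationConfig -RejectDirectSend $true

$after = (Get-OrganizationConfig).RejectDirectSend
if (-not $after) { throw 'RejectDirectSend is still disabled; check your role assignment and retry.' }

# Assumed window: look back two days for failed deliveries into the tenant and keep only those
# whose trace detail carries the Direct Send rejection text from the Monitoring section.
$start = (Get-Date).AddDays(-2)
$end   = Get-Date
$rejections = foreach ($msg in Get-MessageTrace -StartDate $start -EndDate $end -Status Failed) {
    $hit = Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId -RecipientAddress $msg.RecipientAddress |
        Where-Object { $_.Detail -match '5\.7\.68' -or $_.Detail -match 'Direct Send not allowed' }
    if ($hit) {
        [pscustomobject]@{
            Received  = $msg.Received
            FromIP    = $msg.FromIP
            Sender    = $msg.SenderAddress
            Recipient = $msg.RecipientAddress
            Subject   = $msg.Subject
        }
    }
}

# Each distinct source IP is either a legitimate device or application that must move to an
# authenticated SMTP relay, or an unauthorized sender whose spoofed mail is now being blocked.
$rejections | Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object Count, @{n='FromIP'; e={ $_.Name }},
                  @{n='Senders'; e={ ($_.Group.Sender | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```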
Please see the following resources from Microsoft for more information about Direct Send:
Carlos Rios