Microsoft 365 Tenants Need Vanity Domains to Send External Email

Severe Limitations to be Applied to Outbound Email from MOERA Domains

On August 20, 2025, Microsoft announced their latest step to limit misuse of Exchange Online by spammers by limiting the ability of mailboxes with primary SMTP addresses based on a MOERA (Microsoft Online Exchange Routing Address) to send email to external recipients. For years, spammers have created Microsoft 365 tenants and promptly used the tenant to send email. New tenants come with a default sub-domain in the onmicrosoft.com domain, like spamforus.onmicrosoft.com (a MOERA domain).

New mailboxes created in the domain receive primary SMTP addresses based on the MOERA domain, like John.Smith@spamforus.onmicrosoft.com. All of this is deliberate and intended to allow new tenants to be able to send email. However, spammers take advantage of Microsoft’s email routing infrastructure to share their content with anyone they can reach. The consequence is that onmicrosoft.com domains have poor reputations, so much so that many tenants block all email from onmicrosoft.com domains to reduce the amount of spam that reaches user mailboxes.

Microsoft has acted elsewhere in Microsoft 365 to limit the communication horizon for trial tenants by blocking federated Teams chat. Receiving an unwanted chat from some unknown external sender is the rough equivalent of receiving email spam. It’s a distraction and interrupts real work, so actions to limit unwanted communications is always welcome.

In this case, Microsoft will introduce a new throttling restriction to limit tenants that use MOERA domains to 100 external recipients per 24-hour rolling window. That’s very restrictive because the limit applies to email sent across an entire organization. Once the threshold is reached, the Exchange transport system refuses to accept more outgoing email and responds to the sender with a non-delivery notification with a 550 5.7.236 code.

Throttling Starts in October 2025

As is normal when Microsoft introduces a new email send threshold for Exchange Online, the new limit will roll out from October 15, 2025, starting with trial tenants and slowly progressing through small and medium tenants until the final step on June 1, 2026, when the limit applies to tenants with more than 10,000 accounts with paid Exchange licenses (“paid seats”).

The solution to avoid throttling is to acquire a regular domain and add it as an accepted domain for Exchange Online in the Microsoft 365 admin center (Figure 1). Sometimes these domains are referred to as “vanity” domains because they become part of an organization’s branding strategy, much like we use the office365itpros.com for email and this site.

I can’t imagine running a Microsoft 365 tenant with more than 10,000 accounts that doesn’t use a regular domain. It’s not as if acquiring a domain is expensive. Many cost less than $50/year from a domain registrar like Godaddy.com or WordPress.com.

Finding MOERA Senders

Microsoft recommends using the message trace facility to find e mail sent using a tenant’s MOERA domain. That’s certainly one way to approach the problem, but it won’t reveal all the problem mailboxes. A better idea is to use the Get-ExoMailbox cmdlet to search for mailboxes whose primary SMTP address uses the MOERA domain. This code shows how to look for user, shared, and group mailboxes that need to have their primary SMTP address updated to a regular domain. The code excludes mailboxes created for accounts in other tenants in a multi-tenant organization.

Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox, GroupMailbox | Where-Object {$_.PrimarySmtpAddress -like "*.onmicrosoft.com*" -and $_.PrimarySMTPAddress -notLike "*#EXT*"} | Sort-Object DisplayName | Format-Table DisplayName, PrimarySmtpAddress, RecipientTypeDetails -AutoSize

DisplayName               PrimarySmtpAddress                         RecipientTypeDetails
-----------               ------------------                          --------------------
"Popeye" Doyle            Popeye.Doyle@o365maestros.onmicrosoft.com   UserMailbox
Adele Vance               AdeleV@o365maestros.onmicrosoft.com         UserMailbox
Alain Charnier            Alain.Charnier@o365maestros.onmicrosoft.com UserMailbox
Break Glass               Break.Glass@o365maestros.onmicrosoft.com    UserMailbox
Buddy Russo               Buddy.Russo@o365maestros.onmicrosoft.com    UserMailbox

Later, the code can be used to find the affected mailboxes before updating their primary SMTP address with a new address belonging to the regular domain. For example, if the new domain is Beachdums.com, the command to update a mailbox is something like this:

Set-Mailbox -Identity Buddy.Russo@o365maestros.onmicrosoft.com -WindowsEmailAddress Buddy.Russo@beachdums.com

To ensure that messages addressed to the previous address can be delivered, Exchange Online keeps the address in the EmailAddresses property of the mailbox.

The Microsoft article contains other points that need to be attended to after switching domains. None of these are difficult tasks, but detail is important.

Good Change

The battle against spam is longstanding and permanent. Microsoft is closing as many holes as possible to make Exchange Online a poor host for spammers to target. Closing off the MOERA hole is a good step forward that shouldn’t cause too much pain for legitimate tenants. That is, if you don’t use MOERA domain addresses for outbound email.

---

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.