Stopping a Flood of Email to Mailboxes
Microsoft began the process of clamping down on high-volume mailboxes earlier this year. The process is still rolling out as Microsoft gradually imposes the limit (which was always documented but not enforced). Mailboxes which receive more than 3,600 messages in an hour are blocked from receiving further messages for an hour and senders receive a non-delivery notification with code 5.2.122. This limit applies to messages received from any source, including people in the same tenant, and is designed to stop Exchange Online mailboxes filling up because of problems with automated mailers, like those used by applications to notify people about the progress of jobs.
Clamping Down on Individual Senders
In message center notification MC272450 posted July 23, Microsoft says that they will introduce a further restriction in September 2021. Like the previous restriction, the reason specified is to block single-sender mail storms and deter DoS attacks. The big difference is that the focus moves from messages coming from all sources to messages coming from a specific external source. To do this, Exchange Online tracks sender-recipient pairs (SRPs). As messages arrive in a mailbox, Exchange Online notes the sender and builds a table of SRPs. If a single sender sends more than 33% of the overall threshold (1,200 of 3,600), Exchange Online stops accepting messages from that sender to the mailbox for an hour. The mailbox continues to receive messages from other senders.
The exception is that the limit does not apply to messages sent from an Exchange Online mailbox in the same tenant. The limit does apply to:
- Messages from Exchange on-premises mailboxes in the same tenant.
- Exchange Online messages from other Office 365 tenants.
- Messages from any other email system.
Blocked senders will receive non-delivery notifications with a 5.2.121 code. The mailbox owner will get a message to tell them that their mailbox has stopped receiving messages from the sender for an hour (the countdown starts once Exchange Online detects the problem). Administrators will be able to see the affected mailboxes in the Mailbox exceeding receiving limits report (aka Hot Recipients) in the Reports (Mail Flow) section of the Exchange admin center (Figure 1).
Microsoft suggests that Exchange administrators ask the mailbox owners why they receive so much email from the blocked sender.
Time to Review Email Generation by Applications
Microsoft says that this change will stop a malicious user blocking email flow to a mailbox. In other words, an attacker can’t try to stop someone receiving legitimate email by generating a flood of email to their mailbox. They also note that only a small percentage of mailboxes hit the SRP limit currently. My feeling is that the origins of most email likely to be blocked by the SRP limit come from applications generating frequent notifications and other updates. The tightening of the overall limit and the introduction of the new SRP limit is a good wake-up call for organizations to review the rate of email generation by applications and remove messages which are not strictly necessary.
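One way to run that review is to replay message trace data against both limits, shown here as an added example that is not Microsoft's code or part of the original article. It assumes trace records reduced to (received, sender, recipient) tuples, a sliding one-hour window (the article does not say how Exchange Online measures the hour), and constructed sample addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAILBOX_LIMIT = 3600  # per mailbox per hour, all sources (figure from the article)
SRP_LIMIT = 1200      # per sender-recipient pair per hour (figure from the article)
WINDOW = timedelta(hours=1)

def peak_hourly(timestamps):
    """Largest number of messages in any sliding one-hour window (assumed window shape)."""
    window, peak = deque(), 0
    for ts in sorted(timestamps):
        window.append(ts)
        while ts - window[0] >= WINDOW:
            window.popleft()
        peak = max(peak, len(window))
    return peak

def review_mail_rates(records, exo_tenant_senders=(), warn_at=0.5):
    """records: (received, sender, recipient) tuples, e.g. from a message trace export.
    exo_tenant_senders: same-tenant Exchange Online mailboxes, exempt from the SRP limit only.
    Returns (kind, subject, peak, limit) findings at or above warn_at of a limit, worst first."""
    exempt = {s.lower() for s in exo_tenant_senders}
    per_mailbox, per_pair = defaultdict(list), defaultdict(list)
    for received, sender, recipient in records:
        sender, recipient = sender.lower(), recipient.lower()
        per_mailbox[recipient].append(received)      # overall limit counts every source
        if sender not in exempt:                     # on-premises senders stay subject to SRP
            per_pair[(sender, recipient)].append(received)
    findings = []
    for recipient, stamps in per_mailbox.items():
        findings.append(("mailbox", recipient, peak_hourly(stamps), MAILBOX_LIMIT))
    for (sender, recipient), stamps in per_pair.items():
        findings.append(("srp", f"{sender} -> {recipient}", peak_hourly(stamps), SRP_LIMIT))
    findings = [f for f in findings if f[2] >= warn_at * f[3]]
    return sorted(findings, key=lambda f: f[2] / f[3], reverse=True)

def sample_records():
    """Constructed traffic: (sender, recipient, message count, seconds between messages)."""
    start = datetime(2021, 9, 1, 9, 0, 0)
    flows = [("jobs@app.example", "ops@contoso.example", 1300, 2),
             ("alerts@contoso.example", "ops@contoso.example", 700, 5),
             ("scanner@contoso.example", "helpdesk@contoso.example", 650, 5)]
    return [(start + timedelta(seconds=i * gap), s, r)
            for s, r, n, gap in flows for i in range(n)]

if __name__ == "__main__":
    for finding in review_mail_rates(sample_records(), {"alerts@contoso.example"}):
        print(finding)
```

In the sample, the same-tenant Exchange Online sender is left out of the per-pair count but still pushes the ops mailbox past half of the overall limit, while the on-premises sender in the same domain is measured against the SRP limit.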