Exchange Online Moves to Tighten Platform Security

SMTP AUTH Client Connections Deprecated in 2025 Together with Introduction of a New External Recipient Rate Limit

Exchange Online deprecates SMTP AUTH.

The Exchange development team has clearly been busy lately. On April 15, 2024, they announced two major changes:

Microsoft says that both announcements are part of the work to protect Exchange Online.

SMTP AUTH and Basic Authentication

The announcement about the demise of SMTP AUTH is not unexpected. For the past several years, Microsoft has steadily removed basic authentication (sending plain text credentials over a network connection) for email connectivity protocols. SMTP AUTH was left untouched by the previous initiative because this protocol is used by apps and devices to submit email for processing by Exchange Online (hence the client submission moniker). For instance, multifunction devices like printer/scanners can submit messages to inform users when their jobs are complete. Apps often submit email to transmit the results of processing to users. This includes the use of the PowerShell Send-MailMessage cmdlet.

The route forward is for developers to replace basic authentication with OAuth. It’s a perfectly acceptable resolution if developers are available to fix the problem. I suspect that organizations will discover that many apps and devices are unable to transmit messages when Microsoft imposes the block to close off basic authentication for SMTP connections in September 2025. And in some cases, it might not be possible to get an update to allow multifunction devices to continue to send email.

To help, Microsoft says that they will update the SMTP AUTH Clients Submission Report in the Exchange admin center to indicate the protocol used to submit messages. They plan to follow up with message center notifications to tenants that continue to use SMTP AUTH in January 2025 to say that they must make changes. In August 2025, a final countdown notice will be issued to tell tenants still using SMTP AUTH that the block is about to descend.

The plan seems good, but human nature has the potential to get in the way. It’s well known that many tenant administrators are not as diligent (or curious) as they should be in reading message center notifications and reacting where action is necessary. The previous project to remove basic authentication from email connection protocols ran into this problem and it’s possible that Microsoft will need to delay the final deprecation. Nevertheless, the die is cast and people should realize that SMTP AUTH is on the way out, and soon.

The HVE Alternative

Microsoft positions the new High Volume Email (HVE) feature as an alternative for customers who cannot move to OAuth authenticated SMTP connections. Announced in preview on April 1, 2024, HVE will allow apps and devices to connect to a different SMTP endpoint with basic authentication and send messages. Azure Communication Services is another alternative.

The downside of both suggestions is that using these services will cost where sending email using SMTP AUTH is free. Microsoft will point to the need to secure and protect Exchange Online and their long-held position that Exchange Online is not intended for bulk email as justification for diverting customers to HVE and Azure Communication Services. It’s a defensible position in some respects, but at the end of the day, it depends on how much the transition and ongoing operations cost.

Clamping Down on External Email

Speaking of HVE, it’s also associated with the introduction of an external recipient rate (ERR) limit. Today, the Exchange Online recipient rate limit controls the number of individual recipients that messages sent from a mailbox can address. The current rate is 10,000 recipients daily. When computing the number of recipients in a day, a distribution list or Microsoft 365 group counts as a single recipient.

The recipient rate limit has been in place for years. What’s different is the amount of email generated by spammers who sign up for Microsoft 365 tenants and use low-cost licenses to create and send email. The spammers can transfer licenses from mailbox to mailbox to send more email or send from shared mailboxes, which don’t need licenses unless they have an archive or need a 100 GB quota.

Spam doesn’t stay inside a tenant. It goes to external recipients. Today, the recipient rate limit allows a single mailbox to send to 10,000 individual recipients (or a lot more if distribution lists are used). Imposing the ERR at 2,000 messages (for new tenants from 1 January 2025 followed by existing tenants from July 2025) is a way to make Exchange Online less attractive to spammers. Microsoft’s announcement doesn’t cover whether this rate applies to email sent across a connector to Exchange on-premises servers in a hybrid environment. Other scenarios remain to be parsed out over the coming months.
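One way to measure, from message trace data, which mailboxes would come close to the external recipient rate limit described above. This is an added example, not code from the original article or from Microsoft; the helper name, the rolling 24-hour window, and counting each trace row as one external recipient are assumptions, and the sample rows are constructed.

```powershell
# Added example, not Microsoft's enforcement logic. Get-ExternalRecipientUsage
# is a hypothetical helper name.
function Get-ExternalRecipientUsage {
    param(
        [Parameter(Mandatory)] [object[]] $Trace,          # rows with SenderAddress, RecipientAddress, Received
        [Parameter(Mandatory)] [string[]] $AcceptedDomain, # the tenant's own domains
        [int] $Limit = 2000,                               # ERR figure quoted in the article
        [int] $WindowHours = 24                            # assumption: rolling window
    )
    $internal = [System.Collections.Generic.HashSet[string]]::new(
        [string[]] $AcceptedDomain, [System.StringComparer]::OrdinalIgnoreCase)

    # Keep only rows addressed outside the accepted domains.
    $external = @($Trace | Where-Object {
        -not $internal.Contains(($_.RecipientAddress -split '@')[-1])
    })

    foreach ($group in ($external | Group-Object SenderAddress)) {
        $rows = @($group.Group | Sort-Object Received)
        $peak = 0
        $start = 0
        for ($end = 0; $end -lt $rows.Count; $end++) {
            # Advance the window start until the span is shorter than WindowHours.
            while (($rows[$end].Received - $rows[$start].Received).TotalHours -ge $WindowHours) {
                $start++
            }
            $peak = [Math]::Max($peak, $end - $start + 1)
        }
        [pscustomobject]@{
            Sender         = $group.Name
            PeakExternal   = $peak
            PercentOfLimit = [Math]::Round(100 * $peak / $Limit, 1)
            OverLimit      = $peak -gt $Limit
        }
    }
}

# Constructed sample rows (not real trace output).
$t0 = [datetime] '2025-01-06T08:00:00'
$sample = @(
    [pscustomobject]@{ SenderAddress = 'scanner@contoso.example'; RecipientAddress = 'a@fabrikam.example'; Received = $t0 }
    [pscustomobject]@{ SenderAddress = 'scanner@contoso.example'; RecipientAddress = 'b@fabrikam.example'; Received = $t0.AddHours(2) }
    [pscustomobject]@{ SenderAddress = 'scanner@contoso.example'; RecipientAddress = 'c@contoso.example'; Received = $t0.AddHours(3) }
    [pscustomobject]@{ SenderAddress = 'scanner@contoso.example'; RecipientAddress = 'd@fabrikam.example'; Received = $t0.AddHours(30) }
)
# Limit lowered to 1 so the four-row sample crosses it.
Get-ExternalRecipientUsage -Trace $sample -AcceptedDomain 'contoso.example' -Limit 1
```

In a connected Exchange Online PowerShell session, the output of Get-MessageTrace and the DomainName values from Get-AcceptedDomain can be supplied in place of the sample.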

However, I think the ERR is a short-term sticking plaster. I cannot believe that the world’s largest software company cannot implement a spam check in the transport pipeline to detect and block outbound spam – or at least, severely throttle outbound email that seems to be spam. You’d hope that a Copilot for Spam could detect and suppress spamming but given the ongoing problems Exchange Online Protection has in detecting some obvious malware that reaches user inboxes, perhaps this is hoping for too much.

An Ongoing Battle

What’s for sure is that Microsoft continues to apply a squeeze on behaviors considered to conflict with the terms of service for Exchange Online or the real need to keep email secure for the over 400 million paid Office 365 seats. I don’t think we can quibble too much with initiatives to make email work better, even if some doubts exist about quite how the steps Microsoft is taking now.

