Microsoft puts the squeeze on onmicrosoft.com freeloaders

Microsoft has issued a warning to companies using the onmicrosoft.com domain for emails: get your domain sorted out or face throttling.

Some opt to stick with the onmicrosoft.com domain, and these impending changes could have a severe impact ...

As of October 15, Microsoft has announced that it will begin throttling emails. The limit will be set to 100 external recipients per organization per 24-hour rolling window. From December 1, Microsoft will start rolling out the restrictions across tenants, starting with tenants with fewer than three seats and eventually reaching tenants with more than 10,001 seats by June 2026.

The problem the Windows maker is trying to deal with is spammers exploiting a newly created tenant and sending out bursts of spam email before the company can intervene. This activity means that the onmicrosoft.com domain can be flagged as suspect or, as Microsoft puts it, "degrades this shared domain's reputation."

The domain onmicrosoft.com (and others like it, such as onmicrosoft.de) is automatically provided when an organization creates a new Microsoft 365 tenant. The plan is that administrators can quickly test out connectivity and create users in the new tenant, for example theregister.onmicrosoft.com.

The expectation is that an organization will then add its own domain going forward. However, some opt to stick with the onmicrosoft.com domain, and these impending changes could have a severe impact. Up until now, there were no limits on these Microsoft Online Email Routing Address (MOERA) domains for delivery.

• Microsoft reportedly cuts China's early access to bug disclosures, PoC exploit code
• Microsoft continues Control Panel farewell tour
• Not again! Microsoft blames config tweak for 365 outage in parts of North America
• Microsoft makes MCP in Visual Studio GA but researchers warn of risks

Organizations using a MOERA domain have therefore been given notice that a migration is needed. A custom domain needs to be acquired, non-test emails must only use this custom domain, and, if the tenant's default domain is set to a MOERA domain, it must be changed to the custom domain.

Mailboxes will also need to have their primary SMTP addresses changed to use the custom domain alias. This could cause headaches where changing the primary SMTP address has an impact on the username, necessitating credential updates across devices and applications.

While Microsoft's stated goal is laudable, the change could ramp up the workload of affected administrators. A number of its products are reaching the end of their support cycles, including many versions of Windows 10, at the same time as the throttling is set to begin. If an organization is still using a MOERA domain, a migration will need to be factored into planning to avoid hitting the limits. ®