Cutting Off Spammer Opportunities in Domains

The fight against spam is an ongoing and constant battle that’s not going to finish anytime soon. Spammers constantly search for new techniques to defeat the barriers erected by Microsoft and tenants. A recent development is the amount of spam generated from Microsoft 365 tenants set up by spammers as a platform to send their rubbish to unwilling recipients.

The way things work is that spammers sign up for a new tenant, either a developer tenant (which comes with free licenses), or a normal tenant, and promptly start to send emails. A normal Microsoft 365 tenant is usually the better option for spammers because Microsoft imposes a lower threshold for the volume of outbound messages for developer tenants.

Microsoft recently moved to stop the abuse of developer tenants by insisting that those who sign up for a developer tenant must have a valid Visual Studio subscription. “Valid” means that the person who signs up for the tenant must provide a credit card. It’s not clear if this step is to dissuade spammers as it’s always possible to use a stolen or otherwise compromised credit card for the short period that spammers need to send as many messages as possible before they are detected and stopped.

Fallback Domains

In any case, tenants report that they see a large volume of messages coming from domains. Interestingly, a recent update (in preview) allows tenants to have up to five domains. The original service domain added when creating the tenant counts as one and is the fallback domain, or the default routing domain for the tenant.

To add a new domain, go to the Domains section under Settings in the Microsoft 365 admin center. Select the current fallback domain and then the option to add a new domain (Figure 1).

Add a new domain to a Microsoft 365 tenant
Figure 1: Add a new domain to a Microsoft 365 tenant

Enter the name of the domain you want. Microsoft 365 checks if the domain is available (not already assigned to another tenant) and if so, adds it to the set owned by the tenant (Figure 2) and sends an email confirmation to all global administrators. Once the tenant has five domains, it is blocked from adding more. Currently, there isn’t a way to remove an domain.

Specifying the name for a new domain.
Figure 2: Specifying the name for a new domain

All the domains owned by a tenant can be used for SMTP proxy addresses for mail-enabled objects. For instance, is a routable address that Exchange can use to deliver email to the mailbox that is assigned the address.

Obviously, some customer demand exists to justify support for multiple domains for tenants. Perhaps it’s to support the needs of organizations with multiple operating units. In any case, you can make any of the domains the fallback domain for the tenant by selecting the domain and choosing the Make fallback domain option.

Switching fallback domains has no effect on the SMTP addresses for existing mail-enabled objects. However, the new fallback domain becomes the source for MOERA (Microsoft Online Exchange Routing Address), which means that new mailboxes and Microsoft 365 groups receive a proxy address for the fallback domain. For instance, if you create a Microsoft 365 group called “Insurance Assessors,” the group will have an address like in its set of proxy addresses.

Being able to create up to five domains per tenant might give spammers more flexibility in how they send email. Who knows if this is a contributing factor in the perception that more spam circulates from addresses?

Suppressing Email

Some valid messages come from addresses. For instance, system-generated notifications sent to external addresses come from the Postmaster. By default, the postmaster address defined in the transport configuration is blank and Exchange Online uses an address from the fallback domain. You can update the configuration for a tenant to set any address you like. The address doesn’t have to belong to a mailbox.

Set-TransportConfig -ExternalPostmasterAddress

Apart from traffic such as system notifications, few “regular” messages that users would want to receive come from addresses. At least, that’s the assertion made by many commentators. I think there’s value in the idea as I cannot think of anyone who sends me email using their fallback address.

If you consider the theory accurate, then it’s reasonable to say that your tenant should not allow any traffic from addresses to flow through into user inboxes. The easiest way to apply such a restriction is to create a mail flow (transport rule) to either block messages or divert them into the quarantine. I’ve been using such a rule for about a month and haven’t noticed any issues.

Mail flow rule to redirect messages from domains to the quarantine.
Figure 3: Mail flow rule to redirect messages from domains to the quarantine

The rule I use (Figure 3) is simple:

  • Look for messages where the from address is from an domain.
  • Redirect the messages to the quarantine unless they come from two specified domains (that I use for testing).

Redirecting traffic to the quarantine allows the review of blocked messages to ensure that legitimate traffic isn’t held up. If quarantine policies allow, users can release quarantined messages. MC711335 (30 January 2024) says that an update to quarantine policies will allow users to mark emails from trusted senders so that Exchange Online Protection will no longer block them. This change should help organizations who want to move away from the Outlook junk email filter to tenant-wide spam control. Microsoft expects to complete deployment of the update worldwide by mid-March 2024.

An Array of Mail Flow Rules

I already use mail flow rules to suppress email from top-level domains popular with spammers and automate the process to add new domains to the blocked list with PowerShell. I also have mail flow rules to block administrator accounts from receiving email to lessen the chance that a phishing attempt might arrive in the mailboxes of highly-permissioned accounts. Blocking traffic from domains is just another tweak to my tenant’s email defense.

Adapting Defenses to Accommodate Change

Change happens all the time. Spammers change their techniques. Microsoft updates its software to resist spam and to introduce new facilities for tenants to use. The point is that tenant defenses against spam need to accommodate change too. Stay aware of what’s happening in the real world, what Microsoft is doing, and how others are adapting to new conditions, and then make your mind up about what to do, like adding a new mail flow rule.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to, Tony also writes at to support the development of the eBook. He has been a Microsoft MVP since 2004.


  1. John

    Armands, I had to make things a bit more complicated over the last few weeks, as there are some other exceptions and Microsoft’s “Bookings” feature manifests itself in different ways. My current Rule is:

    Apply this rule if:
    Includes these words in the sender’s address: ‘’
    and Is received from ‘Outside the organization’

    Except if:
    ‘Content-ID’ header contains ”bookings_reminder’ or ‘bookings_teams”
    or Includes these words in the sender’s address: ‘postmaster’ or ‘’
    or sender’s address domain portion belongs to any of these domains: ‘’
    or Includes these words in the message subject or body: ‘’ or ‘Microsoft Bookings’
    or ‘Content-Type’ header matches the following patterns: ‘text/plain; name=booking.ics’ or ‘method=CANCEL’ or ‘method=REQUEST’

  2. Chris

    I tried creating this rule, but it isn’t clear to me what options you selected to create the “apply if” and “except if”. I tried the message properties and message header properties, but the options didn’t seem to reflect what you set. Can you offer a pointer? Thanks.

    1. Avatar photo
      Tony Redmond

      Apply if the address in the message matches the pattern unless it comes from your own domain or any other domains known as good senders.

  3. John

    I started quarantining emails and it’s catching a ton of spam, thanks! But based on the last few weeks of data, I’ve also seen legit emails from the MS Bookings feature getting snagged, since Bookings seems to send messages by default from the sending tenant’s domain. So I added another Rule Exception that allows a “Content-ID” header of “”, which seems to be a common feature of those messages.

    1. John

      Whoops, looks like the Commenting engine filtered out the header value in my previous comment. The value is “bookings_reminder” surrounded by pointy-brackets.

      1. Armands

        Hello, John! It`s not working for me, can you please explain bit more? Only Header with anything related to Bookings is ” X-MS-TrafficTypeDiagnostic” containing example value of: “…6105:EE_BookingsEmail|DB1P…”. Creating rule with exception, based on this header is not working for me.

Leave a Reply