After May 1, 2025, Exchange Online Meters Outbound Email to External Recipients
Microsoft’s announcement that they will introduce a tenant-wide external recipient rate limit (TERRL) is a follow-up for the plan to implement an external recipient rate (ERR) limit for individual mailboxes in October 2025. Both TERRL and ERR are there for a simple reason: to stop people abusing Exchange Online by sending excessive amounts of external email. Stopping abuse by users is the same reason that forced Teams to block external chat for trial tenants.
In this case, Microsoft wants to stop people spinning up a Exchange Online tenant and using it to send spam or other forms of unwanted email. The basic rule going forward is that you can send as much email as you like within your own tenant (as defined by the set of accepted domains for the tenant), but once you start sending to external recipients, including other Microsoft 365 tenants, the meter is ticking. Exchange Online will stop you sending further external email if the tenant exceeds its TERRL threshold and send back a non-delivery notification to say why.
An exception exists if your tenant is part of a multi-tenant organization (MTO). In this scenario, email sent between the tenants in the MTO doesn’t count against TERRL.
Imposing Thresholds on External Traffic
Trial tenants have a TERRL threshold of 5,000 measured over a 24-hour sliding window. The more paid Exchange Online licenses or Exchange Online Protection you buy, the larger the threshold as calculated by the formula:
500 * (Purchased Email Licenses^0.7) + 9500
In most cases, tenants pay for Exchange Online through the service plans included in a license like Office 365 E3 or Microsoft 365 E5.
For instance, Microsoft’s post says that a tenant with 100,000 Exchange licenses has a threshold of 1,560,639. In other words, if the limit is spread equally across all mailboxes in a tenant, each mailbox can send messages to between 15 and 16 external recipients during a 24-hour period. That might not seem a lot, especially when the full membership of distribution lists counts against the TERRL (for instance, if you send a message to a distribution list whose membership includes 65 internal members and 12 external recipients), the 12 external recipients count against TERRL. On the other hand, not every mailbox will send email to external recipients at the same time over the 24-hour sliding window, so TERRL shouldn’t impact mail flow. At least, that’s the theory.
Just in case, Microsoft is starting by imposing TERRL on small tenants (25 or fewer licenses) starting on March 3, 2025, moving next to tenants with 200 or fewer seats. Tenants with 500 or fewer licenses will come under the control of TERRL by March 17, 2025, and Microsoft will then have two weeks to make the final tweaks to thresholds before all tenants are covered starting March 31, 2025.
Update: On March 3, Microsoft announced a one month delay in the implementation of TERRL. They will now begin the enforcement schedule on April 3, 2025 to complete for all tenants by May 1, 2025.
Within a hybrid environment, email sent from Exchange Online to Exchange on-premises doesn’t count for TERRL if the domains used for the on-premises mailboxes have addresses belonging to accepted domains.
Don’t Use Exchange Online for Large Volumes of External Email
Microsoft simply doesn’t want users to send large volumes of email from standard mailboxes. If you need to send out external communications like marketing messages, Microsoft would prefer you to use a service like Azure Email Communications Service (ECS), a PAYG solution that’s part of Azure Communications Services. Lower levels of external email can be handled by Exchange Online High-Volume Email (HVE), but that solution is more focused on internal communication. HVE can send to up to 2,000 external recipients daily, and these messages don’t count against the TERRL. Messages sent from ECS don’t count either because these messages come from a different instance of Exchange Online.
And if ECS or HVE can’t help, there are many third-party email solutions available to handle external traffic.
Check and Check Again
There’s no doubt that the potential exists for some tenants to blow their TERRL thresholds. For instance, Microsoft notes that they double-count messages that are routed via a third-party email signature service and routed back (after a signature is applied) for final dispatch. Microsoft says that they don’t think this will be a problem because their telemetry shows that “only a relatively small number of tenants are currently exceeding their quota.” The double counting is intended to reduce the risk that bad actors spoof on-premises servers to send spam. Microsoft is investigating alternative solutions to avoid double-counting messages, something that will come as a relief to popular services like Code Two and Exclaimer.
New EAC Reports
Microsoft says that the Tenant Outbound External Recipients report in the Reports/Mail Flow section of the Exchange admin center will help tenants understand if TERRL affects the transmission of messages to external recipients with data for the tenant TERRL threshold, how close external mail traffic got to TERRL, and the number of external recipients that were blocked and didn’t receive email because the tenant exceeded TERRL. The new report is scheduled for deployment on a worldwide basis from February 25, 2025, and it could take a little time for the new report to appear everywhere.
Tenants can also run the Get-LimitsEnforcementStatus cmdlet from the Exchange Online management module (V3.7 or later) to see the current threshold for the tenant and the number of messages observed in the latest 24-hour window. As you can see, my tenant is well below the threshold at which TERRL will kick in.
Get-LimitsEnforcementStatus EnforcementEnabled : False Verdict : None Threshold : 10000 ObservedValue : 148
Poor Communications for TERRL Announcement
Even if you support the idea of restricting the ability of bad actors to use Exchange Online as a spam platform, it is poor practice to launch a major change with an announcement in the EHLO blog a week before the change begins to roll out. I can find no reference to a tenant external recipient rate limit in the Microsoft 365 roadmap, and there’s no mention of the change in a notification in the Microsoft 365 admin center. TERRL will likely come as a big surprise to tenant administrators.
Surprises can be happy. It’s entirely possible that the introduction of TERRL will pass tenants by without any impact. If user email isn’t blocked and administrators aren’t asked about non-delivery notifications that mention tenant restrictions, no one might know that TERRL is in place. Certainly, it seems like Microsoft is betting that its fabled telemetry is accurate and TERRL won’t affect the operations of “normal” tenants. Only bad actors will encounter the blocks, and the world will be a better place.
TERRL’s Coming. Be Prepared
It remains to be seen how many tenants will be affected by TERRL. I hope that Microsoft support can help these tenants if they have legitimate reasons why TERRL was breached. It would be a pity if a tenant was blocked sending external email for several hours just because one user did something silly, like send messages to a large distribution list of external recipients. I guess we’ll discover the subtilities and blind spots of TERRL over the next while. Be prepared to monitor the new report to detect any unjustified generation of large quantities of external email and consider moving these operations to a more dedicated solution, like ECS.
Why don’t they just prevent trial tenants from sending external mail indefinitely? The amount of spam our org gets from these *.onmicrosoft.com tenants is too high. We’ve made use of regular expressions on our MTAs to look at certain headers to weed out those spam messages, which has helped.
Because some of the onmicrosoft.com tenants are used for valid testing…
I have a transport rule that quarantines all email from onmicrosoft.com domains… I don’t see much spam.
Hi Tony, any chance you know if journaled email to an external journaling provider counts (or not) within an organizations TERRL limit?
I believe that any mail sent to an external recipient counts. But I will ask.
From Microsoft:
Not if set up via EXO journaling rules as shown here Manage journaling in Exchange Online | Microsoft Learn
Also noted in the FAQ on the blog post Introducing Exchange Online Tenant Outbound Email Limits | Microsoft Community Hub
Will journaling or Out of Office messages count against this quota?
No. Several types of messages sent to external recipients from your tenant won’t get counted against your tenant’s TERRL quota, including the following:
• Journaling messages
• Automatic Replies (including Out of Office)
• DSNs (NDRs, Delivery Receipts, Read Receipts)
• Messages sent using Azure Communication Services email and Exchange Online High-volume Email offerings
• Email notifications from Microsoft cloud applications e.g. SharePoint, Teams, Yammer
There has been a development, or some of the big costumers of MS have complained 😉 never the less:
“UPDATE 2/28/2025: The upcoming change is delayed and will take effect slightly later than expected. We’ll share more details as soon as we have a confirmed timeline.”
So let us all sit at the edge of our seats and wait for more detail’s
There’s been some problems rolling out the TERRL report. That’s the main reason why things are delayed, or so I have heard.
Microsoft has delayed the implementation by a month. TERRL will now be deployed worldwide by May 1, 2025.
Thank you Tony for this update – it’s useful to see the output for Get-LimitsEnforcementStatus; so far it looks like we are well below the threshold for our tenant.
Hopefully MS will make the more detailed report available soon…
A litle more elaboration on the following:
“Within a hybrid environment, email sent from Exchange Online to Exchange on-premises doesn’t count for TERRL if the domains used for the on-premises mailboxes have addresses belonging to accepted domains”
So if we currently have a setup where we have busisness solution that just connects to Onprem Exchange to send mails but does not have Onprem Mailbox, and it is using a Accepted Domain, will that count?
Next if we create or move a Mailbox back to Onprem Exchange and the sender add is this mailbox, could that be a possible solution?
The transport system evaluates messages as they pass through its pipeline to determine whether they count against TERRL. If the destination domain for a message is not an accepted domain registered for the Microsoft 365 tenant, it counts against TERRL no matter where the message originates from. Once it passes through the transport pipeline, a message can be counted.
is Get-LimitsEnforcementStatus available to everyone, I have updated to 3.7 and am receiving the error:
Get-LimitsEnforcementStatus : The term ‘Get-LimitsEnforcementStatus’ is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
It’s entirely possible that something might not have been provisioned to your tenant yet to allow the cmdlet to run. It is available in my tenant, which is configured for targeted release so updates turn up faster.