After March 31, 2025, Exchange Online Meters Outbound Email to External Recipients
Microsoft’s announcement that they will introduce a tenant-wide external recipient rate limit (TERRL) is a follow-up to the plan to implement an external recipient rate (ERR) limit for individual mailboxes in October 2025. Both TERRL and ERR are there for a simple reason: to stop people abusing Exchange Online by sending excessive amounts of external email. Stopping abuse by users is the same reason that forced Teams to block external chat for trial tenants.
In this case, Microsoft wants to stop people spinning up an Exchange Online tenant and using it to send spam or other forms of unwanted email. The basic rule going forward is that you can send as much email as you like within your own tenant (as defined by the set of accepted domains for the tenant), but once you start sending to external recipients, including other Microsoft 365 tenants, the meter is ticking. If the tenant exceeds its TERRL threshold, Exchange Online will stop you sending further external email and send back a non-delivery notification to say why.
An exception exists if your tenant is part of a multi-tenant organization (MTO). In this scenario, email sent between the tenants in the MTO doesn’t count against TERRL.
Imposing Thresholds on External Traffic
Trial tenants have a TERRL threshold of 5,000 measured over a 24-hour sliding window. The more paid Exchange Online licenses or Exchange Online Protection you buy, the larger the threshold as calculated by the formula:
500 * (Purchased Email Licenses^0.7) + 9500
In most cases, tenants pay for Exchange Online through the service plans included in a license like Office 365 E3 or Microsoft 365 E5.
For instance, Microsoft’s post says that a tenant with 100,000 Exchange licenses has a threshold of 1,560,639. In other words, if the limit is spread equally across all mailboxes in a tenant, each mailbox can send messages to between 15 and 16 external recipients during a 24-hour period. That might not seem a lot, especially when the full membership of distribution lists counts against the TERRL (for instance, if you send a message to a distribution list whose membership includes 65 internal members and 12 external recipients, the 12 external recipients count against TERRL). On the other hand, not every mailbox will send email to external recipients at the same time over the 24-hour sliding window, so TERRL shouldn’t impact mail flow. At least, that’s the theory.
Just in case, Microsoft is beginning by imposing TERRL on small tenants (25 or fewer licenses) on March 3, 2025, moving next to tenants with 200 or fewer seats. Tenants with 500 or fewer licenses will come under the control of TERRL by March 17, 2025, and Microsoft will then have two weeks to make the final tweaks to thresholds before all tenants are covered starting March 31, 2025.
Within a hybrid environment, email sent from Exchange Online to Exchange on-premises doesn’t count for TERRL if the on-premises mailboxes have addresses belonging to accepted domains.
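To make the counting rules above concrete, here is an added example (not Microsoft's code and not part of the original article) that applies the threshold formula and finds the busiest 24-hour sliding window of external recipients in a set of message records. The row shape (one row per recipient with Received and RecipientAddress), the contoso.example accepted domain, the license count and the rounding of the formula result are all assumptions made for illustration.

```powershell
# Added example (not Microsoft's code). Rows, domains and license count are constructed.
function Get-TerrlThreshold {
    param([Parameter(Mandatory)][int]$PurchasedEmailLicenses)
    # Formula quoted in the article: 500 * (Purchased Email Licenses ^ 0.7) + 9500
    # Rounding to a whole recipient is an assumption of this example.
    [long][math]::Round(500 * [math]::Pow($PurchasedEmailLicenses, 0.7) + 9500)
}

function Get-PeakExternalRecipients {
    param(
        [Parameter(Mandatory)][object[]]$Rows,            # one row per recipient (assumed shape)
        [Parameter(Mandatory)][string[]]$AcceptedDomains,
        [int]$WindowHours = 24
    )
    # Recipients in an accepted domain are internal and do not count (-notcontains ignores case).
    $external = @($Rows | Where-Object {
        $AcceptedDomains -notcontains ($_.RecipientAddress -split '@')[-1]
    } | Sort-Object -Property Received)
    $peak = 0; $start = 0
    for ($end = 0; $end -lt $external.Count; $end++) {
        # Advance the left edge until the window spans less than $WindowHours.
        while (($external[$end].Received - $external[$start].Received).TotalHours -ge $WindowHours) { $start++ }
        $peak = [math]::Max($peak, $end - $start + 1)
    }
    $peak
}

# Constructed sample: two internal and five external recipient rows spread over 26 hours.
$t0 = [datetime]'2025-03-03T08:00:00'
$rows = @(
    [pscustomobject]@{ Received = $t0;               RecipientAddress = 'ann@contoso.example' }
    [pscustomobject]@{ Received = $t0;               RecipientAddress = 'bob@fabrikam.example' }
    [pscustomobject]@{ Received = $t0.AddHours(1);   RecipientAddress = 'carol@fabrikam.example' }
    [pscustomobject]@{ Received = $t0.AddHours(2);   RecipientAddress = 'dave@CONTOSO.example' }
    [pscustomobject]@{ Received = $t0.AddHours(20);  RecipientAddress = 'erin@tailspin.example' }
    [pscustomobject]@{ Received = $t0.AddHours(25);  RecipientAddress = 'frank@tailspin.example' }
    [pscustomobject]@{ Received = $t0.AddHours(26);  RecipientAddress = 'grace@fabrikam.example' }
)
$threshold = Get-TerrlThreshold -PurchasedEmailLicenses 25
$observedPeak = Get-PeakExternalRecipients -Rows $rows -AcceptedDomains 'contoso.example'
[pscustomobject]@{
    Threshold              = $threshold
    PeakExternalRecipients = $observedPeak
    PercentOfThreshold     = [math]::Round(100 * $observedPeak / $threshold, 2)
}
```

This is an estimate only: it does not model the multi-tenant organization exception or the double counting of messages routed through signature services, so the figures Exchange Online reports for the tenant remain the ones that matter.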
Don’t Use Exchange Online for Large Volumes of External Email
Microsoft simply doesn’t want users to send large volumes of email from standard mailboxes. If you need to send out external communications like marketing messages, Microsoft would prefer you to use a service like Azure Email Communications Service (ECS), a PAYG solution that’s part of Azure Communications Services. Lower levels of external email can be handled by Exchange Online High-Volume Email (HVE), but that solution is more focused on internal communication. HVE can send to up to 2,000 external recipients daily, and these messages don’t count against the TERRL. Messages sent from ECS don’t count either because these messages come from a different instance of Exchange Online.
And if ECS or HVE can’t help, there are many third-party email solutions available to handle external traffic.
Check and Check Again
There’s no doubt that the potential exists for some tenants to blow their TERRL thresholds. For instance, Microsoft notes that they double-count messages that are routed via a third-party email signature service and routed back (after a signature is applied) for final dispatch. Microsoft says that they don’t think this will be a problem because their telemetry shows that “only a relatively small number of tenants are currently exceeding their quota.” The double counting is intended to reduce the risk that bad actors spoof on-premises servers to send spam. Microsoft is investigating alternative solutions to avoid double-counting messages, something that will come as a relief to popular services like CodeTwo and Exclaimer.
New EAC Reports
Microsoft says that the Tenant Outbound External Recipients report in the Reports/Mail Flow section of the Exchange admin center will help tenants understand if TERRL affects the transmission of messages to external recipients. The report includes data for the tenant TERRL threshold, how close external mail traffic got to TERRL, and the number of external recipients that were blocked and didn’t receive email because the tenant exceeded TERRL. The new report is scheduled for deployment on a worldwide basis from February 25, 2025, and it could take a little time for the new report to appear everywhere.
Tenants can also run the Get-LimitsEnforcementStatus cmdlet from the Exchange Online management module (V3.7 or later) to see the current threshold for the tenant and the number of messages observed in the latest 24-hour window. As you can see, my tenant is well below the threshold at which TERRL will kick in.
Get-LimitsEnforcementStatus

EnforcementEnabled : False
Verdict            : None
Threshold          : 10000
ObservedValue      : 148
Poor Communications for TERRL Announcement
Even if you support the idea of restricting the ability of bad actors to use Exchange Online as a spam platform, it is poor practice to launch a major change with an announcement in the EHLO blog a week before the change begins to roll out. I can find no reference to a tenant external recipient rate limit in the Microsoft 365 roadmap, and there’s no mention of the change in a notification in the Microsoft 365 admin center. TERRL will likely come as a big surprise to tenant administrators.
Surprises can be happy. It’s entirely possible that the introduction of TERRL will pass tenants by without any impact. If user email isn’t blocked and administrators aren’t asked about non-delivery notifications that mention tenant restrictions, no one might know that TERRL is in place. Certainly, it seems like Microsoft is betting that its fabled telemetry is accurate and TERRL won’t affect the operations of “normal” tenants. Only bad actors will encounter the blocks, and the world will be a better place.
TERRL’s Coming. Be Prepared
It remains to be seen how many tenants will be affected by TERRL. I hope that Microsoft support can help these tenants if they have legitimate reasons why TERRL was breached. It would be a pity if a tenant was blocked from sending external email for several hours just because one user did something silly, like send messages to a large distribution list of external recipients. I guess we’ll discover the subtleties and blind spots of TERRL over the next while. Be prepared to monitor the new report to detect any unjustified generation of large quantities of external email and consider moving these operations to a more dedicated solution, like ECS.
(Purchased Email Licenses^0.7): isn’t this to the power of 0.7, not multiplied by 0.7?
Yep. Formatting error. Fixed.
Your formula has a typo that makes the limit seem much lower than the formula in the official Microsoft information.
Fixed. Typing too fast…