I'm looking for advice on how to handle outbound email limits in Exchange after a recent incident. We had a situation where someone used an Exchange-connected service to send a high volume of emails, which led us to hit the 24-hour outbound email limit. This was frustrating because we already have a bulk sending service that could have handled it. It all started about 18 hours ago, so we only faced a 4-hour downtime before we could resume sending emails. We're implementing a bulk sending policy to prevent this from happening again, but I worry that individuals could still do something similar in the future. I'm particularly interested in automating a system that would disable email sending for the entire tenant if we approach a certain threshold. The idea is to proactively stop all sending to avoid hitting the full limit, allowing us to review the situation and take corrective action before re-enabling email. Given that the recent incident involved around 30k messages across nearly 100 accounts, monitoring at the account level would be too disruptive. I'd rather have a temporary company-wide outage than a full day of no email.
4 Answers
Seriously, how did one user access that many email accounts? That's a huge security concern.
Have you thought about using a third-party spam filter? Many of them offer rate-limiting policies that could help manage your outbound rates effectively.
I'm pushing for this too but need to check how those filters work. There's a chance they might not count toward the Tenant External Recipient Rate Limit since they're set up outside of Exchange.
Have you considered using Defender for Office 365? Implementing an outbound spam policy can really help you manage limits by restricting the amount any single user can send. This way, if someone exceeds that number, they get blocked from sending until the next day, rather than putting the whole tenant at risk.
That approach has worked wonders for us! It doesn't just warn users; it effectively stops the emails from sending. Plus, an admin can always override it if absolutely necessary.
The downside is if you're spreading limits too thin, like setting it at 250 recipients per day, it could cause issues for daily operations. We're also looking to set some per-user limits, but they need to be balanced to avoid future incidents.
You're facing a complex issue. Remember that the outbound limits operate on a sliding 24-hour window. To be honest, this sounds less like a technical problem and more of a human resources one. Why were they sending that many emails?
I get that perspective. It's true that even if the problem was identified, we still had to deal with the limit. Immediate action won't reverse a 24-hour lockout.
It's vital to think ahead. A soft limit might prevent disruptions in the future, as I’d prefer a brief email halt for an hour over a full day of downtime.
It was through automation from a third-party platform with an Exchange connector. They decided to send out a mass email, ignoring the bulk sending service we have.