Microsoft has backed away from planned changes to Exchange Online after customers objected to limits designed to curb outbound email abuse.

In its cancellation announcement, Microsoft said: "Customers have shared that this limit creates significant operational challenges, especially given the limited capabilities of bulk sending offerings available today.

"Your feedback matters, and we're committed to solutions that balance security and usability without causing unnecessary disruption."

The plan, announced in 2024, would impose daily restrictions to Exchange Online. New tenants' cloud-hosted mailboxes would face an external recipient rate (ERR) limit of 2,000 recipients per 24 hours, applied per user/mailbox to "help reduce unfair usage and abuse of Exchange Online resources."

The restrictions also aimed to curb spam flowing from compromised Exchange Online accounts.

The original blueprint targeted newly created tenants starting January 1, 2025, with existing tenants' cloud-hosted mailboxes facing limits between July and December 2025. As customers struggled to adapt, however, Microsoft repeatedly delayed the timeline into 2026. Now, the company has scrapped those plans entirely as it develops a better approach to the issue.

The problem is that customers have legitimate reasons to exceed the limit - some integrations would fail under the restrictions, making the proposal a blunt instrument.

Nevertheless, Microsoft isn't abandoning the effort. "We plan to address these issues in ways that are less disruptive to your business workflows," the company said.

"This means smarter, more adaptive approaches that protect the service while respecting your operational needs."

• Microsoft sharpens the blocking axe for Exchange Web Services
• Microsoft threatens to ram Copilot into Exchange Server on-prem
• Exchange Online will start archiving your oldest emails before your inbox bursts
• Microsoft pops legacy Exchange public folders on the chopping block

Exchange Online already enforces a recipient rate limit of 10,000, and the 2,000 external recipient limit was designed as a sub-limit within that.

Other email vendors have also imposed limits to curb abuse. In 2024, Google added requirements for senders of 5,000+ daily messages to Gmail accounts, including mandatory unsubscribe options for marketing emails.

Microsoft deserves credit for responding to customer concerns – it suggested Azure Communication Services for Email as an alternative, but that clearly didn't meet every customer's business needs. The counting method also proved problematic. Microsoft said: "If you sent 100 emails to the same 5 external recipients, it would count as 500 external recipients," which could easily cause integration headaches for sysadmins.

So while the company gets a thumbs-up for stepping back from its initial plans, it gets two thumbs down for a lack of detail on what it will do next. Administrators with solutions that violate the service restrictions should consider themselves warned. This problem isn't going away, and Microsoft will be back with an alternative strategy soon enough. ®