Default Microsoft 365 Domains Face 100-Email Daily Limit Starting October

Organizations still using default Microsoft 365 email domains face severe throttling starting this October. The restrictions target the onmicrosoft.com domain that Microsoft 365 automatically assigns to new tenants, limiting external messages to 100 recipients per day starting October 15. Microsoft blames spammers who exploit new tenants for quick spam bursts before detection. Affected organizations must acquire custom domains and update primary SMTP addresses across all mailboxes -- a process that requires credential updates across devices and applications.

Re: Microsoft Told Us We Had To Use A Microsoft Ac

[sixminuteabs]

Hey dumbass, read TFS again and check back this has nothing to do with your stupid rant

Re:

[snowshovelboy]

Lol, what? Why are you sending over 100 emails daily from your login account?

Re:

[samwichse]

100 recipients, even.

Re:Enshitify, Enshitify, Enshitify

[Tony Isaac]

What about this do you see as a negative thing? The original concept was crap, not the new change. It was ripe for spam exploitation. Having to register an actual domain, will make it more expensive for spammers, and that's a good thing.

Re:

[CoachS]

I'm not sure if you understand what this story is. This is for people who have already bought a Microsoft 365 tenant but haven't assigned a real domain name to it so they're just using the default ".onmicrosoft.com" domain. No real business should do that.

This doesn't force people to any platform. The only thing it "forces" them to is to buy or use an actual domain (which they'd probably buy from a 3rd party domain registrar anyhow) if they want to send a lot of email.

Re:

[Tony Isaac]

It's not just dollars, but time investment. Spammers want to send spam as cheaply and with as little work as possible. The higher the cost, and the more work involved, the lower the spam counts will be.

There's a reason you only get a handful of junk postal mail promotions a day: All those envelopes and stamps cost time and money to produce. Spam is too cheap to send.

Re: Enshitify, Enshitify, Enshitify

[Big Hairy Gorilla]

Microsoft has been playing both sides of the spam game since the cloud was a thing ... shocking, I know.

Re:

[Tony Isaac]

While that may be true, it doesn't make this specific change a bad thing.

Re:

[Big Hairy Gorilla]

Sure you're probably right.. if it cuts down on spam, because if it costs bad actors $$ to stay in the game, it probably will cut down on spam. Amen.
On the other hand, perhaps MS should also consider making the supply side of spam harder to access... might be a better strategy, at least one that gets to the root of the problem vs "here's a band aid" after you've been burned.

Re:

[Tony Isaac]

What's your suggestion to make the supply-side harder to access?

Re:

[Big Hairy Gorilla]

My impression is that ... something I read... that spammer can get a one month free cloud instance trial, and they spend the first hour of the free trial installing their spam stuff and the remaining 729 hours blasting out spam as fast as possible. Lather, rinse, repeat. Automate that process, and you're getting free supply side compute power for your spam operation.

I'm going to say that the most valuable company in the world could probably figure out a way to stop that. Also, I haven't read MS terms of se

Re:

[Tony Isaac]

Microsoft and the other tech giants, are already spending billions fighting spam and malware. https://louisvillegeek.com/new... [louisvillegeek.com]. It's a hard problem to solve, even with tons of money.

I too have seen proposals for requiring postage. It seems like a great idea, until you look at the details. Who exactly is going to process payments? Who's going to force payments to happen? What is the definition of a message that would incur postage? Just email? WhatsApp? Facebook Messenger? Teams messages? Texts? No matter w

Re:

[Big Hairy Gorilla]

Again, can't disagree... the postage thing is like the ID thing... who pays for an independent service? Who watches the watchers?

I would suggest that Microsoft could do this. Correct me if I'm wrong.. Wasn't MS behind DKIM .. wasn't that a MS initiative?
Again, correct me if I'm wrong, but that did cut down significantly on spam... So then, I'm saying if there was a business will (and there isn't) MS, FB, Goo, could agree on some industry standards, collaborate on an RFC... It comes down to management will t

Re:

[Tony Isaac]

Yahoo and Cisco, actually. https://en.wikipedia.org/wiki/... [wikipedia.org]

The accusation that MS is "playing both sides" is completely false. They have nothing to gain by covertly enabling spammers. Too many people are scrutinizing their work. If Microsoft were really doing this, they would be shaming them publicly. Instead, those who want to shame Microsoft, are rather asserting that MS "isn't doing enough" to block spam. But who is to define "enough"? The reality is, nobody has conquered this. Even the US Postal Servic

Re:

[Big Hairy Gorilla]

MS has plenty to gain by playing both sides. If there is no supply side of spam then you wouldn't have a problem that they can help you solve... for a price. I think if you're saturating your bandwidth, someone should be asking questions.

They can claim that they can't do anything about what individual customers are doing and they'll also claim they can't get or disseminate information about their customers because "privacy". There's another both sides thing... they don't seem to mind invading your privacy i

May everyone using Office/Outlook 365

[rtkluttz]

Or any non-self hosted cloud in general, get what they deserve. We are using internally hosted Zimbra collaboration and Nextcloud. Screw Microshaft. We are happily saving hundreds of thousands JUST ON EMAIL ALONE.

Re:

[CoachS]

If you have tens of thousands of users and an IT staff to manage your own hosted cloud and servers then that's great for you.

For "Joe's Landscaping" who has 13 people and outsources their IT from Geek Squad it's almost always going to be better to just use Microsoft 365 out of the box.

Nothingburger

[EvilSS]

If your "business" is sending out emails as user@business.onmicrosoft.com instead of user@busness.com then you should take your business more seriously. Yes it saves you $20 a year for a domain registration but it also makes your emails look unprofessional and probably gets them tagged as spam. And if your company is so small that you don't feel you need a domain, then the 100 email a day limit probably won't affect you anyway.

If you take out trial and test/dev tenants, I'd be shocked if even 1% of 365 orgs are using the onmicrosoft addresses as their primary email domains. It was never meant to be used that way, it was to allow for new tenants to have a way to setup a tenant and if needed migrate emails before attaching their custom domain(s).

Re:

[mysidia]

If your "business" is sending out emails as user@business.onmicrosoft.com instead of user@busness.com then you should take your business more seriously.

It's absolutely fine, though. If you're paying that $20 a month for your 1000 employees or whatever... Your money should be as good to Microsoft as anyone else's -- it should not matter whether you opt for a custom domain or their in-place domain.

What I really mean is a 100 message limit sucks for any legitimate user affected by it, And it is NOT a leg

Re:

[EvilSS]

It's really not fine though. Microsoft never meant for it to be used that way they just never enforced it because they didn't think anyone would be dumb enough to actually use it for production accounts. And I guarantee you no 1000 employee company is using the onmicrosoft as their primary email. That would be insane.

I do agree the trial tenants are the real problem, and they have put limits on them this year of 5,000 recipients a day. I think that's still too high and it should be limited to the 100 pe

Re:

[thegarbz]

If you're paying that $20 a month

It's $20/year not per month. Microsoft isn't do this to cover costs of infrastructure.

Re:

[mysidia]

It's $20/year not per month. Microsoft isn't do this to cover costs of infrastructure.

No.. not at all. There is no way you can get whole year of service for $20. Even the absolute bare minimum plan is $150 per user license per year. The monthly rate most businesses have to pay is more than $20 a month actually and the lowest end plan is at least $12.

Re:

[PsychoSlashDot]

It's $20/year not per month. Microsoft isn't do this to cover costs of infrastructure.

No.. not at all. There is no way you can get whole year of service for $20. Even the absolute bare minimum plan is $150 per user license per year. The monthly rate most businesses have to pay is more than $20 a month actually and the lowest end plan is at least $12.

What's being talked about is the cost of a "custom" domain. Not the M365 services themselves. Those are constant meaning that they don't change because of this new policy.

A domain plus DNS hosting is peanuts, and Microsoft doesn't sell them. Encouraging tenants to brand their usage with a real domain instead of using @tenantname.onmicrosoft.com is probably mostly about getting people to stop using addresses that have "microsoft" in them except for testing and initial setup. Those are intended as place

Re:

[tlhIngan]

I've seen many companies use a @gmail.com address. It's rather shocking how many will have a website and then email from hotmail, gmail, yahoo or other site.

If you're paying Microsoft to host your email on M365, you can probably pay for a domain.

Re:

[EvilSS]

Yea that's pretty unprofessional and really raises red flags about things like phishing when you get an email like that. And if have a website, you most likely already have a domain anyway. Hell I have a friend who is a professional game streamer, company of 1, and his business email uses a custom domain instead of gmail.com because it helped make him seem more professional to sponsors.

Tenants?

[ebcdic]

What does this word mean in the Microsoft world?

Re:

[CoachS]

Basically the account. You buy a subscription, that gives you a Microsoft 365 account with a domain (.onmicrosoft.com by default) and you can add users and services to that. That whole account is called a "tenant".

Re:

[mysidia]

The word ``tenant'' when spoken by the owner of a service or building/facility such as Microsoft is as a counterpart to their role as landlord, and a euphamism for the words peasant or rent-payer.

Re: Tenants?

[kenh]

As a person paying to use their service, what's wrong with the term? Renting something doesn't make you a peasant, rich people rent things all the time.

You're just trying really, really hard to make a perfectly logical business decision (until you prove your identity, you can only send 100 emails/day) into some nefarious policy.

If your business rents a storefront to conduct business, your business is a "tenant". If you rent virtual space online to conduct business, why is it insulting to be referred to as a

Re: Tenants?

[drinkypoo]

You can buy mass email software from a number of vendors and run it in your own servers. You can also do it with FOSS for the entire stack. No one is being forced to pay a subscription to spam. They have the option to do so for convenience.

What's the big deal, seriously?

[kenh]

As I read this, when someone signs up for email service they are only able to send 100 emails/day until they verify their identity.

WTF is wrong with that?

From TFS:

The restrictions target the onmicrosoft.com domain that Microsoft 365 automatically assigns to new tenants, limiting external messages to 100 recipients per day starting October 15.

Do customers STAY on "Microsoft.com" domain for any length of time?

Microsoft blames spammers who exploit new tenants for quick spam bursts before detection. Affected organizations must acquire custom domains and update primary SMTP addresses across all mailboxes -- a process that requires credential updates across devices and applications.

Prove who you are, get a proper domain, send out all the emails you want... Again, I ask, WTF is wrong with that?

Do people really want to stay on the onmicrosoft.com domain for their email, or do they want their own domain?

It's just a case of MS Derangement Syndrome, a close relative of AMZ Derangement Syndrome, where the sufferer becomes uncontrollably upset at the mention of MS or AMZ.

Better standards or bust!

[Tablizer]

We need a decent telecom standard such that every message and phone call is trace-able back to ISP subscriber so we can knock heads together. And high-volume senders/callers would require more identification.

Does such really take 5D rocket science?

Good...

[Anamon]

... it's a small additional hurdle, but every bit counts.

However, from personal experience, Microsoft don't seem to be the biggest problem. For about half a year now, more than 95% of all phishing mails I get, across dozens of hosts, privately and on honeypots, have been coming from Google Cloud and Firebase. They don't seem interested in doing jack all about that. Google servers are on fire on blocklist, and I'm sending automated abuse reports by the boatload, but nothing ever changes. The same Google serv

Should do the same with Salesforce

[BillTheKatt]

Salesforce should do something similar. Lately all I get is crap spam from gmail addresses being forwarded from salesforce.com's internal marketing engine.

Microsoft is a spam haven

[protehnica]

I've been receiving spam from onmicrosoft subdomains for years. Every time I reported it to Microsoft's CERT, they replied that the report couldn't be verified. Microsoft and Google are the primary source of spam I get, and both platforms chose not to implement very simple measures to prevent their platforms from being used by spammers.