Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

Change Exchange Online recipient limit

Need to change Exchange online Recipient Limits. The default value is 500 and can't be modified.
In this case, users are able to send bulk\Spam messages by selecting entire global address list.

776 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Bruno Leonardo shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for the feedback. Most of the comments here reflect a desire to be able to LOWER the recipient limit for a specific user. This is something we will consider as priorities allow. If you’re voting or commenting — we would be curious if this is driven more by account compromises or just user behavior (e.g., don’t have permissions to send to the DL, so the user just expands the DL)?

    For issues with compromised accounts, we want you to be aware that we take this issue seriously and have been working on that problem from many angles. That said, we believe that limiting the number of recipients per email will not stop or even slow the bad guys significantly. Instead, we encourage you to visit https://securescore.office.com/ and implement best practices to protect your organization.

    For any comments regarding other issues with limits or throttling (e.g., increasing a limit), please start NEW items and please be clear what the scenario is that you need to support and why. Limits are a necessary piece of any email service, but we don’t want them to be obtrusive and block valid business scenarios.

    61 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • Anonymous commented  ·   ·  Flag as inappropriate

        This request would be for both scenarios in my case. I have seen in previous experience where employees have decided to send mass emails in poor taste, and where someones account has been compromised. This is high priority to me, so that I can deliver the best protection for my business. I would like for this be a high priority for Microsoft as well. Let me know what I can do, to make this happen.

      • Anonymous commented  ·   ·  Flag as inappropriate

        I want to be able to restrict the max to 20 or so. This keeps a user from mass emailing a bunch of people in error. When we do send out emails to a large number of customers I ensure the user has the emails in the BCC and then lift the restriction. I had powershell scripts to lift and place the restriction when we were on Exchange 2010

      • Sean Schipper commented  ·   ·  Flag as inappropriate

        I would love to have control the recipient limit per message. 500/message is much too high for us. We'd also like to limit the messages/day. 10,000 is ridiculously high. We set it to 500 for our on premise users and have very few users we need to increase.

      • Julie Russell commented  ·   ·  Flag as inappropriate

        We would appreciate the ability to alter this value. We have been managing this on prem until starting migrations to O365. It is for legal reasons that we use this setting, to stop people from sending emails to bulk recipients.
        We are willing to consider other alternatives - with transport rules etc.

      • Kalinda Francomb commented  ·   ·  Flag as inappropriate

        We would like to be able to reduce it so we can set it lower for students who seem to love sending random emails to lots of people :(

      • Anonymous commented  ·   ·  Flag as inappropriate

        We would like to request the 500 recipient limit in O365 be increased to either 2000 or no limit like the older versions of MS Exchange. We cannot send mass emails to customer base and the contacts are changing constantly so a DL is not feasible.

      • Anonymous commented  ·   ·  Flag as inappropriate

        I agree with other comments - even from a GDPR perspective - implementing a limit on the number of emails a user can send (in the to, cc or bcc fields) via transport rule or otherwise should be a basic feature of any corporate email system. It can't be that hard to implement. If there is another thread with a similar request that we need to vote on - someone please post it here.

      • James Winter commented  ·   ·  Flag as inappropriate

        So here is a typical scenario. Student users click a spammed link from "Microsoft" and enter their credentials. Nothing happens. Late afternoon Sunday or 2:00 AM weekdays someone in South Africa logs in to the student's account, sets an Inbox rule to delete all inbox then sends a spam to a huge number of off-domain recipients. The student's account locks at 500 emails and I get a message. I want to set that lock at 50 or whatever I want. Also, please give me the ability to block login by region (yes, I have a request on that thread too).

      • Charles Carmichael commented  ·   ·  Flag as inappropriate

        Lowering the number for us is more to limit bad behavior of users; expanding a DL but more so compliance with email marketing laws and company policies. Our previous hosted email would monitor do two things 1) only allow up to 200, still want this WAY lower and 2) monitor if the end user was attempting to game the system by sending in smaller batches. if the user was suspect of attempting to game, they got a warning, admin got a notice if they did it again they were blocked. It was very helpful as it also worked if the account had been compromised as well.

      • Anonymous commented  ·   ·  Flag as inappropriate

        "Limiting the number of recipients per email may not slow the bad guys significantly" - Yes, and speed limit signs don't stop all speeders but that doesn't mean they aren't a common sense precaution. We have a few people in my organization that send to large recipients groups but the vast majority could be capped at 50 recipients and never even notice it. I understand Microsoft's concerns about increasing but what is the possible harm in allowing administrators to decrease it? Or the logic in saying this is the appropriate limit for every person in every organization? The ability to mass send e-mails just doesn't need to in the hands of every random temp or intern that walks through the door.

      • Przemyslaw Jagusiak commented  ·   ·  Flag as inappropriate

        Please this is very important and urgent. there should be an option to limit the number of recipients within the same outgoing email.

      • Anonymous commented  ·   ·  Flag as inappropriate

        This is just proving how useless O365 is on point of phishing emails. We should be able to decide how many recipients we allow in our organisation and it is available in on-premise Exchange so don't understand you decided to switch off that functionality. Are you going backwards? But since you are not able to implement that in 3 years I wouldn't think it would change in the future

      • Michiel van Heerde commented  ·   ·  Flag as inappropriate

        Our Helpdesk wants to be able to send out emails to the entire internal company, this however is impossible with only one distribution group as the limit is 500 recipients and we have over 500 colleagues. We really would like to be able to increase the limit, if only for our internal mail flow.

      • Ron Gerber commented  ·   ·  Flag as inappropriate

        I run an IT seminar firm that features Microsoft speakers nationwide. About a year ago, my IT services/consulting firm switched me from managing our own onsite Exchange server, to Office365. However I was never informed that there were recipient limits and other constraints tied to emailing on Office365. There are both explicit limits (30/sec, 10K/day) and "hidden" restrictions, e.g. when I send the same email invite to 10 different people, 10 minutes apart, the Microsoft algorithm views this as spam and shuts down the account. Using a third party bulk email service is NOT the answer, since I am not sending out one bulk email a week but am sending out the same email all day long, to a few people.

        So now I have to switch to a managed exchange service provider, to maintain my outlook/exchange setup but avoid the email limits.

        So I would strongly recommend much more flexibility here, and the ability to send out more emails.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Another aspect to this problem is when users (without thinking) send emails out to large numbers of customers or suppliers without using Bcc. These mass emails effectively share the email addresses of every recipient with every other recipient, which is potentially a GDPR issue. I've had several occasions where a customer has visibly copied me (and all my competitors) into an email

      • Anonymous commented  ·   ·  Flag as inappropriate

        Please get this implemented. It would be nice to limit the impact of a compromised email. And it would be great to get emails as soon as this limit was hit.

      • Paul Zender commented  ·   ·  Flag as inappropriate

        I do not know why Microsoft is being stubborn on this issue. We had ps scripts that ran in Ex2007 that if a person sent to over a certain amount (configurable) to external only, it sent the admins an email so we could shutdown the compromised user instead of finding out two days later when we were being blocked by major ISP's for sending them spam. So if Microsoft wont let us make the recipient limit configurable, at least have a transport rule in 365 that does this and is configurable so we can put in whatever number we want.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Please enable this.

        We want to be able to lower the limit for students (not for staff) because there is no need for students to email more than a small number of people at any one time.

        Unfortunately it is a fact that some students do misuse this, e.g. by sending an email to their entire yeargroup

      • Francisco Chichizola commented  ·   ·  Flag as inappropriate

        More than arbitrarily lowering the limit, we need control of it. Depending on the business and down to the individual use. The 500 (greyed out) limit, should be available to be changed by the administrator for each user he/she administers.

      ← Previous 1 3 4

      Feedback and Knowledge Base