O365 – Spam Abuse NDR when emails are sent as “onmicrosoft.com”

By: Caio Ribeiro César and Robson Elias da Silva

Support daily basis is to handle diversified scenarios. When multiple customers and partners are hitting the same issue or behavior, means we need to elaborate on what is the design of the product and how administrators should handle these problems.

We have seen cases about external mailflow issues when using the “ .onmicrosoft.com” email address. Meaning when end users send emails with their SMTP address “user@domain .onmicrosoft.com”, these messages get bounced with the following NDR:

a) “Remote Server returned ‘550 5.7.501 Access denied, spam abuse detected”;

b) The organization admin will list those emails in the High Risk Delivery Pool (HRDP), classified as outbound spam;

c) Recipient mail server will reject the message, informing that it is classified as SPAM (usually with a high Spam Confidence Level;SCL).

Why are those messages classified as SPAM? Your subdomain was classified as SPAM as any other domain would be (bulk email, false positive or end users using your domain for SPAM). Any sending address, including the original [domain].onmicrosoft.com is subject to EOP's spam scan and will be blocked if sending spam. The .onmicrosoft.com address is not subject to any additional anti-spam checks.

External emails should be sent through a verified and valid domain. If the email used is @domain.com, it means the administrator has provided DNS proof to show that he is the owner of this specific public domain and mailboxes created with the SMTP address follow the same rule.

Although you can use this address for mailflow, it doesn’t mean it is recommended to. To fix this behavior, do not to use “domain.onmicrosoft.com” for mailflow. Use your public domain instead.

If your organization is still not willing to add a custom domain for a familiar domain name, please have a ticket created with support.