check before: 2025-04-15
Product:
Exchange, Outlook
Platform:
Developer, Online, US Instances, World tenant
Status:
Change type:
Admin impact, Updated message, User impact
Links:

Details:
Summary:
Starting April 15, 2025, messages with multiple From addresses without a Sender header will be rejected in Exchange Online to comply with RFC 5322. The rollout for GCC High and DOD is delayed to October 7, 2025. Tenants sending high volumes of such emails are opted out temporarily.
Details:
Updated July 2, 2025: We have updated the timeline below. Thank you for your patience.
We are proactively opting out of the rollout those tenants that were detected as sending high volumes of emails with multiple From addresses and no Sender address header. These exempted senders will only be able to send such emails to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out.
We're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. Please review the section "When this will happen" for rollout timeline information for your tenant.
If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs.
We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header.
[When this will happen:]
General Availability (Worldwide, GCC): We will begin rolling out April 15, 2025, and expect to complete by May 15, 2025.
GCC High, DOD: We will begin rolling out October 7, 2025 (previously July 1), and expect to complete by November 1, 2025 (previously August 1).
We are delaying the rollout start date in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address.
Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet.
Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change.
To investigate whether you will be impacted by this change, focus on messages sent to Exchange Online through On Premises Inbound Connectors. Authenticated mail submission (Graph, Outlook clients, SMTP AUTH Client Submission) is not impacted, because those submission methods do not allow messages like this.
Created:
2024-09-10
updated:
2025-07-03
summary for non-techies**
Starting in 2025, Exchange Online will reject emails that have multiple "From" addresses but no "Sender" address, to prevent misuse. Tenants detected sending high volumes of such emails are temporarily opted out, but can only send them to recipients in their own tenant.
Direct effects for Operations**
Email Delivery Issues
Messages with multiple From addresses without a Sender header will be rejected, leading to potential loss of important communications.
- roles: Email Administrators, End Users
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Increased User Frustration
Users may experience confusion and frustration due to Non-Delivery Reports (NDRs) when attempting to send emails with invalid headers.
- roles: End Users, Support Staff
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Compliance Risks
Failure to comply with RFC 5322 may expose the organization to security risks, including email spoofing and phishing attacks.
- roles: Security Officers, Email Administrators
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Operational Disruption
High volumes of rejected emails may disrupt normal business operations, especially for departments relying on email communication.
- roles: Department Managers, End Users
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Increased Support Tickets
The change may lead to an increase in support tickets as users encounter issues sending emails, straining IT resources.
- roles: Support Staff, IT Managers
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Opportunities**
Email Header Compliance Automation
Implementing automated tools to check outgoing emails for compliance with RFC 5322 can help prevent issues related to multiple From addresses without a Sender header. This will ensure that all outgoing emails adhere to the required standards before they are sent, reducing the likelihood of rejected messages and improving overall email deliverability.
- next-steps: Research and select email compliance tools that can integrate with Exchange Online. Set up a pilot program to test the effectiveness of these tools before a full rollout.
- roles: IT Administrators, Compliance Officers, Email System Administrators
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2, https://techcommunity.microsoft.com/t5/exchange-team-blog/what-you-need-to-know-about-multiple-from-addresses-and/ba-p/3020500
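The RFC 5322 section 3.6.2 rule quoted under Details, and the automated header check suggested in this item, can be exercised with a short triage script. This is an added example, not Microsoft's or this page's code: the sample messages and `example.test` addresses are constructed, and counting mailboxes across duplicate From fields is an assumption about how to treat that case.

```python
"""Added example: triage messages against the multiple-From / no-Sender rule."""
from email import message_from_bytes, policy

# Rejection text this page quotes for affected mail:
#   550 5.1.20 Multiple From addresses are not allowed without Sender address


def mailboxes(msg, field):
    """Return every addr-spec found in all occurrences of an address field."""
    found = []
    for header in msg.get_all(field, []):
        # policy.default yields structured headers: .addresses flattens groups
        # and keeps a quoted display name like "Doe, Jane" as ONE mailbox.
        found.extend(addr.addr_spec for addr in header.addresses)
    return found


def classify(raw):
    """Classify one raw RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addrs = mailboxes(msg, "From")
    sender_addrs = mailboxes(msg, "Sender")
    if len(from_addrs) <= 1:
        verdict = "not-affected"          # rule only applies to multi-From
    elif len(sender_addrs) == 1:
        verdict = "compliant"             # multi-From with one Sender mailbox
    elif not sender_addrs:
        verdict = "multi-from-no-sender"  # the case this page describes
    else:
        verdict = "sender-not-single"     # Sender must hold a single mailbox
    return {
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "from": from_addrs,
        "sender": sender_addrs,
        "verdict": verdict,
    }


def scan(raw_messages):
    """Return only the messages whose originator headers need fixing."""
    results = (classify(raw) for raw in raw_messages)
    return [r for r in results
            if r["verdict"] not in ("not-affected", "compliant")]


def _eml(*header_lines):
    """Build a minimal constructed message from header lines."""
    return "\r\n".join(header_lines + ("", "body", "")).encode("ascii")


# Constructed sample messages; all addresses are placeholders.
SAMPLES = [
    _eml("Message-ID: <1@example.test>",
         "From: Alice <alice@example.test>"),
    _eml("Message-ID: <2@example.test>",
         "From: alice@example.test, bob@example.test"),
    _eml("Message-ID: <3@example.test>",
         "From: alice@example.test, bob@example.test",
         "Sender: relay@example.test"),
    _eml("Message-ID: <4@example.test>",
         'From: "Doe, Jane" <jane@example.test>'),      # comma in display name
    _eml("Message-ID: <5@example.test>",
         "From: alice@example.test",
         "From: bob@example.test"),                     # duplicate From fields
    _eml("Message-ID: <6@example.test>",
         "From: alice@example.test,",
         " bob@example.test"),                          # folded header line
    _eml("Message-ID: <7@example.test>",
         "From: alice@example.test, bob@example.test",
         "Sender: relay@example.test, other@example.test"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit["message_id"], hit["verdict"], hit["from"])
```

Pointing `scan` at raw messages exported from an on-premises relay (the traffic path the Details section says to investigate) shows which applications need a Sender header added.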
User Training and Awareness Programs
Conducting training sessions for users on proper email practices, specifically focusing on the correct use of From and Sender headers, can help minimize the occurrence of compliance issues. Educating users about the implications of sending emails with incorrect headers will enhance their understanding and reduce potential disruptions.
- next-steps: Develop training materials and schedule training sessions for all email users within the organization. Create a feedback mechanism to assess the effectiveness of the training.
- roles: HR Managers, Training Coordinators, IT Support Staff
- references: https://www.microsoft.com/en-us/microsoft-365/blog/2020/06/30/understanding-email-headers-and-how-they-affect-deliverability/, https://www.linkedin.com/pulse/importance-email-header-compliance-rfc-5322-ivan-novak/
Email Traffic Monitoring and Reporting
Establishing a monitoring system for email traffic can help identify patterns of non-compliance with the new header requirements. By analyzing email traffic, the organization can proactively address issues and ensure that legitimate emails are not mistakenly rejected.
- next-steps: Implement email analytics tools that can provide insights into email traffic patterns. Regularly review reports to identify and resolve compliance issues before they affect users.
- roles: Network Administrators, IT Security Analysts, Compliance Officers
- references: https://www.zdnet.com/article/how-to-monitor-your-email-traffic/, https://www.csoonline.com/article/3307851/how-to-use-email-analytics-to-improve-communication.html
** AI generated content. This information must be reviewed before use.

change history
Date | Property | old | new |
2025-07-03 | MC Last Updated | 03/21/2025 19:39:58 | 2025-07-02T15:18:03Z |
2025-07-03 | MC Messages | Updated March 21, 2025: We have updated the rollout timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out. We're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online, please review the section "When this will happen" for rollout timeline information for your tenant. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] General Availability (Worldwide, GCC): We will begin rolling out April 15, 2025, and expect to complete by May 15, 2025. GCC High, DOD: We will begin rolling out July 1, 2025, and expect to complete by August 1, 2025. We are delaying the rollout start date in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. 
Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). | Updated July 2, 2025: We have updated the timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out. We're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online, please review the section "When this will happen" for rollout timeline information for your tenant. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] General Availability (Worldwide, GCC): We will begin rolling out April 15, 2025, and expect to complete by May 15, 2025. GCC High, DOD: We will begin rolling out October 7, 2025 (previously July 1), and expect to complete by November 1, 2025 (previously August 1). We are delaying the rollout start date in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. 
Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
2025-07-03 | MC End Time | 10/01/2025 10:00:00 | 2025-12-15T09:00:00Z |
2025-07-03 | MC Summary | Starting April 15, 2025, Exchange Online will reject emails with multiple From addresses without a Sender header to comply with RFC 5322. Tenants sending high volumes of such emails are opted out temporarily. Rollout for GCC High and DOD starts July 1, 2025. Ensure emails have a single Sender address if multiple From addresses are used. | Starting April 15, 2025, messages with multiple From addresses without a Sender header will be rejected in Exchange Online to comply with RFC 5322. The rollout for GCC High and DOD is delayed to October 7, 2025. Tenants sending high volumes of such emails are opted out temporarily. |
2025-03-22 | MC Messages | Updated February 28, 2025: We have updated the rollout timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out. Starting April 15, 2025 (previously February 3), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] April 15, 2025 (previously February 3) We are delaying the rollout start date from December to April 15, 2025 (previously February 3) in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. 
On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). | Updated March 21, 2025: We have updated the rollout timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out. We're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online, please review the section "When this will happen" for rollout timeline information for your tenant. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] General Availability (Worldwide, GCC): We will begin rolling out April 15, 2025, and expect to complete by May 15, 2025. GCC High, DOD: We will begin rolling out July 1, 2025, and expect to complete by August 1, 2025. We are delaying the rollout start date in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. 
Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
2025-03-22 | MC How Affect | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after April 15 2025 (previously December 1st), you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after the change starts rolling out to your environment, you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address. |
2025-03-22 | MC Last Updated | 02/28/2025 17:27:08 | 2025-03-21T19:39:58Z |
2025-03-22 | MC End Time | 06/30/2025 10:00:00 | 2025-10-01T10:00:00Z |
2025-03-22 | MC Summary | Starting April 15, 2025, Exchange Online will reject emails with multiple From addresses without a Sender header to comply with RFC 5322. Tenants sending high volumes of such emails are opted out temporarily. Organizations must ensure emails with multiple From addresses include a single Sender address to avoid NDR errors. | Starting April 15, 2025, Exchange Online will reject emails with multiple From addresses without a Sender header to comply with RFC 5322. Tenants sending high volumes of such emails are opted out temporarily. Rollout for GCC High and DOD starts July 1, 2025. Ensure emails have a single Sender address if multiple From addresses are used. |
2025-03-01 | MC Messages | Updated February 14, 2025: We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of March with an updated timeline for tenants that are opted out.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). 
| Updated February 28, 2025: We have updated the rollout timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out. Starting April 15, 2025 (previously February 3), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] April 15, 2025 (previously February 3) We are delaying the rollout start date from December to April 15, 2025 (previously February 3) in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. 
On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
2025-03-01 | MC How Affect | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after December 1st, you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after April 15 2025 (previously December 1st), you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". |
2025-03-01 | MC Last Updated | 02/14/2025 21:37:02 | 2025-02-28T17:27:08Z |
2025-03-01 | MC End Time | 05/05/2025 10:00:00 | 2025-06-30T10:00:00Z |
2025-03-01 | MC Summary | Starting February 3, 2025, Exchange Online will drop messages with multiple From addresses without a Sender header to comply with RFC 5322. Affected users were notified on October 15. To prevent issues, ensure messages with multiple From addresses include a Sender header. | Starting April 15, 2025, Exchange Online will reject emails with multiple From addresses without a Sender header to comply with RFC 5322. Tenants sending high volumes of such emails are opted out temporarily. Organizations must ensure emails with multiple From addresses include a single Sender address to avoid NDR errors. |
2025-02-15 | MC Last Updated | 01/31/2025 17:35:05 | 2025-02-14T21:37:02Z |
2025-02-15 | MC Messages | Updated January 31, 2025: We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of February with an updated timeline for tenants that are opted out.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). 
| Updated February 14, 2025: We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of March with an updated timeline for tenants that are opted out.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
2025-02-15 | MC End Time | 03/03/2025 09:00:00 | 2025-05-05T10:00:00Z |
2025-02-01 | MC Messages | Updated November 6, 2024: We have updated the content. Thank you for your patience.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). 
| Updated January 31, 2025: We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of February with an updated timeline for tenants that are opted out.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
2025-02-01 | MC Last Updated | 11/08/2024 01:37:37 | 2025-01-31T17:35:05Z |
2024-11-08 | MC Last Updated | 09/21/2024 01:49:28 | 2024-11-08T01:37:37Z |
2024-11-08 | MC Messages | Updated September 20, 2024: We have updated the content. Thank you for your patience.
Starting December 1st, we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] December 1st, 2024 | Updated November 6, 2024: We have updated the content. Thank you for your patience.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
2024-11-08 | MC End Time | 02/24/2025 09:00:00 | 2025-03-03T09:00:00Z |
2024-11-08 | MC Summary | Starting December 1st, Exchange Online will reject emails with multiple From addresses without a Sender header, to comply with RFC 5322. Noncompliance can lead to sender impersonation. Affected organizations will be notified by October 15th if they had significant noncompliant traffic in September. | Starting February 3, 2025, Exchange Online will drop messages with multiple From addresses without a Sender header to comply with RFC 5322. Affected users were notified on October 15. To prevent issues, ensure messages with multiple From addresses include a Sender header. |
2024-09-21 | MC MessageTagNames | User impact, Admin impact | Updated message, User impact, Admin impact |
2024-09-21 | MC Summary | Starting October 15th, Exchange Online will reject emails with multiple From addresses without a Sender header, to comply with RFC 5322. Organizations should ensure a single address in the Sender header to avoid non-delivery reports (NDRs) with error code 550 5.1.20. Feedback on this change is welcomed. | Starting December 1st, Exchange Online will reject emails with multiple From addresses without a Sender header, to comply with RFC 5322. Noncompliance can lead to sender impersonation. Affected organizations will be notified by October 15th if they had significant noncompliant traffic in September. |
2024-09-21 | MC Last Updated | 09/10/2024 02:59:50 | 2024-09-21T01:49:28Z |
2024-09-21 | MC Messages | Starting October 15th, we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online.
We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] October 15, 2024 | Updated September 20, 2024: We have updated the content. Thank you for your patience.
Starting December 1st, we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] December 1st, 2024 |
2024-09-21 | MC How Affect | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after October 15th, you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after December 1st, you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". |
2024-09-21 | MC Title | Reject multiple From addresses (P2 From headers) without a Sender header | (Updated) Reject multiple From addresses (P2 From headers) without a Sender header |
2024-09-21 | MC End Time | 12/31/2024 09:00:00 | 2025-02-24T09:00:00Z |
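The rule described in these notices can be checked on stored or relayed messages before Exchange Online rejects them. The following is an added example, not Microsoft's code: it parses raw RFC 5322 messages with Python's standard `email` package and reports those with more than one From address and no Sender header. The verdict strings, helper names and sample messages are constructed for illustration; the `sender-not-single` verdict covers the RFC requirement quoted above that the Sender header contain a single address.

```python
from email import message_from_bytes
from email.policy import default

def originator_verdict(raw: bytes) -> str:
    """Classify one raw message by its From/Sender headers."""
    msg = message_from_bytes(raw, policy=default)
    # Count mailboxes across every From field: the addresses may sit in one
    # comma-separated field or be spread over several From fields.
    from_addrs = [a.addr_spec for h in msg.get_all("From", []) for a in h.addresses]
    if len(from_addrs) <= 1:
        return "ok"  # zero or one author: the Sender rule does not apply
    senders = msg.get_all("Sender", [])
    if not senders:
        return "multiple-from-no-sender"  # the case the notice says is rejected
    sender_addrs = [a.addr_spec for h in senders for a in h.addresses]
    if len(senders) != 1 or len(sender_addrs) != 1:
        return "sender-not-single"
    return "ok"

def flagged_ids(messages):
    """Return (Message-ID, verdict) for every message that is not 'ok'."""
    out = []
    for raw in messages:
        verdict = originator_verdict(raw)
        if verdict != "ok":
            mid = message_from_bytes(raw, policy=default)["Message-ID"]
            out.append((str(mid).strip(), verdict))
    return out

def _msg(mid, *headers):
    # Build a constructed sample message (not real traffic).
    lines = list(headers) + [f"Message-ID: <{mid}@relay.example>",
                             "Subject: test", "", "body", ""]
    return "\r\n".join(lines).encode()

TWO = "From: Alice <alice@example.com>, Bob <bob@example.net>"
SAMPLES = [
    _msg("m1", TWO),                                    # two authors, no Sender
    _msg("m2", TWO, "Sender: alice@example.com"),       # compliant
    _msg("m3", 'From: "Doe, Jane" <jane@example.com>'), # comma in display name
    _msg("m4", "From: alice@example.com", "From: bob@example.net"),
    _msg("m5", TWO, "Sender: alice@example.com, bob@example.net"),
]

if __name__ == "__main__":
    for mid, verdict in flagged_ids(SAMPLES):
        print(mid, verdict)
```

Run it over messages captured from devices and applications that relay through on-premises inbound connectors, the path the notice says to investigate.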