check before: 2025-04-15
Product:
Exchange, Outlook
Platform:
Developer, Online, US Instances, World tenant
Status:
Change type:
Admin impact, Updated message, User impact
Links:
Details:
Summary:
Starting April 15, 2025, Exchange Online will reject emails with multiple From addresses without a Sender header to comply with RFC 5322. Tenants sending high volumes of such emails are opted out temporarily. Rollout for GCC High and DOD starts July 1, 2025. Ensure emails have a single Sender address if multiple From addresses are used.
Details:
Updated March 21, 2025: We have updated the rollout timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out.
We're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online, please review the section "When this will happen" for rollout timeline information for your tenant.
If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs.
We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header.
[When this will happen:]
General Availability (Worldwide, GCC): We will begin rolling out April 15, 2025, and expect to complete by May 15, 2025.
GCC High, DOD: We will begin rolling out July 1, 2025, and expect to complete by August 1, 2025.
We are delaying the rollout start date in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address.
Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet.
Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change.
For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission).
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2024-09-10
updated:
2025-03-22
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Email Delivery Failure
Emails with multiple From addresses without a Sender header will be rejected, leading to delivery failures for legitimate emails.
- roles: Email Administrators, End Users
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Increased User Frustration
Users may experience frustration due to non-delivery reports (NDRs) when attempting to send emails with multiple From addresses, impacting communication.
- roles: End Users, Support Staff
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Compliance Risks
Failure to comply with RFC 5322 may expose the organization to security risks, as attackers could exploit the lack of a Sender header.
- roles: Security Officers, Email Administrators
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Operational Disruption
The change may disrupt normal email operations, especially for organizations that rely on automated systems sending emails with multiple From addresses.
- roles: IT Operations, System Administrators
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Increased Support Tickets
The change is likely to generate an increase in support tickets as users encounter issues with sending emails, straining IT resources.
- roles: Support Staff, IT Managers
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
Email Compliance and Security Enhancement
Implementing strict adherence to the Sender header requirement will enhance email security by preventing spoofing and impersonation attacks. This ensures that only legitimate emails are processed, reducing the risk of phishing and other malicious activities.
- next-steps: Conduct a thorough audit of existing email configurations to identify instances of multiple From addresses without a Sender header. Develop a communication plan to inform users about the changes and provide training on compliant email practices.
- roles: IT Security Manager, Compliance Officer, Email Administrators
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
User Training and Awareness Programs
With the impending changes, there is an opportunity to enhance user training programs to educate staff on email best practices, specifically regarding the proper use of the From and Sender headers. This can improve overall user experience and reduce the likelihood of email delivery issues.
- next-steps: Create training materials that outline the new email standards and provide examples of compliant versus non-compliant emails. Schedule training sessions for all staff, particularly those in roles heavily reliant on email communication.
- roles: Training Coordinator, HR Manager, IT Support Staff
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Email System Optimization
Reviewing and optimizing email systems in light of the new requirements can lead to better performance and reduced processing of non-compliant emails. This can result in cost savings in terms of bandwidth and storage usage.
- next-steps: Analyze email traffic patterns to identify and mitigate sources of non-compliant emails. Consider implementing automated tools to filter and flag emails that do not meet the new requirements before they reach users.
- roles: IT Operations Manager, Network Administrator, Email System Administrator
- references: https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2025-03-22 | MC Messages | Updated February 28, 2025: We have updated the rollout timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out. Starting April 15, 2025 (previously February 3), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] April 15, 2025 (previously February 3) We are delaying the rollout start date from December to April 15, 2025 (previously February 3) in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). | Updated March 21, 2025: We have updated the rollout timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out. We're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online, please review the section "When this will happen" for rollout timeline information for your tenant. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] General Availability (Worldwide, GCC): We will begin rolling out April 15, 2025, and expect to complete by May 15, 2025. GCC High, DOD: We will begin rolling out July 1, 2025, and expect to complete by August 1, 2025. We are delaying the rollout start date in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
| 2025-03-22 | MC How Affect | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after April 15 2025 (previously December 1st), you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after the change starts rolling out to your environment, you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address. |
| 2025-03-22 | MC Last Updated | 02/28/2025 17:27:08 | 2025-03-21T19:39:58Z |
| 2025-03-22 | MC End Time | 06/30/2025 10:00:00 | 2025-10-01T10:00:00Z |
| 2025-03-22 | MC Summary | Starting April 15, 2025, Exchange Online will reject emails with multiple From addresses without a Sender header to comply with RFC 5322. Tenants sending high volumes of such emails are opted out temporarily. Organizations must ensure emails with multiple From addresses include a single Sender address to avoid NDR errors. | Starting April 15, 2025, Exchange Online will reject emails with multiple From addresses without a Sender header to comply with RFC 5322. Tenants sending high volumes of such emails are opted out temporarily. Rollout for GCC High and DOD starts July 1, 2025. Ensure emails have a single Sender address if multiple From addresses are used. |
| 2025-03-01 | MC Messages | Updated February 14, 2025: We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of March with an updated timeline for tenants that are opted out.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). | Updated February 28, 2025: We have updated the rollout timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out. Starting April 15, 2025 (previously February 3), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] April 15, 2025 (previously February 3) We are delaying the rollout start date from December to April 15, 2025 (previously February 3) in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
| 2025-03-01 | MC How Affect | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after December 1st, you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after April 15 2025 (previously December 1st), you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". |
| 2025-03-01 | MC Last Updated | 02/14/2025 21:37:02 | 2025-02-28T17:27:08Z |
| 2025-03-01 | MC End Time | 05/05/2025 10:00:00 | 2025-06-30T10:00:00Z |
| 2025-03-01 | MC Summary | Starting February 3, 2025, Exchange Online will drop messages with multiple From addresses without a Sender header to comply with RFC 5322. Affected users were notified on October 15. To prevent issues, ensure messages with multiple From addresses include a Sender header. | Starting April 15, 2025, Exchange Online will reject emails with multiple From addresses without a Sender header to comply with RFC 5322. Tenants sending high volumes of such emails are opted out temporarily. Organizations must ensure emails with multiple From addresses include a single Sender address to avoid NDR errors. |
| 2025-02-15 | MC Last Updated | 01/31/2025 17:35:05 | 2025-02-14T21:37:02Z |
| 2025-02-15 | MC Messages | Updated January 31, 2025: We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of February with an updated timeline for tenants that are opted out.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). | Updated February 14, 2025: We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of March with an updated timeline for tenants that are opted out.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
| 2025-02-15 | MC End Time | 03/03/2025 09:00:00 | 2025-05-05T10:00:00Z |
| 2025-02-01 | MC Messages | Updated November 6, 2024: We have updated the content. Thank you for your patience.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). | Updated January 31, 2025: We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of February with an updated timeline for tenants that are opted out.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
| 2025-02-01 | MC Last Updated | 11/08/2024 01:37:37 | 2025-01-31T17:35:05Z |
| 2024-11-08 | MC Last Updated | 09/21/2024 01:49:28 | 2024-11-08T01:37:37Z |
| 2024-11-08 | MC Messages | Updated September 20, 2024: We have updated the content. Thank you for your patience.
Starting December 1st, we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] December 1st, 2024 | Updated November 6, 2024: We have updated the content. Thank you for your patience.
Starting February 3 (previously December 1), we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] February 3, 2025 (previously December 1st) We are delaying the rollout start date from December to February 3rd 2025 in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address. Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet. Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change. For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission). |
| 2024-11-08 | MC End Time | 02/24/2025 09:00:00 | 2025-03-03T09:00:00Z |
| 2024-11-08 | MC Summary | Starting December 1st, Exchange Online will reject emails with multiple From addresses without a Sender header, to comply with RFC 5322. Noncompliance can lead to sender impersonation. Affected organizations will be notified by October 15th if they had significant noncompliant traffic in September. | Starting February 3, 2025, Exchange Online will drop messages with multiple From addresses without a Sender header to comply with RFC 5322. Affected users were notified on October 15. To prevent issues, ensure messages with multiple From addresses include a Sender header. |
| 2024-09-21 | MC MessageTagNames | User impact, Admin impact | Updated message, User impact, Admin impact |
| 2024-09-21 | MC Summary | Starting October 15th, Exchange Online will reject emails with multiple From addresses without a Sender header, to comply with RFC 5322. Organizations should ensure a single address in the Sender header to avoid non-delivery reports (NDRs) with error code 550 5.1.20. Feedback on this change is welcomed. | Starting December 1st, Exchange Online will reject emails with multiple From addresses without a Sender header, to comply with RFC 5322. Noncompliance can lead to sender impersonation. Affected organizations will be notified by October 15th if they had significant noncompliant traffic in September. |
| 2024-09-21 | MC Last Updated | 09/10/2024 02:59:50 | 2024-09-21T01:49:28Z |
| 2024-09-21 | MC Messages | Starting October 15th, we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online.
We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] October 15, 2024 | Updated September 20, 2024: We have updated the content. Thank you for your patience.
Starting December 1st, we're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online. If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs. We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header. [When this will happen:] December 1st, 2024 |
| 2024-09-21 | MC How Affect | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after October 15th, you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". | If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after December 1st, you will get an NDR error code 550 5.1.20 "Multiple From addresses are not allowed without Sender address'". |
| 2024-09-21 | MC Title | Reject multiple From addresses (P2 From headers) without a Sender header | (Updated) Reject multiple From addresses (P2 From headers) without a Sender header |
| 2024-09-21 | MC End Time | 12/31/2024 09:00:00 | 2025-02-24T09:00:00Z |
Last updated 4 weeks ago
