What are the new Microsoft Exchange receiving limits and how do they work?

Key findings

• Mailbox receiving limit: An Exchange Online mailbox can receive a maximum of 3,600 messages within any given 60-minute rolling window. If this limit is exceeded, the mailbox will temporarily stop accepting messages.
• Sender-recipient pair (SRP) limit: A new limit states that if a single sender sends over 33% of the mailbox's hourly threshold (approximately 1,200 messages) to a specific recipient, the SRP limit will activate, and messages from that sender to that recipient will be blocked. The mailbox will continue to accept mail from other senders.
• Purpose: These limits are primarily designed to prevent single-sender mail storms and deter DoS attacks, ensuring a more stable and reliable mail flow for all users.
• Scope: The limits apply to messages received from the internet, other Microsoft 365 tenants, and on-premises senders.

Key considerations

• Sending practices: While these are receiving limits, high-volume senders, especially those sending transactional emails or notifications, should review their sending patterns to individual recipients. For more general guidance on volume, see our article on how Microsoft handles email volume limitations.
• Impact on specific use cases: These limits are most likely to affect automated systems that send frequent updates to a single user, rather than typical marketing campaigns. However, understanding why Microsoft throttles emails remains important for overall deliverability.
• Monitoring and alerts: Implement robust monitoring for non-delivery reports (NDRs) from Microsoft Exchange Online to quickly identify if your sending is hitting these limits. For more information on these limits, refer to the Microsoft TechCommunity announcement.
• Sender reputation: While intended to protect recipients, repeatedly hitting these limits could indicate problematic sending behavior and potentially impact your sender reputation over time, affecting future email deliverability.

Key opinions

• Unfamiliarity with limits: Many marketers admit they were not aware of these specific hourly receiving limits for mailboxes in Exchange Online, especially the granular sender-recipient pair (SRP) limit.
• Volume perception: The reported thresholds of 3,600 messages per hour to a mailbox, or 1,200 from a single sender, strike many as extraordinarily high for typical marketing communications, leading to questions about the scenarios that would trigger such blocks.
• Primary concern: Marketers are trying to understand if these limits are primarily for preventing denial-of-service (DoS) attacks on mailboxes or if they will indirectly affect legitimate high-frequency transactional emails.
• Impact on transactional email: While unlikely for bulk campaigns, marketers who manage systems sending numerous transactional emails to the same recipient in a short period (e.g., system alerts, frequent updates) are assessing potential impacts.

Key considerations

• Review sending patterns: Although the numbers seem high, it's wise to review how often a single recipient might receive multiple emails from one sender within an hour, especially for automated notifications. Our guide on recommended email send volume increases can offer broader context.
• NDR management: Ensure your systems are configured to properly handle and analyze non-delivery reports, which will provide clues if you hit these receiving limits. This ties into how you handle email sending rate and connection limits from providers generally.
• Segmentation: For high-frequency sends, consider if there are ways to segment or rate-limit messages to individual recipients to avoid triggering the SRP limit. For context on daily limits, see Outlook's general sending limits.
• Internal communication: Organizations using Exchange Online for internal, high-volume communications (e.g., automated alerts to an admin mailbox) should pay closer attention to these receiving limits.

Key opinions

• Anti-abuse focus: Experts largely agree that these receiving limits, especially the SRP limit, are a defensive mechanism against targeted mail floods and DoS attacks on individual mailboxes.
• Granular control: The sender-recipient pair limit is seen as a sophisticated way to mitigate abuse from a specific problematic sender without broadly impacting the recipient's ability to receive mail from others.
• Edge case scenarios: The high thresholds suggest these limits are unlikely to affect standard marketing campaigns but could impact very specific, high-frequency transactional or system-generated email flows targeting individual mailboxes.
• Proactive protection: Microsoft's implementation reflects an ongoing effort to maintain service stability and protect users from disruptive email patterns.

Key considerations

• System architecture: Developers and administrators of systems that generate a high volume of emails to specific recipients, such as monitoring alerts or rapid-fire notifications, should ensure their systems can adapt or rate-limit appropriately. This also aligns with managing temporary rate limiting due to IP reputation.
• Monitoring for impact: While intended for abuse, consistent triggering of these receiving limits could still subtly affect how Microsoft perceives a sender, emphasizing the need to monitor why Microsoft might rate limit your email sends.
• NDR analysis: Understanding the specific non-delivery reports (NDRs) or bounce codes associated with these limits is critical for diagnosing and rectifying issues. Insights into how Microsoft addresses these can be found on Office 365 for IT Pros.
• Holistic view: These limits are part of a broader set of controls; it's important to consider them alongside other Microsoft deliverability factors, including sender reputation and authentication.

Key findings

• Mailbox receiving limits: Microsoft documentation confirms that a Microsoft Office 365 mailbox has a receiving limit of 3,600 messages within a 60-minute window. Exceeding this will cause the mailbox to stop accepting messages from external and internal sources.
• Sender-recipient pair (SRP) limit: Documentation explicitly states the addition of an SRP limit, where if a single sender sends over 33% of the 3,600 messages/hour threshold to a specific recipient, the mailbox will no longer accept messages from that sender.
• Purpose of limits: These limits are in place to help prevent attacks on mail flow experience, block single-sender mail storms, and deter DoS attacks, as stated by Microsoft.
• Impact: When limits are hit, messages are not accepted, and senders will receive non-delivery reports (NDRs).

Key considerations

• NDR information: Microsoft provides detailed information on non-delivery reports in Exchange Online, which are essential for understanding why messages are bounced.
• Mailbox delivery headers: For deeper insights into delivery outcomes, understanding X-Microsoft-Antispam-Mailbox-Delivery Header values can be invaluable.
• Comprehensive limits: These receiving limits are part of a comprehensive set of limitations, including address book, mailbox storage, and tenant-level outbound limits, as detailed in the Exchange Online limits documentation. It's useful to also consider common connection and message limits from other providers.
• Message size limits: Separately, Exchange Online has message size limits, which typically default to 25 MB but can be configured up to 150 MB by administrators.