What is Direct Send?
Direct Send is a method that lets devices and applications (multifunction printers, scanners, line-of-business apps) send email through Microsoft 365 without authenticating. Instead of supplying a username and password, the device connects directly to your tenant's Microsoft 365 MX (SMTP) endpoint and can send email to recipients within your organization.
Is Direct Send Enabled by Default?
Yes. Direct Send is effectively available by default in Microsoft 365. Any device or app can send messages through your Microsoft 365 MX endpoint, provided the recipient is a valid mailbox in your tenant. However, Direct Send cannot deliver to external domains; it only works for internal mail.
Security Risks of Direct Send
• No authentication – anyone who can connect may attempt to send mail into your tenant.
• Potential spoofing – a device (or anyone who can reach the MX endpoint) can set the sender to any internal address, such as ceo@yourdomain.com.
• No encryption guarantees – some devices may not negotiate TLS, sending messages in cleartext.
• Harder to audit – messages are not tied to a login or account, so tracing who actually sent them is more difficult.
• Bypasses modern controls – Conditional Access, MFA, and password policies do not apply.
Best Practices and Alternatives
• Prefer SMTP Authenticated Submission for better security and accountability.
• If Direct Send must be used, configure the device with a single “noreply@domain.com” sender.
• Implement SPF, DKIM, and DMARC to detect or block spoofed messages.
• Use Exchange mail flow rules to flag unauthenticated mail.
• For external relay, configure an authenticated connector tied to specific IP addresses.
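As an added example (not part of the original article), the following Python triage check illustrates the SPF/DKIM/DMARC and mail flow rule bullets above: it reads the From domain and the Authentication-Results header of a message that arrived at the MX endpoint and flags own-domain senders that passed neither DMARC, SPF nor DKIM, which is how an unauthenticated Direct Send message presents. It assumes contoso.com as the tenant domain, assumes the Authentication-Results layout Exchange Online stamps on inbound mail, and uses constructed sample headers; mail submitted by authenticated clients inside the tenant does not take this path and is out of scope.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"contoso.com"}  # assumed tenant domain(s); other From domains are external

def parse_auth_results(value: str) -> dict:
    """Reduce an RFC 8601 Authentication-Results value to {method: result}."""
    results = {}
    for clause in value.split(";"):
        match = re.match(r"\s*(spf|dkim|dmarc|compauth)=([a-z]+)", clause, re.I)
        if match:
            results[match.group(1).lower()] = match.group(2).lower()
    return results

def classify(raw_message: str) -> str:
    """'external', 'internal-authenticated', or 'internal-unauthenticated': an
    own-domain sender with no DMARC/SPF/DKIM pass, the shape Direct Send mail takes."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in ORG_DOMAINS:
        return "external"
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if auth.get("dmarc") == "pass":
        return "internal-authenticated"
    if "dmarc" not in auth and "pass" in (auth.get("spf"), auth.get("dkim")):
        return "internal-authenticated"
    return "internal-unauthenticated"  # no header at all also lands here (conservative)

# Constructed samples (not real traffic); the header layout mirrors what
# Exchange Online stamps on mail accepted at the MX endpoint.
SPOOFED = """From: CEO <ceo@contoso.com>
To: finance@contoso.com
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=contoso.com; compauth=fail reason=000
Subject: Approval needed
"""

RELAYED = """From: Scanner <noreply@contoso.com>
To: bob@contoso.com
Authentication-Results: spf=pass (sender IP is 198.51.100.9)
 smtp.mailfrom=contoso.com; dkim=none header.d=none;
 dmarc=pass action=none header.from=contoso.com
Subject: Scan from MFP-01
"""
```

Messages classified as internal-unauthenticated are the ones a mail flow rule would flag for review; the SPF and DMARC records the bullets above call for are what turn the spf=fail and dmarc=fail results into an enforceable policy.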
How To Configure Direct Send for Devices and Applications
Follow these steps to configure a printer, scanner, or line-of-business app to use Direct Send:
1. Locate Your Microsoft 365 MX Record
– Sign in to the Microsoft 365 Admin Center.
– Go to Settings > Domains.
– Select your domain (e.g., contoso.com).
– Locate the MX record (it will look like contoso-com.mail.protection.outlook.com).
– Copy this value; it is the SMTP server address the device will use.
2. Configure Your Device or Application
– Open the email or SMTP settings on the device/app.
– Set the SMTP server to your MX record value.
– Set the Port to 25.
– Disable any authentication options (username/password not required).
– Disable TLS/SSL only if your device cannot negotiate encryption (the message then crosses the network in cleartext, as noted under Security Risks).
3. Set the Sender Address
– Use a valid Microsoft 365 mailbox address in your domain (e.g., noreply@yourdomain.com).
– Ensure this mailbox exists in Exchange Online to prevent spoofing issues.
4. Test Internal Delivery
– Send a test email from the device to an internal recipient (e.g., your own mailbox).
– Confirm the email arrives successfully.
5. Note the Limitations
– Direct Send cannot send email to external domains.
– Emails are limited to recipients inside your tenant.
– For external recipients, use SMTP Authenticated Submission or a Connector.
Summary
Direct Send is enabled by default in Microsoft 365 for internal delivery only. While convenient, it presents security risks due to lack of authentication and potential spoofing. For most scenarios, SMTP authentication or secure connectors should be used instead.
If Direct Send is chosen, configure it carefully using the steps above, restrict usage to a dedicated “noreply” account, and implement protections such as SPF, DKIM, and DMARC to safeguard against abuse.