Microsoft has indefinitely shelved plans to impose new bulk email restrictions in Exchange Online, marking a notable retreat after sustained customer complaints and repeated rollout delays. The decision highlights the challenges facing large cloud providers as they attempt to tighten spam and phishing security controls without disrupting legitimate business operations.

The abandoned proposal centered on a new External Recipient Rate (ERR) limit that would have capped users at 2,000 external recipients within a rolling 24-hour period. First announced in April 2024, Microsoft framed it as a way to curb outbound spam and prevent misuse of Exchange Online resources. The limits were initially scheduled to take effect in early 2025, before being pushed back multiple times as customers struggled to prepare.

By late 2024, Microsoft had already delayed enforcement into 2026. Now, the company has scrapped the change altogether, citing what it described as “significant operational challenges” for customers who rely on bulk email for routine workflows.

“Your feedback matters,” the Exchange team said in a statement, acknowledging that the ERR limit proved too disruptive given the current state of Microsoft’s bulk-sending alternatives. Rather than hard caps, the company said it will pursue “smarter, more adaptive approaches” to tackling outbound email abuse.

Still Fighting Email Abuse

Adding to the customer frustration was the blunt way the limit would have been calculated. Under Microsoft’s design, sending repeated messages to the same external contacts would still count toward the daily cap. For example, 100 emails sent to five external addresses would be tallied as 500 recipients. Admins warned that this approach could easily break automated systems, integrations, and alerting tools that depend on frequent outbound messages.

Many organizations also complained about Microsoft’s suggestion that Azure Communication Services for Email could fill the gap. Customers pushed back, saying that the service does not replicate the deep integrations, compliance features, or operational simplicity of Exchange Online, particularly for businesses already heavily invested in Microsoft’s email ecosystem.

Despite backing away from the ERR limit, Microsoft was careful to stress that it is not loosening its stance on email abuse. Existing safeguards remain in place, including a long-standing recipient rate limit of 10,000 recipients per day and a tenant-level cap of 5,000 external recipients. Those restrictions are unchanged, and the company has signaled that new protections are still in development.

A Broader Industry Challenge

The episode highlights a difficult issue confronting email providers as spam and phishing attacks continue to evolve. Major platforms are under pressure to harden their services, often at the risk of alienating legitimate senders whose use cases fall outside traditional marketing email.

Google, for example, has moved aggressively to tighten its own rules. Since April 2024, Gmail has enforced stricter spam thresholds for bulk senders, automatically blocking messages that fail to meet them, even if the emails are properly authenticated. Under guidelines announced in late 2023, organizations sending more than 5,000 messages per day to Gmail users must configure SPF, DKIM, and DMARC authentication, include a one-click unsubscribe option, and process unsubscribe requests within two days. Failure to comply can result in wholesale rejection of messages.

By contrast, Microsoft’s retreat takes a more cautious approach. While some administrators welcomed the decision as a pragmatic response to real-world feedback, others noted the lack of clarity around what comes next. Microsoft has offered few specifics about the “adaptive” controls it plans to introduce, leaving customers uncertain about how outbound email policies may change in the future.

For now, the message to Exchange Online users is one of temporary relief rather than resolution. The underlying problem, how to prevent abuse without hamstringing legitimate business communication, remains unsolved. Microsoft may have stepped back from one solution, but the pressure to act is unlikely to ease anytime soon.