Starting October 15th, we’re going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online.
We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header.
[When this will happen:]
October 15, 2024
[How this affects your organization:]
If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after October 15th, you will get an NDR error code 550 5.1.20 “Multiple From addresses are not allowed without Sender address’”.
[What you can do to prepare:]
When this change is in effect, if you need to send a message that has more than one email address in the From field, make sure that you have a single email address in the Sender header.
If you expect this change to cause any issues for your organization, please share that feedback.
Source: Microsoft
The upcoming update starting October 15th will impact both admins and users who send emails through Exchange Online. Admins will need to ensure that their organization’s email clients, devices, and applications comply with the new requirement of having a single Sender address when using multiple From addresses. Users, on the other hand, may encounter NDR error code 550 5.1.20 if they attempt to send messages with multiple From addresses but without a Sender address header.
In terms of criticality, this update is important for enhancing email security by preventing potential exploitation by attackers. By enforcing the presence of a Sender header with a single address when the From header contains multiple addresses, the update aims to reduce the risk of impersonation and misleading sender information.
So, remember, starting October 15th, keep an eye out for those multiple From addresses without a Sender header to avoid any email mishaps. And if you’re feeling overwhelmed by this change, don’t hesitate to share your feedback. After all, we’re all in this email jungle together!