Updated July 2, 2025: We have updated the timeline below. Thank you for your patience.
We are proactively opting tenants out of the rollout that were detected as sending high volumes of emails exhibiting multiple From addresses without a Sender address header. These exempted senders will only be able to send emails exhibiting multiple From addresses without a Sender address header to recipients belonging to the same tenant as the sender. We will provide a subsequent update by the end of May 2025 (previously end of March) with an updated timeline for tenants that are opted out.
We're going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being processed via Exchange Online, please review the section "When this will happen" for rollout timeline information for your tenant.
If we see significant traffic exhibiting multiple From addresses (P2 From headers) without a Sender header in your tenant in the month of September, we will send you a Message Center Post by October 15th alerting you and providing some sample message IDs.
We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header.
When this will happen:
General Availability (Worldwide, GCC): We will begin rolling out April 15, 2025, and expect to complete by May 15, 2025.
GCC High, DOD: We will begin rolling out October 7, 2025 (previously July 1), and expect to complete by November 1, 2025 (previously August 1).
We are delaying the rollout start date in order to provide more time to customers for investigating messages exhibiting multiple P2 From Addresses without a Sender Address.
Most of the traffic exhibiting multiple P2 From Addresses without a Sender Address will be inbound spam destined for your tenant sent by malicious spammers on the internet.
Some customers are sending legitimate emails with this malformed header configuration. On October 15, we sent a targeted MC post to customers showing high volumes of messages exhibiting multiple P2 From Addresses without a Sender Address as they may be impacted by this change.
For investigating if you will be impacted by this change, focus your investigation on messages sent using On Premises Inbound Connectors to Exchange Online. Authenticated mail submission is not impacted because submitting messages like this using those submissions are not allowed (Graph, Outlook clients, SMTP AUTH Client Submission).
How this affects your organization:
If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after the change starts rolling out to your environment, you will get an NDR error code 550 5.1.20 “Multiple From addresses are not allowed without Sender address.
What you can do to prepare:
When this change is in effect, if you need to send a message that has more than one email address in the From field, make sure that you have a single email address in the Sender header.
If you expect this change to cause any issues for your organization, please share that feedback.