Recipient verification in Exchange and Microsoft 365

The Microsoft Exchange mail server should reject email to non-existing users. If it's wrongly configured, as a result it may be accepting email to non-existent users. Regular mail servers should always have recipient filtering enabled, to automatically reject emails to non-existent users.

The mechanism behind a wrongly setup Exchange is that it first accepts the email, and then decides if it will reject or accept the email, thus generating its own Non-Delivery Report and try to send it back to the sender.

This can consume resources to generate the local NDR and send it back to the original sender, which will then be flooded with Non-Delivery Reports.

To avoid such situations, we recommend to enable the recipient verification on your Exchange email server, as follows:

Exchange 2007

The Recipient Filtering can be enabled or disabled in Microsoft Exchange 2007 email server via the Management Console or the Management Shell, as follows:

Exchange Management Console

  1. In the Exchange Management Console, go to Edge Transport
  2. In the work pane, select the Anti-Spam tab, and then choose Recipient Filtering
  3. Now enable the Recipient Filtering feature

Exchange Management Shell

First open the Management Shell and issue the following command to enable the Recipient Filtering:

Set-RecipientFilterConfig -Enabled $true

To disable recipient filtering, issue the following command in the Management Shell:

Set-RecipientFilterConfig -Enabled $false

For more information, check this article from the Exchange 2007 knowledgebase.

Exchange 2010

The Recipient Filtering can be enabled or disabled in Microsoft Exchange 2010 email server via the Management Console or the Management Shell, as follows:

Exchange Management Console

First open the Management Console on the Edge Transport server.

Click on Edge Transport from the console tree, and select the Anti-Spam tab from the work pane. Now go to Sender Filtering and click enable.

Be advised: You need the necessary permissions to access the anti-spam features from Exchange 2010.

Exchange Management Shell

First open the Management Shell and issue the following command to enable the Recipient Filtering:

Set-SenderFilterConfig -Enabled $true

To disable recipient filtering, issue the following command in the Management Shell:

Set-SenderFilterConfig -Enabled $false

Be advised: You need the necessary permissions to access the anti-spam features from Exchange 2010.

For more information, see the following article from the Exchange 2010 knowledgebase.

Please ensure that you are not using the default standalone installation with no Edge Transport server, because the Anti-Spam function is not installed. To enable it, see more details here.

Exchange 2013

In Exchange 2013 Microsoft has changed the way it handles recipient callouts, by doing this check post DATA. This means even if the recipient validation is enabled on the mail server, any recipient callout (see What are recipient callouts/recipient verification?) responds with a "250 OK" response for invalid recipients, therefore leaving us with no valid way of checking if the recipient is valid or not.

Fortunately there's a workaround for this issue. On a default installation of Exchange 2013, a secondary port is open (port 2525). If you enable “Anonymous Users” on the default hub transport then it is then possible to use this secondary port (2525) for both deliveries and correctly be able to verify recipients with a standard recipient callout.“

Please note that this setup has only been verified in a closed testing environment, and may require testing before deploying on any live setup.

You will also as like other versions still need to make sure that the following has been done.

  1. First check if the Anti-Spam Agent is installed on the server via the shell:

    Get-TransportAgent

  2. Then ensure the Recipient Filter Agent is installed and enabled, if not use the following command:

    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

  3. Now check if it is enabled:

    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

  4. Enable the AddressBook needed for all domains to check for recipients:

    Get-AcceptedDomain | Format-List Name,AddressBookEnabled

  5. If the AddressBook is disabled, use the following command:

    Set-AcceptedDomain example.invalid -AddressBookEnabled $true

    6. Replace example.invalid with your domain

  6. Now restart the Exchange Transport service
  7. To ensure the Recipient validation is enabled issue the following command:

    Set-RecipientFilterConfig -RecipientValidationEnabled $true

  8. Restart the transport service again
  9. Check if the Recipient Filtering actually works by opening a telnet session on port 2525 of the mail server and issue the following:

    10. HELO demo-domain.invalid

    MAIL From:<test@demo-domain.invalid>

    RCPT To:<nonexistent_user@demo-domain.invalid>

    Now ensure Spam Experts uses port 2525 to verify recipients.

Microsoft 365

To enable Recipient Verification in Microsoft 365 you need to have Exchange Online Protection enabled on the server, as well as an Global Admin or an Exchange Company Administrator account.

The Directory Based Edge Blocking (DBEB) feature from Microsoft 365 enables users to reject messages for nonexistent recipients.

To configure and Enable DBEB, use the following steps:

Ensure the domain is set to Internal Relay, by going to EAC > Mail Flow > Accepted Domains > Select your domain and click Edit > check if the domain type is set to Internal relay, if not change it to Internal relay and click Save.

Add your valid users to Microsoft 365 via Directory synchronization, remote Windows Powershell or directly from the Exchange Admin Center (EAC).

Now set your domain to Authoritative. Follow the same path as above, Mail Flow > Accepted Domains > select your domain and set it to Authoritative. After you click Save, please confirm that you wish to enable "Directory Based Edge Blocking".

For more information, see this Microsoft article.