
On Demand Migration Current - Active Directory Domain Rewrite Quick Start Guide

How does Domain Rewrite select which email address to use for the rewrite?

Domain Rewrite reads Exchange Online attributes, including PrimarySMTPAddress, during the tenant discovery process. When rewrite-as-source is enabled, outbound messages sent from a mailbox in the target tenant are rewritten with the PrimarySMTPAddress value of the source mailbox.

When rewrite-as-target is enabled, outbound messages sent from a mailbox in the source tenant are rewritten with the PrimarySMTPAddress value of the matched target user account. Matched target accounts must be mailbox-enabled users, mail-enabled users, or B2B accounts. Contact objects cannot be used for matching because they do not have the PrimarySMTPAddress attribute. If you provision B2B accounts in the target for Domain Rewrite, assign an address in the target domain as the PrimarySMTPAddress rather than the source mailbox address, and point the external address at the source mailbox's PrimarySMTPAddress.

How does Tenant External Recipient Rate Limit (TERRL) affect Domain Rewrite?

The Tenant External Recipient Rate Limit (TERRL) is a Microsoft Exchange Online threshold policy designed to limit the number of external recipients a tenant can send emails to within a 24-hour period. It's part of Microsoft's efforts to prevent spam and abuse, especially from compromised accounts or misconfigured applications.

Any recipient whose domain is not an accepted domain in your tenant is considered an external recipient, and each message sent to such a recipient counts against your quota. This includes messages sent to recipients in other Microsoft 365 tenants, On-Prem Exchange Servers, or Partner Mail Services.

For Domain Rewrite, both outbound and inbound email messages are routed from the customer’s tenant to the rewrite service for address rewrite and then routed back to the tenant for final delivery. As a result, each message processed through Domain Rewrite is counted as two external messages by Exchange Online. Because of this behavior, both the source and target tenants must have sufficient license capacity to avoid exceeding Microsoft’s TERRL.

For additional information, see Introducing Exchange Online Tenant Outbound Email Limits on Microsoft Community Hub.

Sample limits for tenants with various license counts are shown below:

| Number of Non-trial Email Licenses | Tenant External Recipient Rate Limit |
|---|---|
| 1 | 10,000 |
| 2 | 10,312 |
| 10 | 12,006 |
| 25 | 14,259 |
| 100 | 22,059 |
| 1,000 | 72,446 |
| 10,000 | 324,979 |
| 100,000 | 1,590,639 |

If your tenant exceeds its daily outbound sending limit, subsequent messages sent to external recipients will be blocked and senders will receive one of the following bounce messages (also known as Non-Delivery Receipts or NDRs):

Trial tenants: 550 5.7.232 - Your message can't be sent because your trial tenant has exceeded its daily limit for sending email to external recipients (tenant external recipient rate limit)

Non-trial tenants: 550 5.7.233 - Your message can't be sent because your tenant exceeded its daily limit for sending email to external recipients (tenant external recipient rate limit)

To help ensure that both tenants have sufficient license capacity, follow the best practices below:

  • Source rewrite as Target: Although Domain Rewrite works with target accounts that are MEUs, Guests, or MBEUs, the recommendation is to always mailbox-enable the target accounts.
  • Target rewrite as Source: Although Domain Rewrite works with source user and shared mailboxes, the recommendation is to keep source user mailboxes licensed instead of converting them to shared.
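
A capacity check for the TERRL guidance above, as an added example that is not part of the original guide or Quest's tooling. The limit formula is the one Microsoft published in its TERRL announcement and reproduces each row of the sample table; the function names, the 80% warning threshold, and the tenant volumes are assumptions constructed for illustration.

```powershell
# Added example, not Quest or Microsoft code.
# Formula from Microsoft's TERRL announcement; it matches the sample table.
function Get-TerrlLimit {
    param([Parameter(Mandatory)][ValidateRange(1, 2147483647)][int]$Licenses)
    [long][math]::Round(500 * [math]::Pow($Licenses, 0.7) + 9500)
}

function Test-TerrlHeadroom {
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][int]$Licenses,
        [Parameter(Mandatory)][long]$RewrittenPerDay,  # handled by Domain Rewrite
        [long]$OtherExternalPerDay = 0,                # ordinary external mail
        [double]$WarnAt = 0.8                          # assumed alert threshold
    )
    $limit = Get-TerrlLimit -Licenses $Licenses
    # Per the guide, each rewritten message counts twice against TERRL.
    $projected = 2 * $RewrittenPerDay + $OtherExternalPerDay
    $status = if ($projected -gt $limit) {
        'OverLimit'
    } elseif ($projected -ge $WarnAt * $limit) {
        'Warning'
    } else { 'OK' }
    [pscustomobject]@{
        Tenant      = $Tenant
        Licenses    = $Licenses
        Limit       = $limit
        Projected   = $projected
        PercentUsed = [math]::Round(100 * $projected / $limit, 1)
        Status      = $status
    }
}

# Constructed daily volumes: a licensed source tenant and a target tenant
# whose matched accounts are mostly unlicensed.
@(
    @{ Tenant = 'source'; Licenses = 1000; RewrittenPerDay = 30000; OtherExternalPerDay = 5000 }
    @{ Tenant = 'target'; Licenses = 25; RewrittenPerDay = 30000 }
) | ForEach-Object { $p = $_; Test-TerrlHeadroom @p } | Format-Table
```

Run it for both tenants, since rewritten mail counts against the source and the target quota alike.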

Will Domain Rewrite continue working if I delete the matched target account?

No, Domain Rewrite requires a valid source and target account. If you delete the target account, then Domain Rewrite will mark the object as deleted during the next scheduled tenant discovery and will no longer rewrite messages for that mailbox.

Will Domain Rewrite work for a source mailbox that has a contact object in the target tenant?

You cannot match a source mailbox to a contact object in the target tenant for Domain Rewrite processing. The source mailbox must be matched to a mail user, mailbox, or B2B account in the other tenant. However, if the target tenant also has contact objects representing the source mailboxes, then you may need to update them so that they do not hinder Domain Rewrite processing.

When enabling Domain Rewrite for mailboxes that have contacts in the other tenant, ODM will attempt to add the contacts to specific Domain Rewrite groups. This action will fail if the contacts were not created by ODM Directory Sync. This can be resolved either by deleting the pre-existing contacts or by updating an attribute on them that authorizes ODM to add them to the Domain Rewrite groups.

For contacts created in Active Directory, set AdminDescription = Created by DirSync

For cloud-only contacts, use PowerShell to set CustomAttribute15 = Created by DirSync
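
One way to apply the cloud-only contact setting above without overwriting a CustomAttribute15 value that is already used for something else, as an added example that is not Quest's code. It assumes an existing Exchange Online PowerShell session; the function name `Set-OdmContactMarker` and the sample addresses are hypothetical.

```powershell
# Added example, not Quest code. Requires an Exchange Online PowerShell
# session (Connect-ExchangeOnline) with rights to modify mail contacts.
function Set-OdmContactMarker {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Identity)
    begin { $marker = 'Created by DirSync' }
    process {
        $contact = Get-MailContact -Identity $Identity -ErrorAction SilentlyContinue
        if (-not $contact) {
            $result = 'NotFound'
        } elseif ($contact.CustomAttribute15 -eq $marker) {
            $result = 'AlreadySet'
        } elseif ($contact.CustomAttribute15) {
            # Attribute holds another value: leave it for manual review.
            $result = "Skipped (holds '$($contact.CustomAttribute15)')"
        } elseif ($PSCmdlet.ShouldProcess("$($contact.PrimarySmtpAddress)",
                "Set CustomAttribute15 = $marker")) {
            Set-MailContact -Identity $contact.Guid.ToString() -CustomAttribute15 $marker
            $result = 'Updated'
        } else {
            $result = 'NotChanged (WhatIf)'
        }
        [pscustomobject]@{ Contact = $Identity; Result = $result }
    }
}

# Constructed placeholder addresses; review the -WhatIf output before
# running again without it.
'user1@source.example', 'user2@source.example' | Set-OdmContactMarker -WhatIf
```

Because the marker authorizes ODM to add the contact to the Domain Rewrite groups, pass in only contacts you have reviewed rather than every contact in the tenant.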
