Starting October 15th, we’re going to start gradually dropping messages that have multiple From addresses (also known as P2 From headers) without a Sender header from being sent via Exchange Online.

We are doing this to comply with RFC 5322 (https://www.rfc-editor.org/rfc/rfc5322#section-3.6.2) which mandates the Sender header to be present and contain a single address if the From header has more than one address. Noncompliance with this could be exploited by attackers, allowing them to impersonate a sender address by misleading the client into using the From header to determine the sender instead of the Sender header.

[When this will happen:]

October 15, 2024

[How this affects your organization:]

If email clients including devices and applications that you use to send messages, do so using multiple From addresses but without a Sender address header after October 15th, you will get an NDR error code 550 5.1.20 “Multiple From addresses are not allowed without Sender address’”.

[What you can do to prepare:]

When this change is in effect, if you need to send a message that has more than one email address in the From field, make sure that you have a single email address in the Sender header.

If you expect this change to cause any issues for your organization, please share that feedback.