Deprecation of SMTP Authentication (Client Submission) in Exchange Online

As technology evolves, so do the tactics of cyber threats. In line with the efforts to protect users’ data in Exchange Online, Microsoft announced a significant change: the retirement of Basic authentication for Client Submission (SMTP AUTH) by September 2025! 📅. After this time, applications and devices will be required to transition from Basic auth to OAuth for SMTP Auth when sending emails.

Basic authentication, a legacy method prone to credential theft and brute force attacks, has long been a concern within the Exchange Online ecosystem.

When deprecating basic authentication in Exchange Online, Microsoft gave a lenient time to SMTP authentication alone. This is due to the extensive reliance of numerous devices and applications on SMTP for sending emails. However, Microsoft has disabled the SMTP protocol for those who have not been using it or never used it.

Despite efforts to deprecate Basic authentication over several years, SMTP Auth remained an exception. But the exception is no more! Recognizing the critical importance of strengthening security measures, Microsoft announced the decisive step to remove Basic authentication entirely from Client Submission on April 15, 2024.

Basic authentication is an outdated method that transmits credentials in plain text, making it vulnerable to attacks. Upgrading to OAuth not only enhances the security of your email service by utilizing encrypted token-based authentication but also provides additional layers of protection for your data.

The four phases of retirement of Basic auth for client submission (SMTP AUTH) are as follows.

1️⃣September 2024: SMTP AUTH Clients Submission Report in the Exchange admin center updates to show if Basic auth or OAuth is being used to submit email to Exchange Online.

2️⃣January 2025: Microsoft will be sending a Message Center alert notification to tenants who are currently utilizing Basic authentication with Client Submission (SMTP AUTH).

3️⃣August 2025: Microsoft will send another Message Center post to tenants who are still using Basic auth with Client Submission (SMTP AUTH) about 30 days before disabling it.

4️⃣September 2025: Basic auth will be permanently disabled.

Once the support for Basic auth with the client submission endpoints such as smtp.office365.com
smtp-legacy.office365.com are permanently disabled, any clients or apps connecting using Basic auth with Client Submission (SMTP AUTH) will receive the following error.

“550 5.7.30 Basic authentication is not supported for Client Submission.”

Note: If your email client supports OAuth, you can switch authentication methods by following the steps provided by Microsoft.

If your client doesn’t support OAuth or you need to continue using Basic Auth, consider switching to alternatives like:

• If you’re using Basic authentication for Client Submission (SMTP AUTH) to send emails within your organization, you can benefit from High Volume Email for Microsoft 365.
• High Volume Email (HVE) is designed to handle lots of emails efficiently, perfect for business apps and scenarios involving high volumes of SMTP traffic.

• If you’re using Basic authentication for Client Submission (SMTP AUTH) to send emails both within and outside your organization, Azure Communication Services Email is your alternate solution.
• Azure Communication Services Email provides a centralized platform for managing outgoing emails for all B2C communications.
• With SMTP support, it’s easy to send emails and have greater control over outgoing messages.

• If you have an on-premises Exchange Server in a hybrid setup, you can use Basic authentication to connect to it or set up a Receive connector.
• This connector ensures that only authorized network hosts can anonymously relay messages, maintaining control over its usage.

In conclusion, all these steps taken to retire basic auth for client submission (SMTP AUTH) ultimately contribute to improved email security. Another significant revelation accompanying this update was the introduction of an external recipient rate limit for EXO. This means that Exchange Online will now enforce a limit of 2,000 external recipients within a 24-hour period.

As a final note, we want to emphasize that Microsoft does not currently have plans to grant exceptions for SMTP going forward. Therefore, contacting support for such exceptions will no longer be feasible. Instead, we strongly recommend encouraging users to explore alternative solutions to meet their needs.

Thanks for reading! Feel free to reach us through the comment section for further assistance.