Microsoft has introduced a security feature called Reject Direct Send, which blocks spoofed messages sent directly to Microsoft 365 tenants without proper authentication.

If your organization has enabled this feature, Microsoft recommends creating a partner connector to explicitly authorize trusted mail sources, as outlined here.

Ensure SpamHero is using static delivery IPs

Before getting started, confirm that your domain is configured to use the SpamHero static delivery IPs.

1. From within the SpamHero control panel go to Settings > Delivery Mail host or use this shortcut: https://www.spamhero.com/cp/settings/mail-host
2. On the Delivery mail host page, switch your Mail host configuration to Mail host will only accept email from specific IPs or on a specific port. Doing so will ensure that we always use the same IPs to deliver your mail. example

   
   

    

Add a partner connector in Microsoft 365

1. Go to the Exchange Admin Center: https://admin.exchange.microsoft.com/
2. In the left menu, go to Mail flow > Connectors
3. Click the + Add a connector button
4. On the Connection From / To screen:
   • From: Partner organization
   • To: Microsoft 365
5. Click Next and give your connector a name
   Example: Spam Filter Relay
6. When asked how you want to identify email from your partner:
   • Select: Use the sender's IP address
7. Add each of the SpamHero IPs to the list
   

   You can find the list of IPs in the SpamHero control panel on the Delivery Mail host page (under Settings > Delivery Mail host)

8. Under Security restrictions, leave the following options checked:
   • ✅ Reject messages if they aren't sent over TLS (SpamHero uses TLS by default)
   • ✅ Reject messages if they aren't sent from within this IP address range
9. Click Next, review the summary, then click Create connector

Once saved, Microsoft will treat mail from our filtering servers as authenticated — allowing it through, even when Direct Send rejection is enabled.