Preventing Users from Sending Emails to Too Many Recipients in Exchange Server

Posted on by

๐Ÿ”น Introduction

As an Exchange Server administrator, one of the key ways to protect your environment from misuse or accidental spam is to limit how many recipients a user can send an email to at once. This helps avoid internal spam, reduces the risk of phishing, and improves server performance.

In this post, Iโ€™ll walk you through how I implemented a policy that limits users to a maximum of 20 recipients per message, and how I monitor and enforce this behavior using PowerShell and Exchange settings.

๐Ÿ”น Why Limit Recipient Count?

  • โŒ Prevent accidental or intentional bulk mail
  • ๐Ÿ›ก๏ธ Protect internal users from spam
  • ๐Ÿ” Reduce impact of compromised accounts
  • ๐Ÿ“ˆ Improve mail flow efficiency

๐Ÿ”น Step 1: Set Org-Wide Recipient Limit

To enforce a global maximum recipient limit across the organization:

Set-TransportConfig -MaxRecipientEnvelopeLimit 20

You can verify it with: Get-TransportConfig | Select MaxRecipientEnvelopeLimit

๐Ÿ”น Step 2: Ensure Mailboxes Inherit the Limit

By default, mailboxes can override this setting. To force them to use the global value, clear any custom RecipientLimits:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RecipientLimits unlimited

Exception: If some users send above limits, can change limit for specific mailboxes from ECP.

๐Ÿ”น Step 3: Set Send Connector Limit (Optional)

If you’re using a send connector for internet email:

Set-SendConnector -Identity "YourConnectorName" -MaxRecipientsPerMessage 20

๐Ÿ”น Step 4: What Happens When Limit is Exceeded

If someone tries to send an email to more than 20 recipients (To + Cc + Bcc):

  • The message will fail to send
  • The sender will receive an NDR (non-delivery report)
  • Example error: Remote Server returned '550 5.5.3 RESOLVER.ADR.RecipLimit; too many recipients'

Note: Distribution Groups count as 1 recipient unless expanded. Hence, mail send successful.

๐Ÿ”น Step 5: Monitor and Alert on Violations

Hereโ€™s a script I use to detect violations and send an alert:

๐Ÿ”น Conclusion

Enforcing recipient limits is a simple but powerful way to harden your mail system and avoid user mistakes. Combined with regular monitoring, this gives you full control over outbound mail behavior in Exchange Server.