From eb078724a4dd0243c15cf034070b9376a3540ada Mon Sep 17 00:00:00 2001 From: Jeremy Conley Date: Tue, 2 Jun 2026 16:21:57 -0700 Subject: [PATCH 1/2] Add custom domain email requirements to B2B invitation email docs Add prerequisites section covering mail-enabled tenant requirements, MOERA domain guidance, and DNS configuration (SPF, DKIM, DMARC) for custom domain invitation emails. Includes guidance for both Exchange Online and third-party gateway scenarios. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/external-id/invitation-email-elements.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docs/external-id/invitation-email-elements.md b/docs/external-id/invitation-email-elements.md index d974eb48b15..fc38867e1c2 100644 --- a/docs/external-id/invitation-email-elements.md +++ b/docs/external-id/invitation-email-elements.md @@ -36,6 +36,42 @@ Before December 2025, invitations originate from Microsoft Invitations invites@m > For the Azure service operated by [21Vianet in China](/azure/china/), the sender address is `.partner.onmschina.cn`. > For [Microsoft Entra ID for government](/azure/azure-government/), the sender address is `.onmicrosoft.us`. +### Custom domain email requirements + +When invitation emails are sent from your organization's custom domain (rather than the default MOERA domain), the following requirements must be met for successful delivery. + +#### Mail-enabled tenant + +Your tenant must be mail-enabled with an Exchange Online (EXO) license. Without this, invitation emails can't be sent from a custom domain. If your tenant doesn't meet this requirement, invitations are sent from `microsoft.com` instead. + +#### Avoid MOERA (Microsoft Online Email Routing Address) domains + +MOERA domains (`.onmicrosoft.com`) are **strongly discouraged** for sending invitation emails because: + +- MOERA domains are subject to [throttling limits](https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4292065). +- Emails sent from MOERA domains have a high likelihood of being filtered as spam. + +[Set a verified custom domain as the default domain for your tenant](/microsoft-365/admin/setup/add-domain). + +#### DNS configuration (SPF, DKIM, DMARC) + +Email authentication records must be configured in DNS based on how your organization routes outbound email. Owning and verifying a custom domain in Microsoft Entra ID alone isn't sufficient — DNS records must also be in place. + +- **Outbound mail goes directly through Exchange Online** — Configure SPF, DKIM, and DMARC based on Microsoft 365 settings: + - [Add DNS records to connect your domain](/microsoft-365/admin/get-started/add-domain) + - [Set up SPF, DKIM, and DMARC](/defender-office-365/email-authentication-about) + +- **Outbound mail routes through a third-party gateway** (for example, Proofpoint or Mimecast) — Configure SPF, DKIM, and DMARC based on your third-party provider's requirements, not Microsoft 365. Your SPF record should authorize your provider's sending IPs, and DKIM signing is handled by your provider's infrastructure. + +> [!IMPORTANT] +> If your organization doesn't send outbound email directly from Exchange Online, do **not** add Microsoft 365 SPF/DKIM records to your DNS. Instead, align your DNS authentication records with the third-party service that handles your outbound mail. + +#### Related resources + +- [Add a custom domain to Microsoft 365](/microsoft-365/admin/setup/add-domain) +- [Set up email authentication (SPF, DKIM, DMARC)](/defender-office-365/email-authentication-about) +- [Limiting onmicrosoft domain usage for sending emails](https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4292065) + ### Reply To The reply-to email is set to the inviter's email when available, so that replying to the email sends an email back to the inviter. From 66f52b1a700cda1b95f6f65f04b4647bb5d991ae Mon Sep 17 00:00:00 2001 From: jconley76 <100385591+jconley76@users.noreply.github.com> Date: Thu, 4 Jun 2026 13:37:36 -0700 Subject: [PATCH 2/2] Apply reviewer suggestions: add ai-usage, remove microsoft.com reference, move section, reformat related content Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/external-id/invitation-email-elements.md | 74 ++++++++++--------- 1 file changed, 38 insertions(+), 36 deletions(-) diff --git a/docs/external-id/invitation-email-elements.md b/docs/external-id/invitation-email-elements.md index fc38867e1c2..dfd15e16d62 100644 --- a/docs/external-id/invitation-email-elements.md +++ b/docs/external-id/invitation-email-elements.md @@ -5,6 +5,7 @@ ms.topic: concept-article ms.date: 12/05/2025 ms.collection: M365-identity-device-management ms.custom: it-pro, seo-july-2024, sfi-image-nochange +ai-usage: ai-assisted # Customer intent: As a B2B collaboration user, I want to understand the elements of the invitation email, so that I can effectively invite partners to join my organization and provide them with the necessary information to make an informed decision. --- @@ -36,42 +37,6 @@ Before December 2025, invitations originate from Microsoft Invitations invites@m > For the Azure service operated by [21Vianet in China](/azure/china/), the sender address is `.partner.onmschina.cn`. > For [Microsoft Entra ID for government](/azure/azure-government/), the sender address is `.onmicrosoft.us`. -### Custom domain email requirements - -When invitation emails are sent from your organization's custom domain (rather than the default MOERA domain), the following requirements must be met for successful delivery. - -#### Mail-enabled tenant - -Your tenant must be mail-enabled with an Exchange Online (EXO) license. Without this, invitation emails can't be sent from a custom domain. If your tenant doesn't meet this requirement, invitations are sent from `microsoft.com` instead. - -#### Avoid MOERA (Microsoft Online Email Routing Address) domains - -MOERA domains (`.onmicrosoft.com`) are **strongly discouraged** for sending invitation emails because: - -- MOERA domains are subject to [throttling limits](https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4292065). -- Emails sent from MOERA domains have a high likelihood of being filtered as spam. - -[Set a verified custom domain as the default domain for your tenant](/microsoft-365/admin/setup/add-domain). - -#### DNS configuration (SPF, DKIM, DMARC) - -Email authentication records must be configured in DNS based on how your organization routes outbound email. Owning and verifying a custom domain in Microsoft Entra ID alone isn't sufficient — DNS records must also be in place. - -- **Outbound mail goes directly through Exchange Online** — Configure SPF, DKIM, and DMARC based on Microsoft 365 settings: - - [Add DNS records to connect your domain](/microsoft-365/admin/get-started/add-domain) - - [Set up SPF, DKIM, and DMARC](/defender-office-365/email-authentication-about) - -- **Outbound mail routes through a third-party gateway** (for example, Proofpoint or Mimecast) — Configure SPF, DKIM, and DMARC based on your third-party provider's requirements, not Microsoft 365. Your SPF record should authorize your provider's sending IPs, and DKIM signing is handled by your provider's infrastructure. - -> [!IMPORTANT] -> If your organization doesn't send outbound email directly from Exchange Online, do **not** add Microsoft 365 SPF/DKIM records to your DNS. Instead, align your DNS authentication records with the third-party service that handles your outbound mail. - -#### Related resources - -- [Add a custom domain to Microsoft 365](/microsoft-365/admin/setup/add-domain) -- [Set up email authentication (SPF, DKIM, DMARC)](/defender-office-365/email-authentication-about) -- [Limiting onmicrosoft domain usage for sending emails](https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4292065) - ### Reply To The reply-to email is set to the inviter's email when available, so that replying to the email sends an email back to the inviter. @@ -111,6 +76,43 @@ The following settings determine the language presented to the guest user in the If you don't configure any of these settings, the language defaults to English (US). +## Custom domain email requirements + +When invitation emails are sent from your organization's custom domain (rather than the default MOERA domain), the following requirements must be met for successful delivery. + +### Mail-enabled tenant + +Your tenant must be mail-enabled with an Exchange Online (EXO) license. Without this, invitation emails can't be sent from a custom domain. + +### Avoid MOERA (Microsoft Online Email Routing Address) domains + +MOERA domains (`.onmicrosoft.com`) are **strongly discouraged** for sending invitation emails because: + +- MOERA domains are subject to [throttling limits](https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4292065). +- Emails sent from MOERA domains have a high likelihood of being filtered as spam. + +To avoid these issues, [set a verified custom domain as the default domain for your tenant](/microsoft-365/admin/setup/add-domain). + +### DNS configuration (SPF, DKIM, DMARC) + +Email authentication records must be configured in DNS based on how your organization routes outbound email. Owning and verifying a custom domain in Microsoft Entra ID alone isn't sufficient — DNS records must also be in place. + +- **Outbound mail goes directly through Exchange Online** — Configure SPF, DKIM, and DMARC based on Microsoft 365 settings: + - [Add DNS records to connect your domain](/microsoft-365/admin/get-started/add-domain) + - [Set up SPF, DKIM, and DMARC](/defender-office-365/email-authentication-about) + +- **Outbound mail routes through a third-party gateway** (for example, Proofpoint or Mimecast) — Configure SPF, DKIM, and DMARC based on your third-party provider's requirements, not Microsoft 365. Your SPF record should authorize your provider's sending IPs, and DKIM signing is handled by your provider's infrastructure. + +> [!IMPORTANT] +> If your organization doesn't send outbound email directly from Exchange Online, do **not** add Microsoft 365 SPF/DKIM records to your DNS. Instead, align your DNS authentication records with the third-party service that handles your outbound mail. + +## Related content + +- [Add a custom domain to Microsoft 365](/microsoft-365/admin/setup/add-domain) +- [Set up email authentication (SPF, DKIM, DMARC)](/defender-office-365/email-authentication-about) +- [Limiting onmicrosoft domain usage for sending emails](https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4292065) + ## Next steps - [B2B collaboration invitation redemption](redemption-experience.md) +