
Microsoft Throttles and Blocks Emails from Outdated Exchange Servers: What You Need to Do Now

Daniel Christ, Consultant Digital Workplace, Microsoft 365

Microsoft has broadly activated its transport enforcement system in Exchange Online (EXO). Emails sent from outdated or unpatched on-premises Exchange Servers to Exchange Online are now first throttled and subsequently blocked. This behavior is visible, among other places, in the new Mail Flow Report in the Exchange Admin Center (EAC). For affected organizations, there is no realistic alternative to a rapid move to Exchange Server Subscription Edition (SE).

In this blog post, you’ll learn about the technical background, how to check whether your organization is affected using the new Mail Flow Report, and what concrete steps you should take now.

 

What Exactly Has Microsoft Enabled – and Why?

For some time now, Microsoft has been protecting Exchange Online with a transport-based enforcement system. This system evaluates incoming connections from on-premises Exchange Servers based on their support status and patch level. Servers that are out of support or significantly behind on updates are classified as persistently vulnerable.
Mail flow from these sources is initially throttled and, if remediation does not occur, ultimately blocked. The background is Microsoft’s Zero Trust strategy and the well-documented risks associated with unpatched systems.

Important: Microsoft has gradually expanded the rollout and explicitly states that throttling and blocking can now apply to all Exchange versions, including Exchange Server 2019, if they are significantly outdated (for example, missing CUs or SUs).

The three components of the system:

  • Reporting: You receive visibility into which on-premises servers in your organization are considered outdated.
  • Throttling: Mail delivery is intentionally delayed; SMTP error 4.7.230 indicates throttling.
  • Blocking: Mail delivery is temporarily rejected; SMTP error 5.7.230 signals blocking.

Microsoft’s goal is not to disrupt legitimate email traffic, but to prevent insecure connections into the cloud and to enable administrators to remediate vulnerabilities.

How Can I Tell If We Are Affected? The New Mail Flow Report in the EAC

Analysis is handled conveniently in the new Exchange Admin Center (EAC) under Reports → Mail flow. These Mail Flow Reports provide visibility into trends and help identify delivery issues. For this topic, the most relevant report is “Out-of-date connecting on-premises Exchange servers.” It shows which on-premises servers (including version and patch level) are being captured by the enforcement logic and to what extent throttling or blocking is applied.

How to access it:

  • Open the new EAC, then go to Reports → Mail flow. Alternatively, use the direct link to the Mail Flow Reports.
  • In the report “Out-of-date connecting on-premises Exchange servers,” you can see affected systems and, if necessary, initiate an enforcement pause (see below).

Tip: Access to these reports requires appropriate permissions (e.g., Exchange Administrator, Organization Management, Security Administrator/Reader). The full role mapping is documented in Microsoft’s Mail Flow Reports documentation.

 

What Happens Technically During Throttling and Blocking?

When a persistently vulnerable Exchange Server sends mail to EXO, the system responds with progressively stricter measures:

  1. Notification / reporting in the EAC (and potentially via Message Center or reports).
  2. Throttling (delivery delays), visible as SMTP 4.7.230 in on-premises logs.
  3. Blocking (temporary rejection), visible as SMTP 5.7.230.
     

These measures escalate as long as no remediation (upgrading or patching) takes place. Microsoft emphasizes that protecting Exchange Online recipients takes priority and that enforcement behavior is dynamically adjusted.
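
To see which stage a server has reached, the SMTP responses in the on-premises logs can be matched on the two status codes. The following PowerShell is an added example, not part of the original post or of Microsoft's tooling; it assumes protocol logging is enabled on the send connector to Exchange Online, and the log lines, connector name and response wording are constructed.

```powershell
# Constructed sample of an SMTP send protocol log (not real data). Assumption:
# the usual comma-separated layout, with '<' marking a response from the remote side.
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2025-01-01T08:00:01.000Z,Outbound to Office 365,08DD000000000001,5,10.0.0.5:25001,203.0.113.10:25,<,250 2.1.0 Sender OK,
2025-01-01T08:05:12.000Z,Outbound to Office 365,08DD000000000002,5,10.0.0.5:25002,203.0.113.10:25,<,450 4.7.230 constructed throttling response,
2025-01-01T09:05:40.000Z,Outbound to Office 365,08DD000000000003,5,10.0.0.5:25003,203.0.113.10:25,<,450 4.7.230 constructed throttling response,
2025-01-02T08:10:03.000Z,Outbound to Office 365,08DD000000000004,5,10.0.0.5:25004,203.0.113.10:25,<,550 5.7.230 constructed blocking response,
2025-01-02T08:10:04.000Z,Outbound to Office 365,08DD000000000004,6,10.0.0.5:25004,203.0.113.10:25,>,QUIT,
'@ -split "`r?`n"

function Get-EnforcementHit {
    # Hypothetical helper: returns one object per remote response carrying 4.7.230 or 5.7.230.
    param([string[]]$Line)
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $stage  = @{ '4.7.230' = 'Throttled'; '5.7.230' = 'Blocked' }
    $Line | Where-Object { $_ -and $_ -notmatch '^#' } |   # skip blank and header lines
        ConvertFrom-Csv -Header $fields |
        ForEach-Object {
            # Only responses received from the remote server, matched on the enhanced status code
            if ($_.event -eq '<' -and $_.data -match '^[45]\d\d[ -]([45]\.7\.230)\b') {
                [pscustomobject]@{
                    Time      = [datetimeoffset]::Parse($_.'date-time').UtcDateTime
                    Connector = $_.'connector-id'
                    Stage     = $stage[$Matches[1]]
                    Response  = $_.data
                }
            }
        }
}

# Summarize per connector and stage: how often, and when first and last seen (UTC)
Get-EnforcementHit -Line $sample | Group-Object Connector, Stage | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        Connector = $_.Group[0].Connector
        Stage     = $_.Group[0].Stage
        Count     = $_.Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
    }
} | Format-Table -AutoSize
```

On a server, pass the lines of the send connector's protocol log files to the function (for example via Get-Content) instead of $sample. A connector that moves from the Throttled row to the Blocked row is following the escalation described above.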

 

Temporary Breathing Room: Pausing Enforcement

If you are under immediate operational pressure (for example, due to critical business processes or migration windows), enforcement can be paused per tenant for up to 90 days per calendar year, either in one block or split into multiple periods. Important: Unused days from a requested pause are not refunded.

Two ways to pause enforcement:

  • Via the EAC:
    Reports → Mail flow → Out-of-date connecting on-premises Exchange servers → “Enforcement Pause”. Enter the number of days and save.
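  • Via PowerShell (Exchange Online Management):
    PowerShell
    # Sign in to Exchange Online
    Connect-ExchangeOnline
    # Request an enforcement pause of 90 days for the tenant
    New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays 90
    # Display the tenant's exemption (pause) information
    Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer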

This pause is not a substitute for an upgrade; it simply gives you time to reach a supported state in a controlled manner.

Strong Recommendation: Migrate to Exchange Server SE

In light of the enforcement measures and end-of-support risks, Microsoft clearly recommends moving to Exchange Server Subscription Edition (SE). SE is the evergreen generation of Exchange Server under the Modern Lifecycle Policy, with no fixed end date, as long as the system remains up to date.

What Is Exchange Server SE?

  • General availability (GA): July 1, 2025
  • Continuous servicing via CUs and HUs; no traditional “next major versions”
  • Coexistence supported with Exchange 2016 and 2019 (but not with Exchange 2013)

Microsoft has refined the roadmap and upgrade approach multiple times, including milestones such as Exchange 2019 CU15 as a bridge, SE RTM, SE CU1/CU2, and clear coexistence rules.

Your Realistic Upgrade Path

  • From Exchange 2019 (CU14/CU15) → SE:
    An in-place upgrade is supported (similar to installing a CU). This minimizes risk and downtime and is Microsoft’s preferred path.
  • From Exchange 2016 → SE:
    A legacy upgrade is required: deploy new servers, migrate mailboxes and workloads, then decommission the old servers. There is no direct in-place upgrade from 2016 to SE.

Microsoft documents this in detail in the SE upgrade guide on Microsoft Learn and in a TechCommunity post, including coexistence restrictions (e.g., no coexistence with Exchange 2013) and best practices.

Why You Should Prioritize SE Now

  • Compliance & Security: Only supported builds receive security updates; essential in a Zero Trust model and today’s threat landscape.
  • Enforcement pressure: Outdated systems cause delivery issues (throttling/blocking) when sending to EXO, disrupting business operations and customer communication.
  • Evergreen model: With SE, you avoid future “big bang” upgrades; staying compliant is achieved through regular CUs.
 

Conclusion & Clear Call to Action

The transport enforcement system is active and is already throttling and blocking emails from outdated on-premises Exchange Servers to Exchange Online. Check your Mail Flow Reports in the EAC immediately.

Use the maximum 90-day enforcement pause only to implement remediation promptly, not as a long-term solution.

Plan the migration to Exchange Server SE as a top priority:

  • From Exchange 2019 CU14/CU15 via in-place upgrade
  • From Exchange 2016 via a legacy upgrade
     

This significantly reduces security, compliance, and operational risks in the long term.

Further information and in-depth guidance can be found in Microsoft Learn (including “Upgrading to Exchange Server Subscription Edition (SE)”) and in Microsoft TechCommunity posts (including “Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online”).

 


Do you have questions about migrating to Exchange Server SE?

Contact us. We’ll be happy to support you.
