How do I set up Exchange (2003 - 2016) or Office365 to allow verification of the recipient address for incoming messages?

A regularly configured Exchange server should automatically reject messages to non-existent email addresses.

However, an incorrectly configured server may also accept messages to non-existent users, because Exchange first accepts the incoming message and only then decides whether to reject or accept it. If the message is rejected, the Exchange creates its own non-deliverability report and attempts to return it to the sender. This unnecessarily consumes resources, which can be avoided with the following measures. The following changes allow EuropeanMX to perform a recipient callout on your mail server to verify that a recipient is actually existing. Messages to non-existent recipients will be automatically rejected by EuropeanMX.

Exchange 2003

No changes are necessary for Exchange 2003. Recipients should be easily verified and incoming messages delivered.

Exchange 2007

Recipient verification can be easily enabled or disabled from the Exchange 2007 management console or from the management shell.

Exchange Management Console

1. Go to Edge Transport within the Management Console.
2. Click the tab Anti-Spam and select Recipient Filtering.
3. Enable recipient filtering.
   
   

Exchange Management Shell

1. Open the shell and run the following command to enable recipient filtering:
   
   

   Set-RecipientFilterConfig -Enabled $true

2. To deactivate the recipient filtering again, please use the following command:
   
   

   Set-RecipientFilterConfig -Enabled $false

Exchange 2010

Recipient verification can be easily enabled or disabled from the Exchange management console or from the management shell. First, make sure that you are not using the Edge Transport Server standalone installation, which does not have anti-spam functionality installed. In order to enable it, please use the knowledgebase article from Microsoft (https://docs.microsoft.com/en-us/previous-versions/office/exchange-server-2010/bb201691(v=exchg.141)).

Exchange Management Console

1. First open the Administrative Console on the Edge Transport server.
2. In the console tree, click Edge Transport and select the tab Anti-Spam in the workspace. Now go to Sender Filtering and enable it.

Please note that you need the necessary permissions to access the anti-spam feature of Exchange 2010.

Exchange Management Shell

1. Open the shell and enter the following command to enable receiver filtering:
   
   

   Set-SenderFilterConfig -Enabled $true

2. To deactivate the receiver filtering again, please use the following command:
   
   

   Set-SenderFilterConfig -Enabled $false
   

Please note that you need the necessary permissions to access the anti-spam feature of Exchange 2010.

For more information, please visit the Microsoft's Knowledgebase for Exchange 2010.

Exchange 2013

For Exchange 2013, Microsoft has changed the way Recipient Callouts are handled. DATA checks are now performed, which means that the server returns the status 250 OK for messages to invalid recipients, even if recipient validation is enabled, and thus does not give us the opportunity to check a recipient address for validity.

However, this behavior can be prevented with the following workaround. By default, a second port (2525) is opened when installing Exchange 2013. If you now enable the option Anonymous Users on the default hub transport, it is possible to use port 2525 for a proper recipient validation.

1. First, make sure that the Anti-Spam Agent is installed and activated via the shell.
   
   

   Get-TransportAgent

2. Then please make sure that the Receiver Filter Agent is installed and activated.
   
   

   & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

3. Now check whether this is active.
   

   & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

4. Activate the address book that is required for all domains so that recipients can be searched for.
   
   

   Get-AcceptedDomain | Format-List Name,AddressBookEnabled

5. If the address book should be deactivated, please use the following command and replace example.com with your own domain!
   
   

   Set-AcceptedDomain example.com -AddressBookEnabled $true
   

6. Now restart the Exchange Transport Service.
7. To ensure that recipient validation is enabled, please use the following command:
   
   

   Set-RecipientFilterConfig -RecipientValidationEnabled $true

8. Restart the Exchange Transport Service again.
9. Now check whether the receiver filtering really works. To do this, open a Telnet session on port 2525 on your server and request the following data:
   
   

   HELO example.com
   MAIL From:
   RCPT To:

10. In the last step, make sure that EuropeanMX checks the receivers on port 2525. You can view and change the port in the admin panel under Incoming in the menu item Destinations.

Office 365

In order to set up recipient validation in Office 365, Exchange Online Protection must be enabled on the server and you must have a global administrator or an Exchange Company administrator account.

The DBEB (Directory Based Edge Blocking) feature of Office365 allows you to reject messages to non-existent recipients. To enable the feature, please follow these steps:

1. First, make sure that the domain in Office 365 is set to Internal Relay. You can check this by accessing the domain via EAC > Mail Flow > Accepted Domains, then clicking on Edit and then checking that the domain type is set to Internal Relay. If not, change the option and save the change.
   
2. Now add the valid users to Office 365 either through directory synchronization, remote Windows Power Shell, or directly through the Exchange Administration Center (EAC).
   
3. Now change your domain to Authoritative. To do this, select your domain via EAC > Mail Flow > Accepted Domains and set it to Authoritative. After clicking Save, please confirm that you want to use Directory Based Edge Blocking.

For more information, please visit the knowledgebase article from Microsoft.