Enable High Volume Email for Microsoft 365

In this article, I will help you better understand what the High Volume Email service in Microsoft 365 is and how it works. Also, I will walk you through the steps on how to set it up and test it.

What is High Volume Email?

The High-Volume Email service in Microsoft 365 enables you to send a higher volume of emails to your internal users compared to a standard Exchange Online user. The service uses the legacy SMTP protocol to relay emails internally, which must be manually enabled for your HVE account before it is usable. 

HVE is not like your existing SMTP client submission service with Office 365. Instead:

  • You must use port 587 and TLS.
  • You cannot send emails outside of your organisation.
  • Emails are not saved in the sent items folder.
  • The HVE account does not need to be licensed.

Use cases for High Volume Email

Fundamentally, High Volume Email will support organisations in completing final migrations to Exchange Online by removing the final needs for on-premises infrastructure. Organisations that must send over 10,000 in a 24-hour period, or over 30 messages per minute, likely still rely on their on-premises Exchange servers to meet that need. With HVE, the limit has been increased tenfold, providing organisations with more support for decommissioning legacy infrastructure.

Overall, HVE provides support for larger organisations with a high number of internal users to implement email-based solutions for internal services, such as:

  • CRM systems for internal management.
  • Internal newsletters. 
  • High-volume document scanning.
  • Alerting or notification systems.
  • and much more…

High Volume Email Limits

HVE supports a significantly higher email volume than a standard Exchange Online user mailbox. The below matrix details the difference between an Exchange Online mail and a High Volume Email account.

Feature Exchange Online High Volume Email
Rate limit 10,000 recipients per day 100,000 recipients per day
Message limit 30 messages per minute No limit

High Volume Email SMTP endpoint

The table below details the service information for communicating with the High Volume Email SMTP endpoint for Microsoft 365. Use this information when you need to send High Volume Email internally within your organisation from your application or script.

SMTP Server smtp-hve.office365.com
Port 587
TLS STARTTLS
Authentication Username and Password

Prepare your tenant for High Volume Email

High-volume email features in Exchange Online are blocked by default. This is because they used the legacy SMTP authentication protocol to send emails, which is now blocked by default in Exchange Online. To use HVE, you must ensure your tenant needs the following requirements.

Security Defaults must be disabled

 To disable Security Defaults, follow the below steps:

  1. Log in to entra.microsoft.com.
  2. Expand Identity and select Overview.
  3. Click Properties, then select Manage security defaults at the bottom of the page.
  4. Select Disabled in the drop-down box and click Save.

Conditional Access must not be blocking legacy protocols

For the accounts you wish to send High Volume Email from, Conditional Access policies targeting legacy protocols with a block control, should have your HVE accounts excluded from them. Check your existing policy using the below steps:

  1. Log in to entra.microsoft.com.
  2. Expand Protection and select Conditional Access.
  3. Click Policies, then select Add filter.
  4. From the filter drop-down box, select Grant control, check the box next to Block access and click Apply.
  5. Evaluate the policies listed and exclude your HVE accounts from any that block legacy protocols.

SMTP Auth must be enabled on your HVE accounts

Because HVE accounts are not user mailboxes, you cannot directly enable SMTP authentication using PowerShell or the Microsoft 365 Admin portal. Instead, while the account has SMTP auth enabled by default, authentication policies in Exchange Online may still impact this account if a default policy has been created an applied to all user accounts. For this reason, it is recommended that you create a new Authentication policy in Exchange Online with SMTP auth enabled and apply it to your HVE accounts.

Create a High Volume Email account

To create a High Volume Email account in Exchange Online using PowerShell, first connect using the Connect-ExchangeOnline cmdlet, then use the New-MailUser cmdlet to create the account. Modify the below example to create a new HVE account in your tenant.

Connect-ExchangeOnline

$smtpPassword = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force

New-MailUser -LOBAppAccount `
-Name "HVEAccount01" `
-Password $smtpPassword `
-PrimarySmtpAddress "[email protected]"

Create an Authentication policy to allow SMTP auth

Once your new HVE account is created, you need to ensure no authentication policies impact the enablement of SMTP authentication. As this account is not a mailbox, you cannot use the traditional method of enabling SMTP authentication through the Microsoft 365 admin portal, it must be done with PowerShell. Use the below example to create a new authentication policy with AllowBasicAuthSmtp enabled and assign it to your newly created HVE account.

New-AuthenticationPolicy -Name "Allow basic auth"

Set-AuthenticationPolicy -Identity "Allow basic auth" -AllowBasicAuthSmtp:$true

Set-User -Identity [email protected] -AuthenticationPolicy "Allow basic auth"

Set-User -Identity [email protected] -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

Once the authentication policy has been applied and the SRS Refresh Token has been renewed, you will need to wait around 30 minutes for it to take effect.

Test High Volume Email with PowerShell

Once the HVE account is fully configured and your tenant is ready, using PowerShell is the quickest way to ensure everything is set up correctly. 

Copy the code example below and modify the values in the first 3 lines of code. If you do not receive an error when the code is run, then the request has been sent successfully.

$toAddress = "%address%"
$smtpUsername = "%username%"
$smtpPassword = ConvertTo-SecureString -String "%password%" -AsPlainText -Force
$smtpCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $smtpUsername, $smtpPassword

$sendMailMessage = @{
    From = $smtpUsername
    To = $toAddress
    Subject = 'Hello from HVE'
    Body = "This email is from the HVE endpoint"
    SmtpServer = 'smtp-hve.office365.com'
    Port = '587'
}
Send-MailMessage @sendMailMessage -UseSSL -Credential $smtpCredential

Once the message is received, it will look like any other email. The message ‘received’ header clearly indicates that the message is being received from the Office 365 substrate (substrate.office.com) and not the usual prod.outlook.com endpoint.

Can I assign a license to a HVE account?

No. Once a license is assigned a license in Microsoft 365, the account is migrated from a MailUser to a UserMailbox automatically. When you attempt to send an email through the HVE endpoint after a license is assigned to the user, you will get the following error:

The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.57 Client not authenticated to send mail. Error: 451 4.7.0 Temporary server
error. Please try again later AUTH2003

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has One Comment

  1. Alexandre

    Thanks a lot , nice article

Leave a Reply