TL;DR: Microsoft Direct Send lets devices and apps send email through Exchange Online without user credentials, but that convenience also lets attackers spoof domains and push phishing or fraud through trusted Microsoft infrastructure, according to Proofpoint. The security gap is not delivery, it is unauthenticated trust in non-human mail flows.
At a glance
What this is: This is an analysis of Microsoft Direct Send and why unauthenticated application email creates spoofing and fraud risk.
Why it matters: It matters because IAM, security, and email teams need governance over non-human mail flows, not just user authentication, if they want to reduce spoofing, compliance, and brand abuse risk.
👉 Read Proofpoint's analysis of Microsoft Direct Send and Secure Email Relay
Context
Microsoft Direct Send is a convenience feature for devices and applications that need to send mail without a user mailbox or standard authentication. That convenience becomes a governance gap when non-human mail is treated as implicitly trusted, because attackers can abuse the same unauthenticated path to impersonate internal senders.
The identity issue is not only email security. Application and device mail is a non-human identity problem because the sender is a workload, service, or device rather than a person, which means authentication, signing, and lifecycle control need to be designed explicitly rather than assumed by default.
Key questions
Q: How should security teams govern application and device email sent from Microsoft 365?
A: They should treat application and device mail as a managed non-human identity path, not as a convenience feature. Every sender needs an owner, an approved relay method, logging, and revocation rights. The safest pattern is authenticated relay with DKIM signing and DMARC enforcement, so mail transport is tied to explicit identity rather than implicit trust.
Q: Why does unauthenticated mail relay increase spoofing risk?
A: Because the receiving systems are validating delivery path more than sender identity. If a platform accepts mail without proving who initiated it, attackers can exploit the same path to impersonate internal systems or brands. That makes phishing and fraud easier to scale, especially when recipients trust messages that appear to come from familiar infrastructure.
Q: What breaks when Direct Send is used as the default for non-human mail?
A: The organisation loses a clear identity boundary for machine-generated email. Without authentication, approval, and logging, security teams cannot reliably distinguish legitimate application mail from spoofed or abused sender flows. The result is weak accountability, poor incident containment, and a larger blast radius when one sending source is compromised.
Q: Who is accountable when application mail can spoof the organisation's domain?
A: Accountability should sit jointly with email security, IAM, and the system owner for the sending application or device. Email teams control the domain policy, IAM teams define identity and access governance, and application owners must remove unsupported sending paths. If no one owns the sender, spoofing risk becomes everybody's problem and nobody's control.
Technical breakdown
Why unauthenticated Direct Send breaks mail trust
Direct Send uses Microsoft 365 Exchange Online to relay messages without a user mailbox or credentials. That design reduces setup friction, but it also removes the normal identity checks that protect sender authenticity. If a message is accepted because it originated from Microsoft infrastructure rather than because the sender was authenticated, then domain reputation and internal trust can be abused. In practice, the security model shifts from proving who sent the message to merely accepting that the infrastructure handled it.
Practical implication: treat unauthenticated relay paths as legacy exceptions and inventory every system still allowed to use them.
How authenticated secure relay changes non-human email governance
Authenticated secure relay restores a control point between the application or device and the mail platform. Instead of letting any sender reach the relay, approved sources are explicitly authenticated, policy enforced, and logged. That makes non-human email closer to other governed workload identities, where allowed sources, signing, and inspection can be managed centrally. For organisations running Microsoft 365, the key change is not just technical transport security. It is the creation of an accountable mail identity boundary for machines and applications.
Practical implication: route all device and application mail through authenticated relay paths that can be controlled, logged, and revoked.
Why SPF, DKIM, and DMARC matter for application mail
SPF, DKIM, and DMARC are the authentication and alignment controls that prevent domain impersonation from being treated as legitimate mail. DKIM signing is especially important for application traffic because it allows receiving systems to verify that the message was authorised by the domain owner and not simply delivered from a trusted host. DMARC then gives policy enforcement, including reject decisions, so spoofed mail is less likely to reach recipients. In a mixed human and non-human mail environment, these controls provide the minimum identity layer for outbound trust.
Practical implication: require DKIM signing for all application senders and move DMARC toward reject rather than leaving spoofed mail in deliverable gray zones.
Threat narrative
Attacker objective: The attacker wants to send convincing spoofed mail from a trusted domain and use Microsoft 365 delivery to increase the success rate of phishing or fraud.
- Entry occurs when attackers exploit unauthenticated application mail paths that allow messages to be sent through trusted Microsoft infrastructure without a user login.
- Escalation happens when spoofed sender domains inherit that trusted delivery path and bypass recipient suspicion, phishing filters, or brand expectations.
- Impact is achieved when recipients accept fraudulent or malicious mail as internal, enabling phishing, fraud, and domain abuse without compromising a legitimate account.
NHI Mgmt Group analysis
Unauthenticated application mail is a governance problem, not just an email problem. Direct Send creates a gap between delivery and identity assurance, which is exactly where spoofing campaigns thrive. When the sender is a device or application, the question is not whether mail can be delivered, but whether the sending identity is controlled, revocable, and auditable. Practitioners should treat this as a non-human identity boundary that requires the same discipline as other workload access paths.
Secure relay becomes the practical control plane for machine-generated email. The useful architectural shift is not simply encryption or scanning, but authenticated relay with central visibility over all non-human mail sources. That gives security teams one place to enforce policy, detect anomalous senders, and remove unmanaged paths. For the wider identity field, this is another example of why workload-originated communications need explicit lifecycle governance, not implicit platform trust.
DMARC only works properly when sender identity is already disciplined upstream. A domain can have policy enforcement on paper and still remain exposed if applications can emit mail through weakly governed paths. The real issue is sender authorisation, not just recipient filtering. That means email security, IAM, and platform teams need a shared ownership model for non-human sender identities before spoofing becomes a recurring operational weakness.
Non-human mail should be treated as a managed identity class. Devices, scanners, line-of-business apps, and automation platforms all generate messages that can be abused if they are not tied to named, approved, and monitored sending sources. This is where NHI governance meets email security: the identity of the sender must be as explicit as the content of the message. Organisations that leave this unmapped will keep inheriting spoofing risk through convenience features.
Direct Send shows how convenience features age into attack surface. What was reasonable for low-friction setup becomes a liability once phishing, compliance, and brand impersonation threats mature. The governance lesson is that any unauthenticated enterprise communication path needs periodic revalidation against current threat behaviour. Practitioners should assume that unmanaged mail relay will be abused eventually, and plan controls accordingly.
What this signals
Application mail needs to be folded into the same governance model as other non-human identities. Direct Send is a reminder that machine-originated communications often exist outside the controls teams apply to users, even when the messages are business critical. That leaves email, IAM, and platform owners with a shared problem: unmanaged sender identity can become a trust bypass unless it is explicitly brought under policy and ownership.
The practical signal for practitioners is to stop treating relay configuration as a transport choice and start treating it as an identity control. Teams that can map every sending source, enforce authenticated relay, and prove domain alignment will have a much tighter abuse boundary than teams relying on convenience defaults.
Managed sender identity is the control concept worth carrying forward. When non-human mail is governed like an identity class, organisations can tie senders to lifecycle, entitlement, and audit requirements instead of hoping that infrastructure trust is enough. That is the same pattern visible across broader NHI programmes, where explicit ownership matters more than the convenience of a preconfigured path.
For practitioners
- Inventory every Direct Send dependency Identify printers, scanners, apps, and legacy workflows that still use unauthenticated relay and map each one to a business owner and replacement path.
- Move non-human mail to authenticated relay Require devices and applications to use a controlled secure relay with explicit source approval, logging, and revocation capability.
- Enforce DKIM and DMARC alignment Sign all application mail with DKIM and move domains toward a reject policy so spoofed messages fail authentication instead of reaching inboxes.
- Apply lifecycle control to mail senders Treat each application or device sender like a managed non-human identity with onboarding, review, and offboarding steps when systems change.
Key takeaways
- Unauthenticated Direct Send turns a convenience feature into a spoofing and fraud exposure because delivery trust is not the same as sender identity.
- The strongest control shift is to authenticated secure relay with DKIM and DMARC alignment, so non-human mail is governed rather than merely delivered.
- Application and device senders should be managed as non-human identities with owners, approval, monitoring, and offboarding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Direct Send exposes unmanaged non-human sender identities and weak relay controls. |
| NIST CSF 2.0 | PR.AC-1 | Unauthenticated relay weakens access control over who can send as the domain. |
| NIST SP 800-53 Rev 5 | IA-5 | Application email depends on authenticator management and controlled sender validation. |
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access | Spoofed mail is commonly used to gain initial access and harvest credentials. |
| NIST AI RMF | GOVERN | The article touches governance for non-human communication paths and accountability. |
Assign clear ownership for machine-generated mail and document policy, monitoring, and escalation responsibilities.
Key terms
- Direct Send: Direct Send is a Microsoft email delivery method that can allow messages to be routed in a way that looks internal or trusted to some controls. Security teams need to understand that trusted routing does not automatically mean trusted content, especially when adversaries are abusing the path.
- Secure Email Relay: A secure email relay is a controlled outbound mail path that applies policy, inspection, and trust checks before delivery. It centralises governance for application, device, and partner email so security teams can enforce authentication, data protection, and reporting consistently across multiple senders.
- DNS Spoofing: DNS spoofing is the manipulation of name resolution so a victim is sent to a fake destination instead of the intended service. In identity security, it matters because users may trust the right brand while unknowingly sending credentials or tokens to an attacker-controlled endpoint.
- Non-Human Sender Identity: Non-human sender identity is the governance model for applications, devices, and automation systems that send mail on behalf of an organisation. It treats the sender as a managed identity with ownership, policy, logging, and lifecycle requirements, rather than as a simple transport setting.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for replacing Direct Send with Secure Email Relay in Microsoft 365 environments
- Configuration specifics for SPF, DKIM, and DMARC alignment for application-generated mail
- Operational details on centralised visibility, relay control, and threat scanning for machine mail flows
- Implementation notes for organisations handling PII or PHI in application email
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It is designed for practitioners who need a stronger control model for machine-originated access and communications.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org