365 Shared Mailboxes: MERRL Strikes Again

Shared mailboxes are a ticking time bomb thanks to MERRL

How “Free Mailboxes” Could Be At Risk

Shared mailboxes have long been a recruitment staple. You use them for job alerts, team inboxes, and marketing updates. They’re simple to set up, require no licence, and everyone assumes they’re “safe”.

But under Microsoft’s new email limits — especially the upcoming Mailbox External Recipient Rate Limit (MERRL) — shared mailboxes are not a loophole.

In fact, using them the wrong way could quietly break your entire email flow.

Why Recruitment Teams Love Shared Mailboxes

They’re convenient. You set up a generic address like:

  • jobs@agency.co.uk
  • hello@yourbrand.com
  • candidates@recruitmentgroup.com

Then give your team access to send from them. Easy. Cost-effective. No per-user licensing.

For internal collaboration, they’re still fine.

But when it comes to sending external email at scale, shared mailboxes are now a compliance risk.

How MERRL Actually Applies to Shared Mailboxes

Let’s clear this up.

1. If a user sends from a shared mailbox (“Send As” or “Send on Behalf of”)

The sender’s mailbox gets the external recipient count.
So if your recruiter sends 800 emails from their own address and another 1,300 “from” jobs@, they have still hit 2,100 and will be blocked under MERRL.

MERRL follows the person, not the display address.

2. If an app uses a shared mailbox (SMTP, Power Automate or MS Graph)

The shared mailbox gets its own MERRL quota.
If it sends 2,000 emails in a 24-hour window, it will be blocked from sending externally.

This is where many automations break.

3. If the shared mailbox is unlicensed and pushing volume

Microsoft may consider this misuse. Even before MERRL formally hits, they may start throttling or disabling that mailbox without warning.

Real-World Examples

Your CRM sends campaigns from talent@

You set up the CRM to use SMTP with the shared mailbox login. It sends 1,800 personalised outreach emails today. Then your team replies to candidates manually from the same mailbox. Total: over 2,000 external sends.
Result: Blocked.

Recruiters send BD emails “from” hello@agency.co.uk

They are using “Send As” rights, thinking this keeps their personal usage down.
Wrong. Microsoft applies the usage to each user, even when sending on behalf of a shared mailbox.
If your recruiter is in four sequences and sending as both themselves and a shared mailbox, they could hit the MERRL limit quickly.

A marketing tool sends job alerts from a shared mailbox

It is not licensed, but it is used by your job board or automation platform.
Microsoft sees this as “unauthorised high-volume sending” and may throttle it preemptively.
Your alerts stop without explanation.

Why This Is a Huge Risk for Recruiters

Shared mailboxes feel like a workaround, but under the hood, Microsoft still sees and enforces:

  • Who is sending
  • What they are sending
  • How many people they are sending to

The outcome? Even if you think you’re being clever with shared infrastructure, Microsoft still enforces 2,000 external recipients per sender identity.

This means:

  • Campaigns can fail silently
  • Multiple recruiters may trip limits at the same time
  • Shared mailboxes become a single point of failure

And with no good reporting until late 2025, you may not even realise why deliverability is dropping.

What You Should Do Instead

1. Audit All Shared Mailboxes

  • What tools or automations use them?
  • Who is sending from them?
  • Are they being accessed directly, or delegated?

2. License Them If They Send At Volume

Microsoft’s own guidance is clear:
If a shared mailbox is used to send a high volume of messages — especially to external recipients — it must be licensed and treated like a user mailbox.

This unlocks better support, clear limits, and aligns you with Microsoft’s enforcement policies.

3. Migrate Campaign Sending to the Right Platform

Shared mailboxes were never meant to be outbound marketing engines. Move high-volume sends to platforms built for it:

  • Azure Communication Services
  • SendGrid, Brevo, Mailgun
  • CRM platforms that send from their own infrastructure

This gives you compliance, control, and visibility.

4. Understand What’s Sending What (Even Without MERRL Reporting)

MERRL is enforced per mailbox, but Microsoft’s tools for tracking usage are limited until late 2025. Here’s how to get ahead of it now:

Use Quinset Powermail for domain-level visibility
Quinset Powermail provides DMARC-based reporting. It shows:

  • Which platforms and systems are sending on behalf of your domain
  • Volume trends across all sending tools
  • Whether unexpected systems (or shadow tools) are creating risk

To see mailbox-specific usage, you will need to:

  • Use PowerShell to query message traces manually
  • Use Defender for Office 365 if available
  • Wait for Microsoft’s promised Exchange Admin Center report: “Outbound External Recipients per Mailbox”

Combining Powermail with PowerShell gives you a head start. You can map what sends from where, monitor platform usage, and avoid surprises when enforcement begins.

TL;DR

Recruiters often use shared mailboxes to manage outreach, assuming they are exempt from Microsoft’s limits. They are not. Under MERRL:

  • Shared mailboxes do count toward the 2,000 external recipient limit
  • If a recruiter sends “as” a shared mailbox, their own mailbox is affected
  • If a system sends directly from the shared mailbox, that mailbox can hit the limit independently
  • Unlicensed shared mailboxes used for automations may be throttled or blocked without notice
  • Most teams do not realise this until email starts silently failing

The fix is simple: audit your shared mailbox use, license where needed, and move campaign traffic to appropriate platforms. Use Quinset Powermail to understand what is sending from your domain, and prepare your systems before MERRL hits full enforcement in 2025 and 2026.