Office 365 MailFlow Scenarios and Best Practices

Microsoft Office 365 gives you the flexibility to configure mail flow according to your requirements and use cases for delivering email to your organisation's mailboxes. The simplest configuration is to let Microsoft Exchange Online Protection (EOP) handle spam filtering and mail flow for your organisation. However, you may already have invested in infrastructure that handles mail flow; Microsoft also supports this situation and allows you to keep using your own spam filter.

The scenarios and use cases below will help you decide how to configure mail flow for your organisation.

Scenario 1
  Mailbox location: Office 365
  Mail flow entry point: Office 365
  Scenario and use cases: use Microsoft EOP; migrate all mailboxes to Office 365 and decommission the on-premises mail servers; use Office 365 mailboxes
  Recommended configuration: MX record pointed to Office 365
  MX:  domain-com.mail.protection.outlook.com
  SPF: v=spf1 include:spf.protection.outlook.com -all

Scenario 2
  Mailbox location: On-premises
  Mail flow entry point: On-premises
  Scenario and use cases: prepare the on-premises environment to be cloud ready; build and sync Azure AD Connect; build an ADFS farm
  Recommended configuration: MX record pointed to on-premises
  MX:  MX1.domain.com
  SPF: v=spf1 a:mx1.domain.com include:spf.protection.outlook.com -all

Scenario 3
  Mailbox location: Third-party cloud, for example G Suite
  Mail flow entry point: Both the third-party cloud and Office 365
  Scenario and use cases: prepare to migrate to Office 365; stage mailbox data; mail flow coexistence
  Recommended configuration: MX record pointed to the third-party cloud (in this example a cloud spam filter in front of G Suite and Office 365)
  MX:  in.hes.trendmicro.com
  SPF: v=spf1 include:spf.protection.outlook.com include:<SPF include published by the cloud spam filter> include:_spf.google.com -all

Scenario 4
  Mailbox location: Combination of on-premises and Office 365
  Mail flow entry point: On-premises spam filter
  Scenario and use cases: hybrid environment; staged mailbox migration; mail flow coexistence
  Recommended configuration: MX record pointed to the on-premises spam filter
  MX:  MX1.domain.com
  SPF: v=spf1 a:mx1.domain.com include:spf.protection.outlook.com -all

Scenario 5
  Mailbox location: Combination of on-premises and Office 365
  Mail flow entry point: Third-party cloud spam filter
  Scenario and use cases: hybrid environment; staged mailbox migration; mail flow coexistence
  Recommended configuration: MX record pointed to the third-party cloud spam filter, which delivers to on-premises
  MX:  in.hes.trendmicro.com
  SPF: v=spf1 include:spf.protection.outlook.com include:<SPF include published by the cloud spam filter> -all

A note on the SPF examples: include: pulls in the SPF record that the named domain publishes; it does not authorise a host by name. The on-premises MX host is therefore listed with a: (or ip4: with its public address), Google's published include is _spf.google.com rather than the ASPMX MX host, and for a cloud spam filter use the include name from the vendor's documentation rather than its inbound MX host. An include: of a name that publishes no SPF record, or a space after the colon, makes the whole record fail to evaluate (permerror), which leaves your domain with no usable SPF protection at all.
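The following PowerShell function is an added example and is not part of the original article. It is an offline sanity check for an SPF record string of the kind shown in the scenarios above: it flags the stray-space error ("include: host"), counts the terms that cost a DNS lookup, and warns about a weak or missing terminal "all". The function name and the two sample records passed to it at the end are assumptions for illustration; it makes no DNS queries.

```powershell
# Added example, not part of the original article: an offline syntax check for an
# SPF record before you publish it. It makes no DNS queries; it checks the shape
# of each term and counts the terms that cost a DNS lookup when evaluated
# (RFC 7208 allows at most 10 before the record fails with permerror).
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $terms    = ($Record.Trim() -split '\s+')

    if ($terms[0] -ne 'v=spf1') {
        $findings.Add("record must start with 'v=spf1' (found '$($terms[0])')")
    }

    # Mechanisms and modifiers that trigger a DNS lookup
    $lookupTerms = @('include', 'a', 'mx', 'ptr', 'exists', 'redirect')
    $lookups = 0
    $sawAll  = $false

    foreach ($term in ($terms | Select-Object -Skip 1)) {
        if ($sawAll) {
            $findings.Add("'$term' comes after 'all' and is never evaluated")
            continue
        }
        # Drop the optional qualifier (+ - ~ ?) and separate name from argument:
        # 'include:example.com' -> include / example.com ; 'exp=explain' -> exp / explain
        $body = $term -replace '^[+\-~?]', ''
        $name = ($body -split '[:=/]', 2)[0].ToLower()
        $arg  = if ($body -match '[:=]') { ($body -split '[:=]', 2)[1] } else { '' }

        if (($name -in @('include', 'exists', 'redirect')) -and ($arg -eq '')) {
            # 'include: host' with a space: the colon is followed by nothing and
            # 'host' is then parsed as a separate, unknown term
            $findings.Add("'$term' has no domain after the colon (stray space?)")
        }
        if ($name -eq 'all') {
            $sawAll = $true
            if ($term -match '^\+?all$') { $findings.Add("'+all' authorises every host on the Internet") }
            if ($term -eq '?all')        { $findings.Add("'?all' is neutral: spoofed mail neither passes nor fails") }
        }
        elseif ($name -in $lookupTerms) {
            $lookups++
            if ($name -eq 'ptr') { $findings.Add("'ptr' is deprecated and slow; prefer ip4/ip6/a/mx") }
        }
        elseif ($name -notin @('ip4', 'ip6', 'exp')) {
            $findings.Add("unknown term '$term'")
        }
    }

    if (-not $sawAll)    { $findings.Add("no terminal 'all' mechanism; unlisted senders get a neutral result") }
    if ($lookups -gt 10) { $findings.Add("$lookups lookup terms exceed the limit of 10 (permerror)") }

    [pscustomobject]@{
        Record   = $Record
        Lookups  = $lookups
        Valid    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample input: the Office 365-only record from Scenario 1, then the
# on-premises record as it is often typed by hand, with a space after 'include:'.
Test-SpfRecord 'v=spf1 include:spf.protection.outlook.com -all'
Test-SpfRecord 'v=spf1 include: MX1.domain.com include:spf.protection.outlook.com -all' |
    Select-Object -ExpandProperty Findings
```

The second call reports two findings: "include:" has no domain after the colon, and "MX1.domain.com" is an unknown term. Run the function over every record you intend to publish; it catches the copy-and-paste mistakes that a DNS resolver will only report as a permerror after the record is live.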

MailFlow Configuration Prerequisites:

  1. Make sure that your email server (also called the "on-premises mail server") is set up and able to send and receive mail to and from the Internet.
  2. Check that your on-premises email server has Transport Layer Security (TLS) enabled with a valid certificate signed by a public certification authority (CA). When the Office 365 connector is set to validate certificates, a self-signed or expired certificate breaks mail flow.
  3. Make a note of the name or IP address of your external-facing email server. If you are using Exchange, this is the Fully Qualified Domain Name (FQDN) of the Edge Transport server or Client Access server (CAS) that will receive email from Office 365.
  4. Open port 25 on your firewall so that Office 365 can connect to your email servers.
  5. Make sure your firewall accepts connections from all Office 365 IP addresses, and only from those. See "Exchange Online Protection IP addresses" for the published ranges; they change over time.
  6. Make a note of an email address for each domain in your organisation. You will need these later to test that the connector is working correctly.
  7. Add all Office 365 datacentre IP address ranges to the remote IP ranges of the receive connector on your on-premises Exchange server, and remove ranges that Microsoft has retired.

Configure mail to flow from Office 365 to your email server and vice versa. There are three steps:

  1. Configure your Office 365 environment.
  2. Set up a connector from Office 365 to your email server, and one in the other direction.
  3. Change your MX record to redirect mail flow from the Internet to Office 365.

Note: If you ran the Exchange Hybrid Configuration Wizard, the connectors that deliver mail between Office 365 and Exchange Server have already been set up and are listed here. You do not need to create them again, but you can edit them here if necessary.

  1. To create a connector in Office 365, click Admin, then Exchange, to open the Exchange admin center. Click mail flow, then connectors.
  2. To start the wizard, click the plus symbol (+). On the first screen, choose the options for mail flow from Office 365 to your on-premises server.
  3. Click Next and follow the instructions in the wizard. When the wizard offers it, require TLS and verify your server's certificate; otherwise mail between the two environments can be diverted to, or read by, whoever controls the path to the smart host.
  4. Repeat the steps to create the connector from on-premises to Office 365.
  5. To redirect email flow to Office 365, change the MX (mail exchange) record for your domain to Microsoft EOP, i.e. domain-com.mail.protection.outlook.com.
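The same connector pair created from Exchange Online PowerShell instead of the wizard, so that the TLS settings are explicit and reviewable. This is an added example and not code from the original article or from Microsoft; the connector names, the on-premises host name mail.domain.com and the certificate subject are assumptions to be replaced with your own values.

```powershell
# Added example, not part of the original article: the connector pair the EAC
# wizard builds, created from Exchange Online PowerShell. Connector names, the
# on-premises host name and the certificate subject are assumptions.
Connect-ExchangeOnline            # ExchangeOnlineManagement module, interactive sign-in

$onPremHost = 'mail.domain.com'   # assumption: public FQDN of the Edge/CAS server (prerequisite 3)
$tlsName    = 'mail.domain.com'   # assumption: subject (or SAN) of its CA-signed certificate

# Office 365 -> on-premises. DomainValidation makes EOP refuse to deliver unless the
# smart host presents a valid CA-signed certificate for $tlsName, so a hijacked DNS
# answer or a rogue host at that IP cannot receive your internal mail.
New-OutboundConnector -Name 'Outbound to on-premises' `
    -ConnectorType OnPremises `
    -UseMXRecord $false `
    -SmartHosts $onPremHost `
    -RecipientDomains '*' `
    -TlsSettings DomainValidation `
    -TlsDomain $tlsName `
    -Enabled $true

# On-premises -> Office 365. Mail is attributed to your own organisation only when
# it arrives over TLS with that same certificate; anything else from the Internet
# that claims one of your domains is treated as external and stays spam filtered.
New-InboundConnector -Name 'Inbound from on-premises' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -RequireTls $true `
    -TlsSenderCertificateName $tlsName `
    -RestrictDomainsToCertificate $true `
    -Enabled $true

# Review both before the MX record moves to Office 365
Get-OutboundConnector | Format-List Name, ConnectorType, SmartHosts, RecipientDomains, TlsSettings, TlsDomain
Get-InboundConnector  | Format-List Name, ConnectorType, SenderDomains, RequireTls, TlsSenderCertificateName
```

After both connectors exist, send a test message to one of the addresses noted in prerequisite 6 in each direction and confirm in the message header that the hop between the two environments used TLS.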

Relevant Articles:

Mailflow Co-existence between G-Suite and Office 365 during IMAP Migration

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Centralized MailFlow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

Centralized Mailflow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

Environment:

  • Mailbox hosted in Exchange Online
  • Hybrid on-premises Exchange 2010/2013 with Exchange Online
  • Centralized mail flow configured (the Exchange 2013 wizard option), or "Route all emails through on-premises" (the Exchange 2010 wizard option)
  • Accepted domain configured as either Internal Relay or Authoritative on the Exchange Online side
  • MX record pointed to a third-party cloud anti-spam service or an on-premises anti-spam appliance/firewall

Issue: When you send email from a mailbox hosted in Exchange Online to an internal or external recipient that is routed via the on-premises server, you receive the NDR '550 5.7.1 Unable to relay'.

Root Cause: Some customers want to keep using an existing investment in an on-premises anti-spam filter, or a third-party cloud anti-spam filter, for compliance purposes. They therefore select centralized mail flow in the Hybrid Configuration Wizard, and the "unable to relay" NDR appears when they later change a few settings or introduce a new domain in Exchange Online. There are several possible reasons for an NDR '550 5.7.1 Unable to relay':

  • You have added multiple federated domains (e.g. @domain1.com, @domain2.com) but these domains are not included in the Hybrid Configuration.
  • You have added multiple federated domains (e.g. @domain1.com, @domain2.com) and they have been set up as Authoritative instead of Internal Relay on the Exchange Online side.
  • You have added multiple federated domains (e.g. @domain1.com, @domain2.com) but the Office 365 connectors send and receive email for only one domain, e.g. domain.com; the wildcard "*" is not configured on the Exchange Online outbound connector.
  • Microsoft has changed the EOP IP addresses and you have not added the latest EOP ranges to the receive connector on the Edge server.
  • You configured an application to use Office 365 SMTP relay, but the receive connector of the on-premises server has not been configured to accept email for any recipient.

To remediate the root cause, follow these steps.

  1. Copy the message header of the original NDR and paste it into the Message Analyzer at https://testconnectivity.microsoft.com/. Analyse the message and find which IP address it came from, e.g. the EOP APAC range 104.47.64.0/18. Make sure that range is on the receive connector of the on-premises server. The list of EOP IP addresses is subject to change without notice, so add all EOP IP addresses to the receive connector "Inbound from Office 365". Refer to Microsoft KB 2750145.
  2. Make sure the datacentre IP addresses are added in the receive connector properties. Refer to the TechNet blog.
  3. View the extended rights on the receive connectors of the on-premises server:

Get-ReceiveConnector | Get-ADPermission | Where-Object { $_.User -like '*ANONYMOUS*' } | Format-Table Identity, User, ExtendedRights, AccessRights

  4. Assign the extended right that accepts email for any recipient. The connector identity contains spaces, so it must be quoted:

Get-ReceiveConnector "Inbound from Office 365" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Grant this right only on the connector whose remote IP ranges are restricted to the EOP addresses. On a connector that answers the whole Internet, ms-Exch-SMTP-Accept-Any-Recipient for ANONYMOUS LOGON turns the server into an open relay.

  5. Open the Office 365 connector in the Office 365 admin center and make sure you have entered the "*" wildcard as the domain.
  6. Rectify the SPF record with the entries below. If you have DKIM and DMARC records, rectify those as well. The SPF record of domain.com looks like this (one space between terms, no commas):

v=spf1 ip4:<public IP address of the domain.com mail server> ip4:<public IP address of the MX host> ip4:<public IP addresses of applications/devices that send mail> include:spf.protection.outlook.com ~all

~all is a soft fail; once the list of senders is confirmed complete, change it to -all as in the examples at the top of this page.

  7. The Hybrid Configuration Wizard requires .NET Framework 4.5: download and install it, then run the wizard. Select the desired federated domains, select all CAS servers, type the correct public IP addresses of the Edge server, select centralised mail flow, select the correct certificate and complete the wizard.
  8. Open the send connector on the on-premises server, remove all Hub/CAS servers from its source servers and add the Edge servers. Then restart the transport services on the on-premises servers.
  9. In a hybrid configuration, configure the accepted domain as Authoritative on the on-premises side and as Internal Relay on the Office 365 side. For example, domain1.com is Authoritative on-premises and Internal Relay in Exchange Online, so that a recipient Exchange Online does not know about is relayed on-premises rather than rejected.
  10. From the on-premises Exchange Management Shell, run Start-EdgeSynchronization to start syncing the Edge Transport server.
  11. Test mail flow from internal and external senders to an internal recipient.
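Steps 1 to 4 above as a single on-premises Exchange Management Shell script, followed by an audit of every receive connector for anonymous relay rights. This is an added example, not code from the original article. The server name EDGE01 and the connector name are assumptions, and the single IP range is only the APAC example quoted in step 1: replace the list with the current ranges from Microsoft's "Exchange Online Protection IP addresses" page before running it.

```powershell
# Added example, not part of the original article: on-premises Exchange Management
# Shell commands that apply steps 1 to 4 safely and then audit the result. The
# server name and connector name are assumptions; the IP list is a placeholder
# holding only the APAC range quoted in step 1 and must be replaced with the full
# published list.
$server        = 'EDGE01'                        # assumption: your Edge Transport (or CAS) server
$connectorName = 'Inbound from Office 365'       # assumption: name of the EOP receive connector
$eopRanges     = @('104.47.64.0/18')             # placeholder: paste the full published list here

$connector = Get-ReceiveConnector -Identity "$server\$connectorName"

# Replace the whole list rather than appending, so ranges Microsoft has retired
# are dropped at the same time as new ones are added. RequireTLS keeps a plaintext
# sender out even if it manages to send from an address inside these ranges.
Set-ReceiveConnector -Identity $connector.Identity -RemoteIPRanges $eopRanges -RequireTLS $true

# Step 4: accept mail for any recipient from anonymous senders on this connector
# only. RemoteIPRanges is now the only thing limiting who can use that right.
$connector | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
    -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Audit: list every receive connector where ANONYMOUS LOGON holds that right,
# together with the ranges it answers. Any entry other than the EOP connector,
# or any entry whose ranges include 0.0.0.0-255.255.255.255, is an open relay.
function Get-AnonymousRelayConnector {
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        $relay = $rc | Get-ADPermission | Where-Object {
            $_.User -like '*ANONYMOUS LOGON*' -and
            -not $_.Deny -and
            ($_.ExtendedRights | Where-Object { $_ -like '*Accept-Any-Recipient*' })
        }
        if ($relay) {
            [pscustomobject]@{
                Connector      = $rc.Identity
                AnonymousUsers = ("$($rc.PermissionGroups)" -like '*AnonymousUsers*')
                RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
            }
        }
    }
}

Get-AnonymousRelayConnector | Format-Table -AutoSize
```

Run the audit function again after every Hybrid Configuration Wizard run and every EOP address-list update: the wizard can create or widen connectors, and a connector that quietly keeps the relay right while its range list grows is the usual way an Exchange server ends up on a blocklist.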

Relevant Articles

Fix email delivery issues for error code 5.7.1 in Office 365

Exchange Online Protection IP addresses

Hybrid Mailflow Best Practices

Set up connectors to route mail between Office 365 and your own email servers

Transport Options Hybrid Deployment

Transport Routing Hybrid Deployment

Mailflow Co-existence between G-Suite and Office 365 during IMAP Migration

This article explains how to create mail flow coexistence between a disparate IMAP source and an Exchange Online destination.

Use case:

  1. The customer wants mail flow coexistence between a hosted email service, e.g. Gmail, and Exchange Online during the mailbox migration phase.
  2. The customer has an on-premises Exchange server but does not want to create a hybrid environment, or a hybrid configuration is not feasible.
  3. The customer plans to migrate mailboxes, calendars, contacts, resources and distribution groups to Exchange Online in phases.
  4. The customer does not want a cutover migration to Exchange Online.

Source Environment:

  1. Email Domain: Domain.com
  2. Migration Method: IMAP
  3. Source Infrastructure: On-premises Microsoft Exchange or Hosted Gmail

Destination Environment:

  1. Office 365 Tenant: domain.onmicrosoft.com
  2. Default Domain: domain.onmicrosoft.com
  3. Email Domain: Domain.com
  4. CatchAll Domain or Subdomain: subdomain.domain.com

Migration Method:

  • Pre-stage: data is copied ahead of time into a placeholder mailbox in Exchange Online, and only the delta is migrated at cutover.
  • Backfill: data is back-filled into the live mailbox after cutover.

Prepare Source Email Domain:

  1. Add a proxy address (alias) to every mailbox.

To add the proxy address, create a CSV file with the headers below and run the script.

Name,EmailAddress
user1@domain.com,user1@domain.onmicrosoft.com

Import-Csv C:\data.csv | ForEach-Object {
    # @{Add=} appends the alias; passing the address directly to -EmailAddresses
    # would replace every existing address on the mailbox
    Set-Mailbox -Identity $_.Name -EmailAddresses @{Add=$_.EmailAddress}
}

  2. Create a target (forwarding) address on every mailbox. To add it, create a CSV file with the headers below and run the script. One row per mailbox; the target is either the tenant address or the catch-all subdomain address.

CSV headers are Mailbox, ForwardTo

user1@domain.com,user1@domain.onmicrosoft.com
user1@domain.com,user1@subdomain.domain.com

Import-Csv "C:\CSV\Users.csv" | ForEach-Object {
    # -ForwardingSmtpAddress takes a plain SMTP address; -ForwardingAddress only
    # accepts a recipient object that already exists in the source organisation
    Set-Mailbox -Identity $_.Mailbox -ForwardingSmtpAddress $_.ForwardTo
}

  3. Send and receive connectors

If mail flow in the on-premises or hosted environment is restricted, you may have to create a send connector and a receive connector to allow Office 365 email in both directions.

  4. The MX record still points to the source environment.

Prepare Exchange Online

  1. Create the Office 365 tenant: domain.onmicrosoft.com
  2. Add the customer domain, e.g. domain.com, in the Office 365 portal and verify it.
  3. In the Exchange admin center (ECP), select Mail flow, click Accepted domains, select domain.com, click Edit and set the domain type to Internal Relay. Recipients that do not exist in Exchange Online are then relayed to the source system instead of being rejected.
  4. Select Recipients, go to Groups, create a distribution group and add all users who are still on the source system. For a script that does this, take step 3 of the Post Migration section below and replace Remove-DistributionGroupMember with Add-DistributionGroupMember.
  5. Select Mail flow, Connectors, and create an outbound connector from Office 365 to your organisation's email server. Choose the smart host option and enter the public IP address or FQDN of the MX host of domain.com. Scope the connector to transport rules only, so that it is not used for ordinary outbound mail.
  6. Select Mail flow, Rules, and create a rule that routes inbound email addressed to @domain.com recipients who are members of the distribution group from step 4 through the connector created in step 5.
  7. Enable mail flow for the subdomain or catch-all domain, i.e. @subdomain.domain.com:

Set-AcceptedDomain -Identity domain.com -MatchSubdomains $true

Mailflow during migration phase

When the Exchange Online mailbox user1@domain.com sends mail to user2@domain.com (still on-premises or in hosted Gmail), user2 does not exist on the Exchange Online side. Because domain.com is configured as Internal Relay under Accepted domains, the message is not rejected but delivered to on-premises/Gmail through the special outbound connector. For a user who already has a placeholder mailbox in Exchange Online, the transport rule on the distribution group overrides local delivery and routes the message the same way.
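The Exchange Online side of the coexistence just described (steps 3 to 7 of "Prepare Exchange Online") as Exchange Online PowerShell. This is an added example, not code from the original article. The group name, connector name, rule name and the source MX host ASPMX.L.GOOGLE.COM are assumptions standing in for the names used in the text; user1 is the sample user from the CSV files.

```powershell
# Added example, not part of the original article: the Exchange Online side of
# the coexistence setup as PowerShell. Group, connector and rule names and the
# source MX host are assumptions; user1 is the sample user from the CSV files.
Connect-ExchangeOnline

$domain    = 'domain.com'
$sourceMx  = 'ASPMX.L.GOOGLE.COM'                 # assumption: MX of the source system (Gmail here)
$groupName = 'Coexistence-StillOnSource'          # assumption: the "special" distribution group
$connName  = 'Outbound to source mail system'     # assumption: the rule-scoped outbound connector
$ruleName  = 'Route unmigrated users to source'   # assumption: the mail flow rule

# Step 3: InternalRelay makes Exchange Online hand recipients it does not know to
# an outbound connector instead of bouncing them (Authoritative would reject them).
Set-AcceptedDomain -Identity $domain -DomainType InternalRelay
# Step 7: also accept @subdomain.domain.com, the catch-all used by the forwarding script
Set-AcceptedDomain -Identity $domain -MatchSubdomains $true

# Step 4: group of users whose mailbox is still on the source system
New-DistributionGroup -Name $groupName -Type Distribution
Add-DistributionGroupMember -Identity $groupName -Member "user1@$domain"

# Step 5: connector to the source MX, usable only from a transport rule so that
# ordinary outbound mail for other domains is never sent through it
New-OutboundConnector -Name $connName `
    -ConnectorType Partner `
    -UseMXRecord $false `
    -SmartHosts $sourceMx `
    -RecipientDomains $domain `
    -IsTransportRuleScoped $true `
    -TlsSettings EncryptionOnly `
    -Enabled $true

# Step 6: mail addressed to a group member is routed to the source system even
# though a placeholder mailbox for that user already exists in Exchange Online
New-TransportRule -Name $ruleName `
    -SentToMemberOf $groupName `
    -RouteMessageOutboundConnector $connName

Get-TransportRule -Identity $ruleName | Format-List Name, SentToMemberOf, RouteMessageOutboundConnector
```

Keep the two sides consistent per user: a user belongs in the group only while the mailbox is still on the source, and gets the source-side forward only after it has left the group. A user who has both at once bounces mail between the two systems until one of them drops it as a loop.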

Post Migration:

Once you have migrated a batch of mailboxes, remove the proxy address and forwarding address from that batch of source mailboxes on the source email domain.

  1. Remove the proxy address from the source environment

CSV headers are Name, EmailAddress

user1@domain.com,user1@domain.onmicrosoft.com

Import-Csv C:\CSV\ProxyAddress.csv | ForEach-Object {
    Set-Mailbox -Identity $_.Name -EmailAddresses @{Remove=$_.EmailAddress}
}

  2. Remove the forwarding address from the source environment

CSV headers are Mailbox, ForwardTo

user1@domain.com,user1@domain.onmicrosoft.com

Import-Csv "C:\CSV\Users.csv" | ForEach-Object {
    # Forwarding is a single value, not a list: clear it rather than "removing" an entry
    Set-Mailbox -Identity $_.Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null
}

  3. Remove the batch of mailboxes from the distribution group once they have been migrated to Office 365.

CSV headers are Identity, Members

Accounts,user1@domain.com

Import-Csv "C:\CSV\RemoveMembers.csv" | ForEach-Object {
    Remove-DistributionGroupMember -Identity $_.Identity -Member $_.Members -Confirm:$false
}

  4. After the MX record has been cut over to Office 365, delete the special distribution group, the mail flow rule and the outbound connector created in steps 4, 5 and 6 of "Prepare Exchange Online".