Office 365 MailFlow Scenarios and Best Practices

Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements, and the scenarios below show how email is delivered to your organisation’s mailboxes. The simplest way to configure mail flow is to let Microsoft Exchange Online Protection (EOP) handle spam filtering and mail flow for your organisation. However, you may already have invested in infrastructure that handles mail flow; Microsoft accepts this situation and allows you to keep using your own spam filter.

The scenarios and use cases below will help you determine how to configure mail flow for your organisation. Each scenario lists the mailbox location, the mail flow entry point, the scenario and use cases, and the recommended mail flow configuration with an example MX record and SPF record.

Scenario 1

  Mailbox location: Office 365
  MailFlow entry point: Office 365
  Scenario and use cases: Use Microsoft EOP; demote or migrate all mailboxes to Office 365; use Office 365 mailboxes.
  Recommended MailFlow configuration: MX record pointed to Office 365
  MX: domain-com.mail.protection.outlook.com
  SPF: v=spf1 include:spf.protection.outlook.com -all

Scenario 2

  Mailbox location: On-premises
  MailFlow entry point: On-premises
  Scenario and use cases: Prepare the on-premises environment to be cloud ready; build and sync Azure AD Connect; build an ADFS farm.
  Recommended MailFlow configuration: MX record pointed to on-premises
  MX: MX1.domain.com
  SPF: v=spf1 include:MX1.domain.com include:spf.protection.outlook.com -all

Scenario 3

  Mailbox location: Third-party cloud, for example G Suite
  MailFlow entry point: Both the third-party cloud and Office 365
  Scenario and use cases: Prepare to migrate to Office 365; stage mailbox data; MailFlow co-existence.
  Recommended MailFlow configuration: MX record pointed to the third-party cloud, or MX record pointed to on-premises
  MX: in.hes.trendmicro.com
  SPF: v=spf1 include:spf.protection.outlook.com include:in.hes.trendmicro.com include:ASPMX.L.GOOGLE.COM -all

Scenario 4

  Mailbox location: Combination of on-premises and Office 365
  MailFlow entry point: On-premises
  Scenario and use cases: Hybrid environment; stage mailbox migration; MailFlow co-existence.
  Recommended MailFlow configuration: MX record pointed to the on-premises spam filter, or MX record pointed to on-premises
  MX: MX1.domain.com
  SPF: v=spf1 include:MX1.domain.com include:spf.protection.outlook.com -all

Scenario 5

  Mailbox location: Combination of on-premises and Office 365
  MailFlow entry point: Third-party cloud spam filter
  Scenario and use cases: Hybrid environment; stage mailbox migration; MailFlow co-existence.
  Recommended MailFlow configuration: MX record pointed to the third-party cloud spam filter, MX record pointed to the third-party cloud, or MX record pointed to on-premises
  MX: in.hes.trendmicro.com
  SPF: v=spf1 include:spf.protection.outlook.com include:in.hes.trendmicro.com -all
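The SPF records in the scenarios above are easy to get wrong: a stray space after include: splits one mechanism into two unknown terms and the whole record evaluates to permerror, and ~all only softfails spoofed mail. The checker below is an added example written for this page, not code from the original article; it parses a record the way a receiving server would and reports such problems, using sample records constructed from the table (the same check applies to the relay records under Option 2 and Option 3 later on this page).

```python
import ipaddress
import re
# One SPF term in the simplified RFC 7208 grammar this checker needs: an optional
# qualifier and a mechanism with optional ":argument", or a "redirect="/"exp=" modifier.
TERM_RE = re.compile(
    r"^(?:(?P<q>[+\-~?])?(?P<mech>all|include|a|mx|ptr|ip4|ip6|exists)(?::(?P<arg>\S+))?"
    r"|(?P<mod>redirect|exp)=(?P<marg>\S+))$"
)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def check_spf(record):
    """Return a list of findings for one SPF TXT record; an empty list means clean."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            # "include: MX1.domain.com" splits into "include:" and "MX1.domain.com";
            # both land here, and the whole record then evaluates to permerror.
            findings.append(f"unknown term {term!r} (stray space after 'include:'?)")
            continue
        mech = m.group("mech") or m.group("mod")
        arg = m.group("arg") or m.group("marg")
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech in ("ip4", "ip6"):
            try:  # rejects placeholders such as ip4:<public IP> and wrong address families
                if ipaddress.ip_network(arg, strict=False).version != int(mech[2]):
                    raise ValueError
            except ValueError:
                findings.append(f"{term!r} is not a valid {mech} address or CIDR block")
        if mech == "all":
            all_qualifier = m.group("q") or "+"
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("no 'all' term: senders not listed get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every sender on the Internet")
    elif all_qualifier == "~":
        findings.append("'~all' is softfail; receivers may still accept spoofed mail")
    return findings

SAMPLES = {  # constructed sample records modelled on the table above and Option 2 below
    "office365": "v=spf1 include:spf.protection.outlook.com -all",
    "onprem": "v=spf1 include: MX1.domain.com  include:spf.protection.outlook.com -all",
    "relay": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all",
}
```

Note that include: must name a domain that publishes its own SPF record; a mail server host name such as MX1.domain.com is normally listed with a: or mx instead, and the checker cannot tell the two apart without a DNS lookup.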

MailFlow Configuration Prerequisites:

  1. Make sure that your email server (also called “on-premises mail server”) is set up and capable of sending and receiving mail to and from the Internet.
  2. Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid public certification authority-signed (CA-signed) certificate.
  3. Make a note of the name or IP address of your external-facing email server. If you’re using Exchange, this will be the Fully Qualified Domain Name (FQDN) of the Edge Transport server or Client Access Server (CAS) that will receive email from Office 365.
  4. Open port 25 on your firewall so that Office 365 can connect to your email servers.
  5. Make sure your firewall accepts connections from all Office 365 IP addresses. See Exchange Online Protection IP addresses for the published IP address range.
  6. Make a note of an email address for each domain in your organisation. You’ll need this later to test that your connector is working correctly.
  7. Make sure you add all Office 365 datacenter IP addresses to the receive connector of your on-premises Exchange server.

Configure mail to flow from Office 365 to your email server and vice-versa. There are three steps for this:

  1. Configure your Office 365 environment.
  2. Set up a connector from Office 365 to your email server.
  3. Change your MX record to redirect your mail flow from the Internet to Office 365.

Note: If you have run the Exchange Hybrid Configuration Wizard, the connectors that deliver mail between Office 365 and Exchange Server are already set up and listed here. You don’t need to set them up again, but you can edit them here if you need to.

  1. To create a connector in Office 365, click Admin, and then click Exchange to go to the Exchange admin center. Next, click mail flow, and then click connectors.
  2. To start the wizard, click the plus symbol +. On the first screen, choose the appropriate options to create mail flow from Office 365 to your on-premises server.
  3. Click Next, and follow the instructions in the wizard.
  4. Repeat these steps to create mail flow from your on-premises server to Office 365.
  5. To redirect email flow to Office 365, change the MX (mail exchange) record for your domain to Microsoft EOP, i.e. domain-com.mail.protection.outlook.com.

Relevant Articles:

Mailflow Co-existence between G-Suite and Office 365 during IMAP Migration

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Centralized MailFlow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

How to Configure Office 365 SMTP Relay

There are three ways to set up SMTP relay for applications and multi-function devices using Office 365. All three options are described here. Option 1 and Option 2 are configured entirely within the application or device. Option 3 is configured within the application or device and within the Office 365 Admin Centre.

Option 1 – Client submission: Authenticate the device or application directly with an Office 365 mailbox.

Smart Host: smtp.office365.com

Port: 587 (TLS enabled) or port 25

Feature:

  • Send email to inside or outside of the organisation.
  • Send email from any devices or IP addresses.
  • Send email from any location

Limitation:

30 messages sent per minute, and a limit of 10,000 recipients per day.

Username and password: the Azure AD credentials of the mailbox, e.g. printer@domain.com or printer@tenant.onmicrosoft.com, with its Azure AD password

Option 2 – Direct send: Send mail directly from a printer or an application to Office 365.

Smart Host: FQDN of the MX record of your domain.

SPF Record: v=spf1 ip4:<public IP address of registered domain> include:spf.protection.outlook.com ~all

Port: 25

Feature:

  • Uses Office 365 to send emails, but does not require a dedicated Office 365 mailbox.
  • Doesn’t require your device or application to have a static IP address. However, this is recommended if possible.
  • Doesn’t work with a connector; never configure a device to use a connector with direct send, as this can cause problems.
  • Doesn’t require your device to support TLS.

Limitation:

  • Direct send cannot be used to deliver email to external recipients, for example, recipients with Yahoo or Gmail addresses.
  • Your messages will be subject to antispam checks.
  • Sent mail might be disrupted if your IP addresses are blocked by a spam list.
  • Office 365 uses throttling policies to protect the performance of the service.

Username: any email address in one of your Office 365 accepted domains, e.g. user1@domain.com, with its Azure AD password

Option 3 – Special send connector: Configure a connector to send mail using Office 365 SMTP relay.

Smart Host: FQDN of the MX record of your domain.

SPF Record: v=spf1 ip4:<Public IP Address of registered domain> include:spf.protection.outlook.com ~all

Port: 25

Username: any email address in one of your Office 365 accepted domains, e.g. user1@domain.com, with its Azure AD password

Feature:

  • Office 365 SMTP relay does not require the use of a licensed Office 365 mailbox to send emails.
  • Office 365 SMTP relay has higher sending limits than SMTP client submission; senders are not bound by the 30 messages per minute or 10,000 recipients per day limits.

Limitation:

  • Sent mail can be disrupted if your IP addresses are blocked by a spam list.
  • Reasonable limits are imposed for sending.
  • Requires static un-shared IP addresses (unless a certificate is used).

Setting up Option 3:

Step 1:

  1. Sign in to Office 365.
  2. Select Domains. Select the domain, e.g. domain.com. Click Manage DNS and find the MX record. The MX record will have a POINTS TO ADDRESS value that looks similar to domain-com.mail.protection.outlook.com.
  3. Make a note of the MX record POINTS TO ADDRESS value.
  4. Find the IP address of the MX record, either with an MX lookup web site or with nslookup as follows.

Open a Command Prompt on an Internet-connected computer and type:

nslookup
> set q=mx
> domain.com

where domain.com is your domain name.

Step 2:

  1. In Office 365, click Admin, and then click Exchange to go to the Exchange admin center.
  2. In the Exchange admin center, click mail flow, and then click connectors. Click the plus symbol +. On the first screen, choose the options From Your Organisation to Office 365, click Next, and give the connector a name.
  3. On the next screen, choose the option By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization, and add the IP address of the MX record that you found in Step 1.
  4. Leave all the other fields with their default values, and select Save.
  5. Test the configuration: send a test email from your device or application, and confirm that it was received by the recipient.