skip to Main Content

Configure outbound mail via Office 365

In the previous article, we did update MX records to Office 365. This time, we will configure outbound mail flow via Office 365 for Exchange Hybrid environments. Doing that will ensure that all emails sent from Exchange on-premises go through Exchange Online Protection (EOP).


Right now, the on-premises Exchange organization has a send connector for outbound mail to the internet. This means that when an on-premises mailbox user sends an email, the shortest route to the internet is to use that connector.

Inspecting the headers from an on-premises mailbox user to a Gmail address in Message Header Analyzer, we can see that route from the on-premises server directly to Google servers. The message does not traverse through Exchange Online.

Configure outbound mail via Office 365 internet connector

Organizations often want to use Exchange Online for outbound mail because of Exchange Online Protection (message hygiene). It’s already included in the Exchange Online subscription license, and this way, you don’t need a third-party spam filter for extra costs.

You can change the outgoing mail via Exchange Online:

  • Before you start the migration
  • At the halfway point of the migration
  • End of the migration

In our example, we will configure outgoing mail via Exchange Online before we migrate mailboxes to Office 365.

Important: We recommend doing the below change in production environments outside of business hours in case of some impact on your normal mail flow.

Get Exchange on-premises send connectors

Let’s get the outbound send connectors in the organization. Run Exchange Management Shell as administrator and run the Get-SendConnector cmdlet.

[PS] C:\>Get-SendConnector | ft Name,AddressSpaces

Name                                                          AddressSpaces
----                                                          -------------
Internet email                                                {SMTP:*;1}
Outbound to Office 365 - d1c9beac-0655-48e7-9949-5e497af1d38d {;1}

Do you want to check the outbound send connectors in Exchange admin center? Sign in to the on-premises Exchange admin center. Go to mail flow > send connectors.

Configure outbound mail via Office 365 send connectors on-premises

We have two send connectors in the organization, which are:

  • Internet email for outbound mail to the internet
  • Outbound to Office 365 for hybrid mail flow

The Outbound to Office 365 send connector is already configured when you run the Hybrid Configuration Wizard.

Get Office 365 connectors

The Hybrid Configuration Wizard configures one send connector on your on-premises Exchange Server and two connectors (inbound and outbound) in Office 365.

Sign in to the Microsoft 365 Exchange admin center and verify the connectors.

Configure outbound mail via Office 365 connectors cloud

Now that we have identified that we have a send connector to the internet and the connectors which the Hybrid Configuration Wizard adds are in place, we can proceed to the next step.

Add send connector for outbound mail via Office 365

We need to add a send connector that sends outbound mail via Office 365. Before we do that, we need to find the Office 365 MX record.

Get Office 365 MX record

Sign in to Microsoft 365 admin center and navigate to Settings > Domain. Select the domain and go to the DNS records page. Copy the MX record value, as you will need it in the next step.

Configure outbound mail via Office 365 copy MX value

Create new send connector

Run Exchange Management Shell as administrator. Run the New-SendConnector cmdlet and fill in the details:

  • Name: Outbound to Internet via Office 365.
  • AddressSpaces: Use the asterisk (wildcard). This will match all domains that don’t have more specific routes to find, such as the hybrid namespace, which has its own connector.
  • CloudServicesMailEnabled: Set to true.
  • Fqdn: The Fully Qualified Domain Name is what the server will announce itself as when it issues the HELO command during the SMTP connection.
  • RequireTLS: Set to true.
  • DNSRoutingEnabled: Set DNS routing enabled to false, so this connector will not rely on MX records in DNS to determine where to send messages to.
  • SmartHosts: The Exchange Online Protection (EOP) endpoint. So all mail goes through Exchange Online first regardless of its eventual destination out there on the internet. We define that as a smart host instead of allowing MX records routing.
  • TLSAuthLevel: The certificate validation ensures that TLS encryption is used, and the certificates must also pass validation checks. The server won’t accept a self-signed certificate or any other invalid certificates.
[PS] C:\>New-SendConnector -Name "Outbound to Internet via Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts -TLSAuthLevel CertificateValidation

Identity                            AddressSpaces Enabled
--------                            ------------- -------
Outbound to Internet via Office 365 {smtp:*;1}    True

The new send connector will look as follow in the on-premises Exchange admin center.

Configure outbound mail via Office 365 send connector

Important: Port 25 must be allowed on the Exchange Server for outgoing mail flow to Office 365 in Exchange Hybrid environments. Read more in the article Exchange Hybrid firewall ports.

Disable old internet send connector

When that is done, we can disable the other send connector for outbound mail to the internet. After testing the mail flow, we can remove the send connector.

[PS] C:\>Set-SendConnector -Identity "Internet email" -Enabled $false

Restart Microsoft Exchange Transport service

Note: Changes to the transport configuration in Exchange do not take effect quickly as the server will load the configuration from Active Directory and then cache it for some time. Usually about 15 minutes.

If you want to speed up your testing, you will need to restart the Microsoft Exchange Transport Service on the server, which forces it to reload the configuration.

[PS] C:\>Restart-Service MSExchangeTransport

Read more: Restart Exchange Server services through PowerShell »

Test outbound mail flow via Office 365

Send a test mail from an Exchange on-premises mailbox to a Gmail address. After the message arrives, copy the headers and paste them into the Message Header Analyzer.

The mail went from on-premises Exchange Server to Exchange Online. It went through a few hops in Exchange Online before eventually traveling out to Google mail servers.

EOP smarthost connector

Compared with the first test email, you can see the difference that it made to email routing.

Remove old outbound send connector

You can now remove the old outbound send connector or wait a couple of days before you do a removal.

[PS] C:\>Remove-SendConnector "Internet email"

In the next article, we will migrate mailboxes to Office 365.


We showed how to configure outbound mail via Office 365. Change the Exchange on-premises outbound mail flow before, during, or after migration. From that point, the outbound mail flow will go via Exchange Online Protection and land in the recipient’s mailbox.

Did you enjoy this article? You may also like Renew certificate in Exchange Hybrid. Don’t forget to follow us and share this article.



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 9 Comments

  1. Hi,

    I want to send messages via the Exchange Online from my Exchanage Onpremise to the internet recipients.
    But I think one thing is not clear.
    Have I include in my spf record ip addresses of my exchange onpremise server?


    great post! What’s about the Outbound Cloud Connector with configured centralized Mail-Transport?
    Would be great if you could include the procedure to your blog or reply to this comment.
    Thanks in advance.

  3. Hi TAJRAN, Thanks for the great article which i am looking for. In my infra going to decommission exchange 2016 server which is running in hybrid (All mailboxes migrated to online and only internal & Internal to external mail flow happening through On-Prem). Need your input please.

  4. Hi Ali,
    Nice blog. Question for you, if I add an outbound connector in Exchange Online to my 3rd party MX service – when an Exchange Online mailbox user sends an On-Premise mailbox user (same org, hybrid config) – will it put it through the hybrid connector or through the new outbound connector?

    Wanting to route Exchange Online mailboxes through an outbound mail connector on EXO, whilst leaving on-premise to go through the on-prem Exchange servers outbound connector.


  5. Hi Ali!

    I have an hybrid scenario. Is it mandatory to have the MX value 0 pointing to the EOP fqdn in the dns? At the moment all the outbound mails from on-premise mailboxes relay trough a local postfix and its working ok, but when i configure it to relay through O365 the mails gets stuck in the Exchange queues. My main MX (0) is poiting to my on-premise relay i didn’t change it yet because i get some failures with autodiscover (i’ll see this issue later).

  6. Hi Ali, thanks for your great article as always.
    One question, is it not needed to create a receive connector on Exchange Online to accept traffic from on-premise ?

  7. Hi.
    Thanks for this great post!
    What i don’t get is ; how it understand which certificate is going to use ? I don’t see any definition here related to identify the certificate ? Because we can have more than one certificate.
    And the next question is : What should be the operation if the current certificate is going to expire ?
    Thanks in advance.

Leave a Reply

Your email address will not be published. Required fields are marked *