
Configure outbound mail via Office 365

In the previous article, we updated the MX records to point to Office 365. This time, we will configure outbound mail flow via Office 365 for Exchange Hybrid environments. Doing so ensures that all emails sent from Exchange on-premises go through Exchange Online Protection (EOP).

Introduction

Right now, the on-premises Exchange organization has a send connector for outbound mail to the internet. This means that when an on-premises mailbox user sends an email, the shortest route to the internet is to use that connector.

Inspecting the headers of a message sent from an on-premises mailbox user to a Gmail address in Message Header Analyzer, we can see that the route goes from the on-premises server directly to Google's servers. The message does not traverse Exchange Online.

[Screenshot: Configure outbound mail via Office 365 internet connector]

Organizations often want to use Exchange Online for outbound mail because of Exchange Online Protection (message hygiene). It's already included in the Exchange Online subscription license, so you don't need a third-party spam filter at extra cost.

You can switch outbound mail to Exchange Online:

  • Before you start the migration
  • Halfway through the migration
  • At the end of the migration

In our example, we will configure outgoing mail via Exchange Online before we migrate mailboxes to Office 365.

Important: We recommend doing the below change in production environments outside of business hours in case of some impact on your normal mail flow.

Get Exchange on-premises send connectors

Let’s get the outbound send connectors in the organization. Run Exchange Management Shell as administrator and run the Get-SendConnector cmdlet.

[PS] C:\>Get-SendConnector | ft Name,AddressSpaces

Name                                                          AddressSpaces
----                                                          -------------
Internet email                                                {SMTP:*;1}
Outbound to Office 365 - d1c9beac-0655-48e7-9949-5e497af1d38d {smtp:exoip365.mail.onmicrosoft.com;1}

Do you want to check the outbound send connectors in Exchange admin center? Sign in to the on-premises Exchange admin center. Go to mail flow > send connectors.

[Screenshot: Configure outbound mail via Office 365 send connectors on-premises]

We have two send connectors in the organization, which are:

  • Internet email for outbound mail to the internet
  • Outbound to Office 365 for hybrid mail flow

The Outbound to Office 365 send connector is already configured when you run the Hybrid Configuration Wizard.

Get Office 365 connectors

The Hybrid Configuration Wizard configures one send connector on your on-premises Exchange Server and two connectors (inbound and outbound) in Office 365.

Sign in to the Microsoft 365 Exchange admin center and verify the connectors.

[Screenshot: Configure outbound mail via Office 365 connectors cloud]

Now that we have identified that we have a send connector to the internet and the connectors which the Hybrid Configuration Wizard adds are in place, we can proceed to the next step.

Add send connector for outbound mail via Office 365

We need to add a send connector that sends outbound mail via Office 365. Before we do that, we need to find the Office 365 MX record.

Get Office 365 MX record

Sign in to Microsoft 365 admin center and navigate to Settings > Domain. Select the domain and go to the DNS records page. Copy the MX record value, as you will need it in the next step.

[Screenshot: Configure outbound mail via Office 365 copy MX value]

Create new send connector

Run Exchange Management Shell as administrator. Run the New-SendConnector cmdlet and fill in the details:

  • Name: Outbound to Internet via Office 365.
  • AddressSpaces: Use the asterisk (wildcard). This matches every domain for which no more specific route exists; the hybrid namespace, for example, has its own connector and keeps using it.
  • CloudServicesMailEnabled: Set to true.
  • Fqdn: The Fully Qualified Domain Name is what the server announces itself as when it issues the HELO command during the SMTP connection.
  • RequireTLS: Set to true.
  • DNSRoutingEnabled: Set to false, so this connector does not rely on MX records in DNS to determine where to send messages.
  • SmartHosts: The Exchange Online Protection (EOP) endpoint. All mail goes through Exchange Online first, regardless of its eventual destination on the internet; the EOP endpoint is defined as a smart host instead of relying on MX routing.
  • TLSAuthLevel: Certificate validation ensures that TLS encryption is used and that the certificate also passes validation checks. The server won't accept a self-signed certificate or any other invalid certificate.

[PS] C:\>New-SendConnector -Name "Outbound to Internet via Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn mail.exoip.com -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts exoip-com.mail.protection.outlook.com -TLSAuthLevel CertificateValidation

Identity                            AddressSpaces Enabled
--------                            ------------- -------
Outbound to Internet via Office 365 {smtp:*;1}    True

The new send connector looks as follows in the on-premises Exchange admin center.

[Screenshot: Configure outbound mail via Office 365 send connector]

Important: Port 25 must be allowed on the Exchange Server for outgoing mail flow to Office 365 in Exchange Hybrid environments. Read more in the article Exchange Hybrid firewall ports.

Disable old internet send connector

When that is done, we can disable the other send connector for outbound mail to the internet. After testing the mail flow, we can remove the send connector.

[PS] C:\>Set-SendConnector -Identity "Internet email" -Enabled $false

Restart Microsoft Exchange Transport service

Note: Changes to the transport configuration in Exchange do not take effect immediately, because the server loads the configuration from Active Directory and then caches it for some time, usually about 15 minutes.

If you want to speed up your testing, you will need to restart the Microsoft Exchange Transport Service on the server, which forces it to reload the configuration.

[PS] C:\>Restart-Service MSExchangeTransport

Read more: Restart Exchange Server services through PowerShell »
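Before sending the test message, it is worth checking that the connector settings and the surrounding state are what the steps above intend, since a forgotten wildcard, a still-enabled "Internet email" connector or a smart host that does not match the tenant's MX record all let mail bypass EOP. The following script is an added example and not part of the original article; it assumes the connector names and the exoip.com domain used above (adjust the three variables), runs in the Exchange Management Shell, and uses Resolve-DnsName from the Windows DnsClient module. The TlsCertificateName check is included because the comments below report HealthChecker flagging it as unset; the article itself does not set it.

```powershell
# Added verification script (not from the original article). Adjust these
# three values for your organization before running.
$NewConnector = "Outbound to Internet via Office 365"
$OldConnector = "Internet email"
$Domain       = "exoip.com"   # accepted domain whose public MX now points at EOP

$c = Get-SendConnector -Identity $NewConnector -ErrorAction Stop
$problems = @()

# Settings the article prescribes for the EOP smart-host connector
$expected = @{
    CloudServicesMailEnabled = $true
    RequireTLS               = $true
    DNSRoutingEnabled        = $false
    TLSAuthLevel             = "CertificateValidation"
    Enabled                  = $true
}
foreach ($name in $expected.Keys) {
    $actual = $c.$name
    if ("$actual" -ne "$($expected[$name])") {
        $problems += "$name is '$actual', expected '$($expected[$name])'"
    }
}

# The address space must be the wildcard so the hybrid connector stays more specific
if (-not ($c.AddressSpaces | Where-Object { $_.Address -eq '*' })) {
    $problems += "AddressSpaces does not contain the wildcard '*'"
}

# The smart host should be the tenant's EOP endpoint: compare with the public MX record
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
      Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference | Select-Object -First 1
$smartHosts = @($c.SmartHosts | ForEach-Object { "$_" })
if ($mx -and ($smartHosts -notcontains $mx.NameExchange.TrimEnd('.'))) {
    $problems += "SmartHosts ($($smartHosts -join ', ')) does not match MX $($mx.NameExchange)"
}

# HealthChecker (see comments) reports an unset TlsCertificateName on this connector type
if (-not $c.TlsCertificateName) {
    $problems += "TlsCertificateName is not set; Exchange picks the certificate by Fqdn match"
}

# The old direct-to-internet connector must be disabled, or mail can still bypass EOP
$old = Get-SendConnector -Identity $OldConnector -ErrorAction SilentlyContinue
if ($old -and $old.Enabled) {
    $problems += "'$OldConnector' is still enabled; outbound mail may bypass EOP"
}

if ($problems.Count -eq 0) {
    "PASS: '$NewConnector' matches the expected EOP smart-host configuration"
} else {
    "FAIL: $($problems.Count) issue(s) found"
    $problems | ForEach-Object { "  - $_" }
}
```

Run it after the transport service restart; a PASS here means the configuration is in place, and the header test in the next section confirms that messages actually take the new route.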

Test outbound mail flow via Office 365

Send a test mail from an Exchange on-premises mailbox to a Gmail address. After the message arrives, copy the headers and paste them into the Message Header Analyzer.

The mail went from on-premises Exchange Server to Exchange Online. It went through a few hops in Exchange Online before eventually traveling out to Google mail servers.

[Screenshot: EOP smarthost connector]

Compared with the first test email, you can see the difference that it made to email routing.
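The Message Header Analyzer shows the hop chain interactively; the same check can be scripted so that every test message (or a user's "my mail got rejected" sample) can be verified the same way. The script below is an added example, not code from the article: it unfolds the Received headers, lists the hops in sending order with the TLS version each hop negotiated, and reports whether the message entered Exchange Online Protection before leaving for the internet. The header block is a constructed sample with documentation IP ranges and made-up host names; in practice, paste the headers of a real test message or load them with Get-Content -Raw.

```powershell
# Added example (not from the original article). Constructed sample headers
# of a message sent on-premises -> EOP -> Gmail; replace with real headers.
$headers = @'
Received: from NAM-EXAMPLE.outbound.protection.outlook.com (NAM-EXAMPLE.outbound.protection.outlook.com [203.0.113.10])
        by mx.google.com with ESMTPS id abc123
        for <user@gmail.com>; Tue, 5 Mar 2024 10:00:05 -0800 (PST)
Received: from EX-ONPREM01.exoip.local (192.0.2.25) by
 EXAMPLE.mail.protection.outlook.com (203.0.113.20) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.0000.00
 via Frontend Transport; Tue, 5 Mar 2024 18:00:03 +0000
Received: from EX-ONPREM01.exoip.local ([192.0.2.25]) by EX-ONPREM01.exoip.local
 ([192.0.2.25]) with mapi id 15.01.0000.000; Tue, 5 Mar 2024 19:00:01 +0100
From: user@exoip.com
To: user@gmail.com
Subject: Outbound test via EOP
'@

function Get-ReceivedHops {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Unfold RFC 5322 folded header lines (continuation lines start with whitespace)
    $unfolded = $RawHeaders -replace '\r?\n[ \t]+', ' '
    $received = @($unfolded -split '\r?\n' | Where-Object { $_ -match '^Received:' })
    # Each hop prepends its Received header, so the first one is the last hop;
    # reverse to get sending order.
    [array]::Reverse($received)
    $i = 0
    foreach ($r in $received) {
        $i++
        $from = if ($r -match '\bfrom\s+(\S+)') { $Matches[1] } else { '?' }
        $by   = if ($r -match '\bby\s+(\S+)')   { $Matches[1] } else { '?' }
        $tls  = if ($r -match 'version=(TLS[0-9_]+)') { $Matches[1] } else { 'none' }
        [pscustomobject]@{ Hop = $i; From = $from; By = $by; TLS = $tls }
    }
}

$hops = Get-ReceivedHops -RawHeaders $headers
$hops | Format-Table -AutoSize

# Expected path after the change: on-premises -> *.mail.protection.outlook.com
# -> *.outbound.protection.outlook.com -> destination. No EOP hop means the
# message still left the on-premises server directly.
$eopHop = $hops | Where-Object { $_.By -like '*.mail.protection.outlook.com' } | Select-Object -First 1
if ($eopHop) {
    "PASS: message entered Exchange Online Protection at hop $($eopHop.Hop) (TLS $($eopHop.TLS))"
} else {
    "FAIL: no EOP hop found; check that the old connector is disabled and the transport service was restarted"
}
```

For the sample above, the table lists three hops and the check passes at hop 2, where the on-premises server handed the message to the tenant's EOP endpoint over TLS 1.2. The same script run against the first test message from the introduction would list Google as the hop directly after the on-premises server and report FAIL.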

Remove old outbound send connector

You can now remove the old outbound send connector, or wait a couple of days before removing it.

[PS] C:\>Remove-SendConnector "Internet email"

In the next article, we will migrate mailboxes to Office 365.

Conclusion

We showed how to configure outbound mail via Office 365. Change the Exchange on-premises outbound mail flow before, during, or after migration. From that point, the outbound mail flow will go via Exchange Online Protection and land in the recipient’s mailbox.

Did you enjoy this article? You may also like Renew certificate in Exchange Hybrid. Don’t forget to follow us and share this article.

ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 20 Comments

  1. Hi Ali,

    Thank you so much. We are in a hybrid environment; SPF and DKIM were OK for the emails sent from O365, but emails sent from the "Internet email" send connector were failing DKIM because Exchange Server 2016 does not have built-in DKIM signing capability.
    I followed your instructions and created a new connector, and everything is working now.

    Thanks again.

  2. Thanks for the helpful post; just one thing that I’ve noticed when running HealthChecker for Exchange:

    Frequent Configuration Issues
    —————————–
    EXO Connector Present: True
    Send Connector -[send connector name]: Misconfigured to send authenticated internal mail to M365.
    CloudServicesMailEnabled: True
    TLSCertificateName set: False
    More Information: https://aka.ms/HC-ExoConnectorIssue

    Am I correct in understanding that this connector should have a TLS certificate name specified during creation?

  3. I made the connector as indicated but now (February 24) Microsoft Exchange HealthChecker reports an error:

    EXO Connector Present: True
    Send Connector – : Misconfigured to send authenticated internal mail to M365.
    CloudServicesMailEnabled: True
    TLSCertificateName set: False
    More Information: https://aka.ms/HC-ExoConnectorIssue

  4. On exchange on prem side, I get:

    4.4.4 Mail received as unauthenticated, incoming to a recipient domain configured in a hosted tenant which has no mail-enabled subscriptions.

    ??

    1. Never mind, it seems it was an issue with UTM policies on the firewall blocking traffic (specifically the SSL certificate UTM).

  5. Hi Ali,

    Thanks for this process/article.

    Does this process use the default SMTP port (25) to send these messages? I'm validating and would like to force all outgoing SMTP connections between Exchange on-premises and Exchange Online to be done using the secure SMTP protocol (587). Creating the connection in this way would use which port? How could I ensure that it only uses 587?

  6. Hello Ali,

    Is there a way to set the O365 outbound connector (O365 to your org) for SmtpMaxMessagesPerConnection over 20? The default limit for an on-prem send connector is 20.

    Thanks,
    Marinko

  7. Your work has been immensely valuable to me. Where can I donate to show my appreciation for your time and talent?

  8. Hi Ali, thanks for this tutorial. I actually have more than just one internal domain that I want to route to EOP. If I set domain1-com.mail.protection.outlook.com, what about Domain2.com and Domain3.com? The external MX records for these domains are set to domain2-com.mail.protection.outlook.com and domain3-com.mail.protection.outlook.com.
    Do I have to set more than one send connector, or can I integrate all 3 domains in one connector?
    Thank you in advance.

  9. Hi Ali!
    Thanks for this post!
    Is it necessary to specify the certificate in the TlsCertificateName parameter, just like the "Outbound to Office 365 – d1c9beac-0655-48e7-9949-5e497af1d38d" send connector is configured? How does the send connector understand which certificate it is going to use?

    Thanks!

  10. Hi,

    I want to send messages via Exchange Online from my Exchange on-premises server to internet recipients.
    But I think one thing is not clear.
    Do I have to include the IP addresses of my Exchange on-premises server in my SPF record?

      1. This does not seem to be the case in 2024. I’ve just had to resolve an issue in my organization’s hybrid setup where some email providers had begun to reject some emails that originated from our on-prem server even though they are routing through Exchange Online. The email headers include both the originating on-prem server as well as the Exchange Online Protection outbound servers.

        We have been set up to route outbound email through EOP for years and we removed the on-prem IPs from SPF at that time, and it has not been a problem until maybe last month when we started seeing spotty reports of email rejections. I finally saw a rejection report that noted our on-prem server’s public IP, and the problems were resolved by adding that IP back to SPF.

        So, it may not have been a problem a few years ago, but now it looks like providers are getting more stringent about what is required.

  11. Hi ALI TAJRAN,

    Great post! What about the outbound cloud connector with centralized mail transport configured?
    It would be great if you could include the procedure in your blog or reply to this comment.
    Thanks in advance.

  12. Hi TAJRAN, thanks for the great article, which I was looking for. In my infrastructure I am going to decommission an Exchange 2016 server which is running in hybrid (all mailboxes migrated to online, and only internal and internal-to-external mail flow happening through on-prem). I need your input, please.

  13. Hi Ali,
    Nice blog. Question for you: if I add an outbound connector in Exchange Online to my 3rd-party MX service, when an Exchange Online mailbox user sends to an on-premises mailbox user (same org, hybrid config), will it go through the hybrid connector or through the new outbound connector?

    Wanting to route Exchange Online mailboxes through an outbound mail connector on EXO, whilst leaving on-premise to go through the on-prem Exchange servers outbound connector.

    Thanks,
    John

  14. Hi Ali!

    I have a hybrid scenario. Is it mandatory to have the MX value 0 pointing to the EOP FQDN in DNS? At the moment all the outbound mail from on-premises mailboxes relays through a local Postfix and it's working OK, but when I configure it to relay through O365 the mail gets stuck in the Exchange queues. My main MX (0) is pointing to my on-premises relay; I didn't change it yet because I get some failures with Autodiscover (I'll look at this issue later).

  15. Hi Ali, thanks for your great article as always.
    One question: is it not needed to create a receive connector on Exchange Online to accept traffic from on-premises?

  16. Hi.
    Thanks for this great post!
    What I don't get is: how does it understand which certificate it is going to use? I don't see any definition here related to identifying the certificate, because we can have more than one certificate.
    And the next question is: what should be the procedure if the current certificate is going to expire?
    Thanks in advance.
