
How to Allow a Multi-function Device or Application to Send E-mail through Office 365 Using SMTP

Exchange Online
 

Topic Last Modified: 2014-02-13

SMTP (Simple Mail Transfer Protocol) is used when you set up an on-premises multi-function printer, scanner, fax, or line-of-business (LOB) application that needs to send email. If some or all of your mailboxes are in Office 365, there are a few options available: SMTP relay, client SMTP submission, or Direct Send.

  • SMTP Relay: An SMTP relay is used to send mail from your organization by authenticating the IP address or certificate of the sender. Any email address (including non-Office 365 mailboxes) can send mail using an SMTP relay, as long as it uses a domain that’s set up as yours in Office 365.

  • Client SMTP Submission: Client SMTP submission allows your device or LOB application to send emails using an email address associated with an Office 365 mailbox by authenticating itself using that account. Each device can have its own sender address or all devices can use one address such as printer@yourdomain.com.

  • Direct Send: Direct Send can be used if the device or LOB application has the ability to send mail by itself. If so, the device or LOB application does not use Office 365 to send the mail, but the mail is received by Office 365 for delivery to your Office 365 accounts.

The following table will help you decide which one of these options will meet your needs. Detailed information and setup steps follow each method.

 

| Option | SMTP Relay | Client SMTP Submission | Direct Send |
|---|---|---|---|
| Send to recipients in our domain(s) | Yes | Yes | Yes |
| Relay to Internet via Office 365 | Yes | Yes | No. Direct delivery only. |
| Configuration requirements | Port 25; TLS optional; one or more static IP addresses are required. Tip: This method cannot be used with Azure or addresses on a Policy Block List. | Port 587 or 25; TLS required; dynamic IPs allowed | Port 25; TLS optional |
| Requires authentication | No. IP address provides authentication. | Yes. However, if the device does not support this option, you can use on-premises Windows SMTP relay. | No |
| Bypasses anti-spam | No. Suspicious emails may be filtered. We recommend a custom SPF record. | Yes, if the mail is destined for an Office 365 mailbox. | No. Suspicious emails may be filtered. We recommend a custom SPF record. |
| Throttling Limits | Reasonable limits are imposed. The service cannot be used to send spam. | 10,000 recipients per day. | None |
| Licensing requirements | Requires Exchange Online Protection licenses for each sender. Office 365 mailboxes have this license. | Can use a standard or shared mailbox. | Email sender licensing not required. |
| FQDN of SMTP Endpoint | To obtain the string for your domain, go to Domains in the Office 365 Portal. | smtp.office365.com | No endpoint required. This method uses DNS-based routing. |

The SMTP relay method allows Office 365 to handle email delivery on your behalf by authenticating using your public IP address or a certificate. Your device or LOB application can send email as any email address within your owned and verified domains. The address does not have to resolve to an Office 365 mailbox. However, if the email address doesn’t exist, then recipients that reply to the emails will receive a Non-Delivery Report (NDR). If the device or application is used to send spam or bulk email against the Office 365 Terms of Service, the email address and/or IP may be blocked by Office 365. If your device or LOB application supports or requires authentication (for example, if your users need to send emails only as their own accounts), you may want to consider the Client SMTP Submission method instead.

If all of your users have Office 365 mailboxes, you don’t need any additional licensing to use this option. If you have senders using the device or LOB application who don’t have an Office 365 mailbox, then you should make sure that each non-Office 365 user has an Exchange Online Protection license to cover outbound and/or inbound relay.

If you have already set up Exchange Hybrid or have an Exchange Online Protection Inbound On-premises Connector configured, then it is likely that no additional setup will be required for Office 365.

  1. Obtain the public IP address you’re using. A dynamic IP address isn’t supported or allowed. You can share the IP with other devices and users, but you shouldn’t be sharing the IP with anyone outside of your company. Make note of this IP address for later.

  2. Log on to the Office 365 Portal.

  3. Select Domains. Highlight one of your domains and use the wizard to obtain your MX record. The MX record will look similar to contoso.com.mail.protection.outlook.com. Make a note of the MX record for later.

  4. In the upper right, select Admin and then select Exchange from the drop-down list. If you have Small Business, then see the instructions here.

  5. In the Exchange Admin Center, select Mail Flow > Connectors.

  6. If no inbound connector exists, create one.

    1. Give the connector a name.

    2. Select On-Premises for the Connector Type.

    3. Under Domains, add a single asterisk (*). This will allow sending to any domain. Other values in this field will limit the domains that you can send mail to.

    4. In the IP Addresses section, add the IP address from Step 1.

    5. Leave all the other fields with their default values and select Save.

  7. In the DNS for your domain, we suggest that you modify your SPF record to include the IP address from Step 1. The finished string should look similar to this: v=spf1 ip4:10.1.2.3 include:spf.protection.outlook.com ~all where 10.1.2.3 is your public IP address. Skipping this step could cause email to be sent to recipients’ junk mail folders.

  8. In the device’s settings, specify a Smart Host value equal to the MX record value you recorded in Step 3.
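A check for the SPF string from step 7, as an added example that is not part of the original article: it parses a record offline and reports whether the connector IP and the spf.protection.outlook.com include are both authorized. The function name `check_spf` and the sample records are constructed for illustration.

```python
import ipaddress

REQUIRED_INCLUDE = "spf.protection.outlook.com"  # include named in step 7

def check_spf(record, sender_ip):
    """Return a list of problems in an SPF TXT string (empty list = OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    ip = ipaddress.ip_address(sender_ip)
    problems, ip_ok, include_ok, all_qualifier = [], False, False, None
    for term in terms[1:]:
        # A leading +, -, ~ or ? is the qualifier; no prefix means "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        mech = mech.lower()
        if mech.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                problems.append(f"unparseable address in {term!r}")
                continue
            if qualifier == "+" and ip in net:  # False when IP versions differ
                ip_ok = True
        elif mech == f"include:{REQUIRED_INCLUDE}":
            include_ok = qualifier == "+"
        elif mech == "all":
            all_qualifier = qualifier
    if not ip_ok:
        problems.append(f"{sender_ip} is not authorized by an ip4/ip6 term")
    if not include_ok:
        problems.append(f"include:{REQUIRED_INCLUDE} is missing")
    if all_qualifier not in ("~", "-"):
        problems.append("no ~all or -all term, so other senders are not restricted")
    return problems

if __name__ == "__main__":
    # Constructed sample records; 10.1.2.3 is the article's placeholder IP.
    good = "v=spf1 ip4:10.1.2.3 include:spf.protection.outlook.com ~all"
    bad = "v=spf1 include:spf.protection.outlook.com ~all"
    print(check_spf(good, "10.1.2.3"))
    print(check_spf(bad, "10.1.2.3"))
```
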

The client SMTP submission method uses Office 365 to send email via SMTP using an Office 365 mailbox account’s credentials. Each email needs to be sent by a valid email address associated with an Office 365 mailbox. Mailboxes that are outside of Office 365 aren’t supported. If the device or application is used to send spam or bulk email against the Office 365 Terms of Service, the email address and/or IP may be throttled or blocked by Office 365.

  1. Confirm that your device or application supports Transport Layer Security (TLS) for SMTP on either port 587 or port 25 (587 is recommended). You may want to verify with the device or application vendor if there are firmware or software updates, particularly if the device or application is more than a few months old. If TLS is not supported, then you may want to consider using the SMTP Relay method or install and configure Windows SMTP on-premises to handle the communication to Office 365. TLS v1.1 or later is required, and a number of ciphers are supported. If your application or device is having trouble with the STARTTLS exchange, then you may want to make sure all patches are applied.

  2. Decide if the device or application allows users to specify their own email address and credentials on a per-user basis, or if a single or shared mailbox can be used to send all email as a single sender. If you’re sending as a single email address, for example printer@contoso.com, you’ll need to ensure that the following statements are true:

    1. The domain portion, for example contoso.com, must be a verified and accepted domain for your Office 365 tenant.

    2. The full SMTP address must be added to either an existing Office 365 mailbox or a new Office 365 Shared Mailbox.

  3. Exact configuration options will vary by device and application. For more information, see How to configure Internet Information Server (IIS) for relay with Office 365. At a minimum, the following must be configured on the device:

    • Smart host smtp.office365.com

    • Port 25 or 587. If your device or application doesn’t allow you to specify a port, then 25 will be used. However, 587 is highly recommended as many ISPs will block port 25.

    • Use Transport Layer Security (TLS) Office 365 requires TLS to ensure that your credentials are passed securely. Use of SSL over port 465 is not supported.

    • Email address/credentials The credentials must be valid Office 365 credentials. Some devices or applications may also allow you to specify the email address. Although the email address and the username can be different, they must be associated with the same Office 365 account.
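The minimum settings above, applied in an LOB application, as an added example that is not part of the original article: the client upgrades to TLS with certificate verification before any credentials are sent and rejects port 465. The function names and the sample addresses are constructed for illustration; the host and ports are the ones listed above.

```python
import smtplib
import ssl
from email.message import EmailMessage

SMART_HOST = "smtp.office365.com"  # smart host listed in the settings above
ALLOWED_PORTS = (587, 25)          # SSL over port 465 is not supported

def tls_context():
    """Verify the server certificate and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # meets "TLS v1.1 or later"
    return ctx

def build_message(sender, recipient, subject, body):
    """Build the mail; the sender must belong to the authenticating mailbox."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def submit(msg, username, password, port=587, timeout=30):
    """Send one message, failing closed if TLS cannot be negotiated."""
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port {port} is not supported for client submission")
    with smtplib.SMTP(SMART_HOST, port, timeout=timeout) as smtp:
        # starttls() raises if the server does not offer STARTTLS, so the
        # login below can never run over a plaintext connection.
        smtp.starttls(context=tls_context())
        smtp.login(username, password)
        smtp.send_message(msg)

if __name__ == "__main__":
    # Constructed values; printer@contoso.com is the article's example sender.
    demo = build_message("printer@contoso.com", "user@contoso.com",
                         "Scan", "Attached.")
    print(demo["From"], tls_context().minimum_version.name)
```

Calling `submit(demo, username, password)` performs the actual send and needs network access and valid Office 365 credentials.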

Another option to consider when setting up devices and LOB applications to send email messages is to use direct SMTP send. In this case, the device or application will handle all email delivery directly, regardless of destination, and Office 365 is not used to send the messages. There are several scenarios where this can be the best choice:

  1. If the device or application is only sending email to your own Office 365 users, then this is the simplest method, as there is absolutely nothing to configure.

  2. If the device or application has a built-in SMTP server capability and you want to manage and control it separately. This may be particularly useful if you don’t want Office 365 to throttle or scan your outbound email for viruses and spam.

  3. If you’re sending bulk email or newsletters, as Office 365 does not support this. You may want to enlist the help of a bulk email service provider to assist you. There are best practices that should be followed.

If your device or application does not support direct send but this method is still the best choice for you, Windows SMTP can provide the direct send routing capability.

 
© 2014 Microsoft. All rights reserved.