Mail Flow

Applies to: Office 365

Topic Last Modified: 2018-06-13

For most organizations using Office 365, we host your mailboxes and take care of mail flow. It's the simplest configuration and means that Office 365 manages all mailboxes and filtering. However, some organizations need more complex mail flow setups to make sure that they comply with specific regulatory or business needs. You can find out about those options here.

Microsoft Exchange Online can route mail flowing from your organization through an on-premises server or a hosted service (sometimes called “smart hosting”). This enables your organization to use data loss prevention (DLP) appliances, perform custom post-processing of outgoing email, and deliver email to business partners through private networks. Exchange Online also supports Address Rewrite, which routes outgoing email through an on-premises gateway that modifies the addresses. This feature enables you to hide sub-domains, make email from a multi-domain organization appear as a single domain, or make partner-relayed email appear as if it were sent from inside your organization. Administrators configure custom email routing within the Exchange admin center (EAC).

For more information, see Set up connectors to route mail between Office 365 and your own email servers.

Exchange Online can deliver mail flowing into and out of your organization.

As an Exchange Online customer, you can set up secure mail flow with a trusted partner by using Office 365 connectors. Office 365 supports secure communication through Transport Layer Security (TLS), and you can create a connector to enforce encryption via TLS. TLS is a cryptographic protocol that provides security for communications over the Internet. By using connectors, you can configure both forced incoming and outgoing TLS using self-signed or certification authority (CA)-validated certificates. You can also apply other security restrictions, such as specifying domain names or IP address ranges from which your partner organization sends mail.

For more information, see Set up connectors for secure mail flow with a partner organization.

A CA-validated certificate may be required.
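
The partner connector setup described above can also be scripted in Exchange Online PowerShell. The following is an added example, not part of the original page; it assumes an already connected Exchange Online PowerShell session, and the connector names, `partner.example`, `*.partner.example` and `203.0.113.0/24` are placeholder values.

```powershell
# Added example (not from the original page). All values below are placeholders.
$partnerDomain   = 'partner.example'      # partner's sending/receiving domain
$partnerCertName = '*.partner.example'    # name expected on the partner's TLS certificate
$partnerRange    = '203.0.113.0/24'       # range the partner sends mail from

# Inbound: mail claiming to come from the partner domain is rejected unless
# it arrives over TLS and from the listed IP range.
New-InboundConnector -Name 'Partner inbound (forced TLS)' `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -SenderIPAddresses $partnerRange `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -TlsSenderCertificateName $partnerCertName

# Outbound: mail to the partner domain is sent only over TLS.
# -TlsSettings controls how strictly the partner's certificate is checked:
#   EncryptionOnly        - any certificate is accepted, including self-signed
#   CertificateValidation - certificate must chain to a trusted CA
#   DomainValidation      - CA-validated and the name must match -TlsDomain
New-OutboundConnector -Name 'Partner outbound (forced TLS)' `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerCertName

# Review what was configured before relying on it.
Get-InboundConnector -Identity 'Partner inbound (forced TLS)' |
    Format-List Name, Enabled, SenderDomains, SenderIPAddresses,
                RestrictDomainsToIPAddresses, RequireTls, TlsSenderCertificateName

Get-OutboundConnector -Identity 'Partner outbound (forced TLS)' |
    Format-List Name, Enabled, RecipientDomains, UseMXRecord, TlsSettings, TlsDomain
```

With `EncryptionOnly` the channel is encrypted but the partner's identity is not verified, so `DomainValidation` is the stricter choice when the partner presents a CA-validated certificate.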

You can direct mail to specific sites by using connectors and transport rules. With criteria-based routing, you can choose a connector based on specific conditions.

For more information, see Scenario: Conditional mail routing.

You can add a trusted partner’s IP address to a safe list to ensure that messages the partner sends to you are not subject to anti-spam filtering. To do this, you can use the connection filter’s IP Allow list.

For more information, see Configure the connection filter policy.

A hybrid deployment gives organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. With hybrid transport, messages sent between recipients in either organization are authenticated, encrypted, and transferred using Transport Layer Security (TLS), and appear as “internal” to Exchange components such as transport rules, journaling, and anti-spam policies. You configure hybrid transport by using the Hybrid Configuration Wizard in Exchange Server.

For more information about mail routing in a hybrid deployment, see Transport routing in Exchange hybrid deployments.

The Microsoft Exchange Server Deployment Assistant also provides detailed hybrid deployment provisioning and hybrid message transport guidance.

Shared Address Space with On-Premises Routing Control (MX Points to On-Premises) is a hybrid deployment mail-routing scenario in which your mailboxes are hosted partially in Exchange Online and partially on-premises, and incoming and outgoing Internet mail flow is routed through the on-premises Exchange organization. This scenario is also called centralized mail transport. In this scenario, Exchange Online is provisioned with EOP and incoming Internet mail is routed to your on-premises mail server before being routed to EOP and finally to mailboxes hosted in Exchange Online. Additionally, outgoing mail from Exchange Online mailboxes is routed through the on-premises Exchange organization for messages sent to external recipients. With this configuration, you can use a single SMTP domain namespace for all mailboxes in both your on-premises Exchange organization and your Exchange Online organization.

For more information about transport options in a hybrid deployment, see Transport options in Exchange hybrid deployments.

Shared Address Space without On-Premises Routing Control (MX Points to EOP) is a hybrid mail-routing scenario in which your mailboxes are hosted partially in the cloud using Exchange Online and partially on-premises, and your MX record points to EOP. This scenario is appropriate when you use the Office 365 service to host some of your organization’s mailboxes and you want EOP to protect both your on-premises and cloud mailboxes. In this scenario, mail sent to recipients within your organization is initially routed through EOP, where spam and policy filtering occurs, before it reaches your on-premises mailboxes and cloud mailboxes.

For more information about transport options in a hybrid deployment, see Transport options in Exchange hybrid deployments.

Using the Hybrid Configuration Wizard to configure a hybrid deployment in Microsoft Exchange Server greatly reduces the likelihood that the deployment will experience problems. However, some areas fall outside the scope of the Hybrid Configuration Wizard and, if misconfigured, can cause problems in a hybrid deployment. These include Client Access server configuration and certificate installation and configuration.

For more information about troubleshooting a deployment with the Hybrid Configuration Wizard, see Troubleshoot a hybrid deployment.

You can modify an existing hybrid configuration by changing settings in the Hybrid Configuration Wizard. Scenarios include disabling centralized transport or disabling secure mail transport.

For more information about managing a hybrid deployment configuration, see Manage a hybrid deployment.

For more information about hybrid deployment requirements, see Hybrid deployment prerequisites.

In some hybrid configurations, you may need to purchase Exchange Online Protection licenses for your on-premises mailboxes.

To view feature availability across Office 365 plans, standalone options, and on-premises solutions, see the Exchange Online Service Description.