Fixing connector validation errors

Article
11/12/2015

Applies to: Exchange Online, Exchange Online Protection

You're trying to make sure a connector that you want to create will work properly. You've run the validation check, but something is wrong. In this topic, you can learn more about the failures and what to do about them. Skip ahead to the section later that corresponds with a failure you're getting. You can save a connector that does not validate, but this can cause problems because it will prevent you from sending email.

What happens when you validate a connector

When you validate a connector, there are two general tasks that follow. First, Office 365 tests each smart host that you entered to help ensure that Office 365 can connect to each of them via SMTP. Second, Office 365 tests the ability to send an email through your new connector. The Validation Result and the associated details describe what happened in each of the two tasks. For any task that failed, check below to learn what to do about it.

Resolve task failed

Try these steps if you get a resolve-related failure:

Click Back to see the smart host entry and check for any simple typographical mistakes. 
If you used an FQDN for the smart host, such as mail.contoso.com, verify that it has a valid MX record or an A record and that each record can be associated with the correct IP address.

Connection task failed

Try these steps if you get a connection failure:

Click Back to see the smart host entry and check for any simple typographical mistakes. 
Check the firewall in your email server (an on-premises server) to make sure that port 25 is open.
Check that your firewall configuration does not block IP addresses from Office 365. The IP address ranges can be found at Exchange Online Protection IP addresses.

SMTP EHLO task failed

Try these steps if you get an SMTP EHLO failure:

Verify that the smart host you entered is set up to be an email server.
Close the connector validation details and wait several minutes. Click Back and then run the validation check again. It's possible that the email server was too busy to accept new connections.

TLS task failed

Try these steps if Transport Layer Security (TLS) fails:

Check that TLS is enabled in your email server (an on-premises server) or in your partner organization's email server.
Verify that the recipient's email server has a TLS certificate and that the certificate meets all the following criteria:
- It has not expired.
- It was issued by a trusted certificate authority (CA) if you chose the option to use a CA-signed certificate.
- The certificate's subject name matches the domain name that you entered if you chose to use only a specific domain name for TLS verification.

Test email failed

Try these steps if sending a test email fails:

Check the email address for any simple typographical mistakes in either the user ID name or the domain name. That is, check both sides of the at sign (@).
If you are validating a connector from Office 365 to your partner, and you can be sure the address exists, use it.
If you are validating a connector from Office 365 to your own email server (on-premises server), check that the email address you used is for an active mailbox hosted in your own email server. Make sure you can successfully send mail to this mailbox from a different location.
Ensure that the email address is within the scope of the connector you're validating. The domain part of the test email address should match the recipient domain you entered in the connector.

More information about validating a connector

You can only validate connectors for mail that flows from Office 365 to your own email server or to a partner organization.

Each time you validate a connector, the mailbox at an email address you enter will get a message from user (at) O365ConnectorValidation.com if it is a valid email addresses and Office 365 can successfully send mail to it.