This article explains the change to the requirements for SMTP relay through Exchange Online, how to check whether your organization is affected, and how to update your configuration. If your organization doesn't use OnPremises type inbound connectors, this change doesn't affect you.
Old requirements
The old requirements to relay email through Exchange Online required that both of the following conditions be met:
- The domain used to relay mail is an accepted domain of your organization that meets any of the following conditions:
  - The domain in the SMTP certificate matches the domain in the SMTP connection.
  - The domain is in the MAIL FROM address (also known as the 5321.MailFrom address, P1 sender, or envelope sender) used in the SMTP transmission of the message.
  - The domain is in the email address in the From header field shown as the message sender in email clients (also known as the 5322.From address or P2 sender).
- The source IP address or the certificate domain on the SMTP connection matches your organization's OnPremises type inbound connector.
Current requirements
As of November 1, 2023, the matching condition for the From address domain is removed, so relaying email through Exchange Online requires that both of the following conditions be met:
- The domain used to relay mail is an accepted domain of your organization that meets any of the following conditions:
  - The domain in the SMTP certificate matches the domain in the SMTP connection.
  - The domain is in the MAIL FROM address used in the SMTP transmission of the message.
- The source IP address or the certificate domain on the SMTP connection matches your organization's OnPremises type inbound connector.
If either of the previously described conditions isn't met, the relay attempt from your on-premises environment to Exchange Online is rejected. Note that the From header (5322.From) domain no longer counts toward the first condition, so a message whose only link to your organization is its From header is rejected even if it is sent from a connector-matched source.
The change in requirements might affect your email routing or delivery. For example:
- You need to relay nondelivery reports (also known as NDRs or bounce messages) generated by your on-premises email environment through Exchange Online. In this scenario, the NDRs often have a null MAIL FROM sender address, but the domain in the From address is your organization's domain.
- Your organization uses an on-premises application to send email, and the MAIL FROM address domain isn't an accepted domain in Exchange Online.
- You use a non-Microsoft service to relay messages by creating an OnPremises type inbound connector. For example, when you use a cloud service to relay email through Exchange Online, the domain in the MAIL FROM address is the third-party service domain, but the From address is in your organization's domain.
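The following PowerShell is an added example, not part of the original article and not Exchange Online's implementation: it models the published relay conditions as a function and evaluates the three scenarios above under the old and the current rules, then shows the same NDR case passing once the source is identified by a certificate whose domain is an accepted domain. All domains, addresses and IP values are constructed, and the scenarios assume an IP-based OnPremises connector with no certificate on the connection.

```powershell
# Added example: simplified model of the published relay conditions.
# Not Exchange Online's code; all names, addresses and IPs are constructed.

function Get-Domain([string]$Address) {
    if ([string]::IsNullOrEmpty($Address)) { return $null }   # null MAIL FROM, as on an NDR
    return $Address.Split('@')[-1].ToLowerInvariant()
}

function Test-RelayAttribution {
    param(
        [string[]]$AcceptedDomains,
        [string]$CertificateDomain,   # domain in the certificate on the SMTP connection; '' if none
        [string]$MailFrom,            # 5321.MailFrom; '' for an NDR
        [string]$FromHeader,          # 5322.From
        [string]$SourceIp,
        [string[]]$ConnectorIps,      # SenderIPAddresses of the OnPremises connector
        [string]$ConnectorCertDomain, # TlsSenderCertificateName of the OnPremises connector
        [switch]$OldRules             # include the From header condition removed on Nov 1, 2023
    )
    $accepted = @($AcceptedDomains | ForEach-Object { $_.ToLowerInvariant() })

    # Condition 1: an accepted domain is attributed via the certificate or MAIL FROM
    # (and, under the old rules, also via the From header).
    $candidates = @($CertificateDomain, (Get-Domain $MailFrom))
    if ($OldRules) { $candidates += (Get-Domain $FromHeader) }
    $attributed = @($candidates | Where-Object { $_ -and ($accepted -contains $_) })

    # Condition 2: the connection matches the OnPremises connector by source IP or certificate.
    $connectorMatch = ($ConnectorIps -contains $SourceIp) -or
                      ($CertificateDomain -and ($CertificateDomain -eq $ConnectorCertDomain))

    $attributedDomain = if ($attributed.Count -gt 0) { $attributed[0] } else { $null }
    $result = if ($attributed.Count -gt 0 -and $connectorMatch) { 'Relayed' } else { 'Rejected' }
    [pscustomobject]@{
        AttributedDomain = $attributedDomain
        ConnectorMatch   = $connectorMatch
        Result           = $result
    }
}

# Constructed tenant: one accepted domain, one IP-based OnPremises connector, no certificate.
$common = @{ AcceptedDomains = 'contoso.com'; SourceIp = '203.0.113.10'; ConnectorIps = @('203.0.113.10') }

$scenarios = @(
    @{ Name = 'NDR from on-premises';          MailFrom = '';                     FromHeader = 'postmaster@contoso.com' }
    @{ Name = 'LOB app, non-accepted MAIL FROM'; MailFrom = 'alerts@app.example';  FromHeader = 'noreply@contoso.com' }
    @{ Name = 'Cloud relay service';           MailFrom = 'bounce@relay.example'; FromHeader = 'sales@contoso.com' }
)

foreach ($s in $scenarios) {
    $old = Test-RelayAttribution @common -MailFrom $s.MailFrom -FromHeader $s.FromHeader -OldRules
    $new = Test-RelayAttribution @common -MailFrom $s.MailFrom -FromHeader $s.FromHeader
    '{0,-36} old: {1,-8} new: {2}' -f $s.Name, $old.Result, $new.Result
}

# Mitigation: identify the source by a certificate whose domain is an accepted domain.
# The NDR still has a null MAIL FROM, but the certificate domain now attributes it.
$fixed = Test-RelayAttribution -AcceptedDomains 'contoso.com', 'relay.contoso.com' `
    -CertificateDomain 'relay.contoso.com' -ConnectorCertDomain 'relay.contoso.com' `
    -MailFrom '' -FromHeader 'postmaster@contoso.com' -SourceIp '198.51.100.7' -ConnectorIps @()
'{0,-36} new: {1} (attributed via {2})' -f 'NDR with certificate', $fixed.Result, $fixed.AttributedDomain
```

All three scenarios are relayed under the old rules only because the From header carried an accepted domain; under the current rules they are rejected, and the last call shows why the mitigation below works: the certificate domain both attributes the message to an accepted domain and matches the connector.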
Check if your organization is affected by this change
You can check by running the Start-HistoricalSearch cmdlet in Exchange Online PowerShell with the P2SenderAttribution extended report type, which reports messages that were attributed to your organization through the From (P2) address. Replace the NotifyAddress value with your admin email address in the following examples.
Example 1:
Start-HistoricalSearch -EndDate "2023/09/22" -StartDate "2023/09/18" -ReportTitle "Report all emails using non accepted domains as the sender" -ReportType "P2SenderAttribution" -NotifyAddress admin@contoso.com
Example 2:
Start-HistoricalSearch -EndDate "2023/09/22" -StartDate "2023/09/18" -ReportTitle "Report on emails using a specific sender domain (non accepted domain) as the sender" -ReportType "P2SenderAttribution" -NotifyAddress admin@contoso.com -SenderAddress *@contoso.com
Tip
The SenderAddress value must be in an accepted domain of your organization.
Example 3:
Start-HistoricalSearch -EndDate "2023/09/22" -StartDate "2023/09/18" -ReportTitle "Report on emails for a recipient domain using non accepted domains as the sender" -ReportType "P2SenderAttribution" -NotifyAddress admin@contoso.com -RecipientAddress *@fabrikam.com
Tip
The RecipientAddress value can contain any domain to which your organization sends email.
Start-HistoricalSearch returns the job, including its JobId GUID. Use the Get-HistoricalSearch cmdlet to report the status of the extended report job.
Replace <JobID> with the GUID value of your job from the previous examples, and then run the following command:
Get-HistoricalSearch -JobId <JobID> | Format-List
The ReportStatusDescription value "Complete - No results found" means your organization isn't impacted by the scenario.
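The following PowerShell is an added example, not part of the original article: it submits the P2SenderAttribution report for the last two weeks, polls the job with Get-HistoricalSearch, and interprets the ReportStatusDescription value. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), that admin@contoso.com is a placeholder notification address, and that the job's Status property reaches one of the terminal values Done, Failed or Cancelled; the terminal value names are an assumption.

```powershell
# Added example: run the P2SenderAttribution extended report end to end.
# Assumes Connect-ExchangeOnline has already been run; admin@contoso.com is a placeholder.
$notify = 'admin@contoso.com'
$end    = (Get-Date).Date
$start  = $end.AddDays(-14)     # search window; adjust to cover your relay traffic

$job = Start-HistoricalSearch -ReportType 'P2SenderAttribution' `
    -ReportTitle 'Relay attribution check (From-header attributed messages)' `
    -StartDate $start -EndDate $end `
    -NotifyAddress $notify

Write-Host "Submitted job $($job.JobId); polling until it finishes."

do {
    Start-Sleep -Seconds 300    # extended reports take a while; poll every 5 minutes
    $status = Get-HistoricalSearch -JobId $job.JobId
    Write-Host ('{0}  {1}  {2}' -f (Get-Date -Format 'HH:mm'), $status.Status, $status.ReportStatusDescription)
} until ($status.Status -in 'Done', 'Failed', 'Cancelled')   # terminal values assumed

# Interpret the outcome as the article describes it.
switch -Wildcard ($status.ReportStatusDescription) {
    'Complete - No results found' {
        'Not affected: no messages in the window were attributed only via the From (P2) address.'
    }
    'Complete*' {
        "Affected: download the report sent to $notify and review the MAIL FROM and certificate domains of the listed senders."
    }
    default {
        "Job did not complete: $($status.ReportStatusDescription)"
    }
}
```

If the report has results, each listed message is one that would be rejected under the current requirements once its From header no longer counts; use the sender and connector details in the report to decide which on-premises sources or third-party services need the certificate-based connector described in the next section.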
Minimize the effects of this change
If you need to relay email from on-premises through Exchange Online, and some of the previous scenarios apply to you, you need to update your OnPremises type inbound connector:
- Use a certificate for domain verification instead of IP addresses.
- Add the certificate domain as an accepted domain in your organization. For more information, see Configure a certificate-based connector to relay email messages through Microsoft 365.
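The following PowerShell is an added example, not part of the original article: it lists OnPremises inbound connectors that still identify the source only by IP address, verifies that the certificate domain is already an accepted domain, and then switches one connector to certificate-based identification with TLS required. The connector name and certificate domain are placeholders, and it assumes an existing Exchange Online PowerShell session and that the certificate domain has already been added and verified as a domain of your Microsoft 365 organization.

```powershell
# Added example: move an OnPremises inbound connector from IP-based to
# certificate-based identification. Names and domains are placeholders.
$connectorName = 'Relay from on-premises'
$certDomain    = 'relay.contoso.com'    # subject or SAN of the on-premises sending certificate

# 1. Connectors that still rely on source IP only (no certificate configured).
Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'OnPremises' -and -not $_.TlsSenderCertificateName } |
    Format-Table Name, Enabled, SenderIPAddresses, RequireTls

# 2. The certificate domain must be an accepted domain of the organization.
#    (Assumption: the domain was added and verified in the Microsoft 365 admin center first.)
if (-not (Get-AcceptedDomain -Identity $certDomain -ErrorAction SilentlyContinue)) {
    throw "$certDomain is not an accepted domain. Add and verify it for the organization before switching the connector."
}

# 3. Require TLS, identify the source by its certificate, and stop matching on source IP.
Set-InboundConnector -Identity $connectorName `
    -RequireTls $true `
    -TlsSenderCertificateName $certDomain `
    -SenderIPAddresses $null

# 4. Confirm the connector now matches on the certificate domain.
Get-InboundConnector -Identity $connectorName |
    Format-List Name, ConnectorType, Enabled, RequireTls, TlsSenderCertificateName, SenderIPAddresses
```

After the change, relay attempts from that source are attributed through the certificate domain (an accepted domain) and matched to the connector by the same certificate, so NDRs with a null MAIL FROM and application mail with a foreign MAIL FROM domain are relayed again. Confirm that the on-premises send connector actually presents the certificate named in TlsSenderCertificateName before clearing SenderIPAddresses, because a mismatch means no connector match and the relay is rejected.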
If you use a non-Microsoft service to process email messages sent from your organization, the non-Microsoft service must support the following requirements:
- A unique certificate for your organization.
- The certificate domain must be an accepted domain in your organization.
For example:
- You use a signature service to add signatures or disclaimers to all outbound messages.
- You use a CRM service to send email on behalf of your organization to internal and external recipients.
For more information, see Scenario: Integrate Exchange Online with an email add-on service.