Configure outbound mail via Office 365 (2024)

In the previous article, we did update MX records to Office 365. This time, we will configure outbound mail flow via Office 365 for Exchange Hybrid environments. Doing that will ensure that all emails sent from Exchange on-premises go through Exchange Online Protection (EOP).

Introduction

Right now, the on-premises Exchange organization has a send connector for outbound mail to the internet. This means that when an on-premises mailbox user sends an email, the shortest route to the internet is to use that connector.

Inspecting the headers from an on-premises mailbox user to a Gmail address in Message Header Analyzer, we can see that route from the on-premises server directly to Google servers. The message does not traverse through Exchange Online.

Organizations often want to use Exchange Online for outbound mail because of Exchange Online Protection (message hygiene). It’s already included in the Exchange Online subscription license, and this way, you don’t need a third-party spam filter for extra costs.

You can change the outgoing mail via Exchange Online:

• Before you start the migration
• At the halfway point of the migration
• End of the migration

In our example, we will configure outgoing mail via Exchange Online before we migrate mailboxes to Office 365.

Important: We recommend doing the below change in production environments outside of business hours in case of some impact on your normal mail flow.

Get Exchange on-premises send connectors

Let’s get the outbound send connectors in the organization. Run Exchange Management Shell as administrator and run the Get-SendConnector cmdlet.

[PS] C:\>Get-SendConnector | ft Name,AddressSpacesName AddressSpaces---- -------------Internet email {SMTP:*;1}Outbound to Office 365 - d1c9beac-0655-48e7-9949-5e497af1d38d {smtp:exoip365.mail.onmicrosoft.com;1}

Do you want to check the outbound send connectors in Exchange admin center? Sign in to the on-premises Exchange admin center. Go to mail flow > send connectors.

We have two send connectors in the organization, which are:

• Internet email for outbound mail to the internet
• Outbound to Office 365 for hybrid mail flow

The Outbound to Office 365 send connector is already configured when you run the Hybrid Configuration Wizard.

Get Office 365 connectors

The Hybrid Configuration Wizard configures one send connector on your on-premises Exchange Server and two connectors (inbound and outbound) in Office 365.

Sign in to the Microsoft 365 Exchange admin center and verify the connectors.

Now that we have identified that we have a send connector to the internet and the connectors which the Hybrid Configuration Wizard adds are in place, we can proceed to the next step.

Add send connector for outbound mail via Office 365

We need to add a send connector that sends outbound mail via Office 365. Before we do that, we need to find the Office 365 MX record.

Get Office 365 MX record

Sign in to Microsoft 365 admin center and navigate to Settings > Domain. Select the domain and go to the DNS records page. Copy the MX record value, as you will need it in the next step.

Create new send connector

Run Exchange Management Shell as administrator. Run the New-SendConnector cmdlet and fill in the details:

• Name: Outbound to Internet via Office 365.
• AddressSpaces: Use the asterisk (wildcard). This will match all domains that don’t have more specific routes to find, such as the hybrid namespace, which has its own connector.
• CloudServicesMailEnabled: Set to true.
• Fqdn: The Fully Qualified Domain Name is what the server will announce itself as when it issues the HELO command during the SMTP connection.
• RequireTLS: Set to true.
• DNSRoutingEnabled: Set DNS routing enabled to false, so this connector will not rely on MX records in DNS to determine where to send messages to.
• SmartHosts: The Exchange Online Protection (EOP) endpoint. So all mail goes through Exchange Online first regardless of its eventual destination out there on the internet. We define that as a smart host instead of allowing MX records routing.
• TLSAuthLevel: The certificate validation ensures that TLS encryption is used, and the certificates must also pass validation checks. The server won’t accept a self-signed certificate or any other invalid certificates.

[PS] C:\>New-SendConnector -Name "Outbound to Internet via Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn mail.exoip.com -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts exoip-com.mail.protection.outlook.com -TLSAuthLevel CertificateValidationIdentity AddressSpaces Enabled-------- ------------- -------Outbound to Internet via Office 365 {smtp:*;1} True

The new send connector will look as follow in the on-premises Exchange admin center.

Important: Port 25 must be allowed on the Exchange Server for outgoing mail flow to Office 365 in Exchange Hybrid environments. Read more in the article Exchange Hybrid firewall ports.

Disable old internet send connector

When that is done, we can disable the other send connector for outbound mail to the internet. After testing the mail flow, we can remove the send connector.

[PS] C:\>Set-SendConnector -Identity "Internet email" -Enabled $false

Restart Microsoft Exchange Transport service

Note: Changes to the transport configuration in Exchange do not take effect quickly as the server will load the configuration from Active Directory and then cache it for some time. Usually about 15 minutes.

If you want to speed up your testing, you will need to restart the Microsoft Exchange Transport Service on the server, which forces it to reload the configuration.

[PS] C:\>Restart-Service MSExchangeTransport

Read more: Restart Exchange Server services through PowerShell »

Test outbound mail flow via Office 365

Send a test mail from an Exchange on-premises mailbox to a Gmail address. After the message arrives, copy the headers and paste them into the Message Header Analyzer.

The mail went from on-premises Exchange Server to Exchange Online. It went through a few hops in Exchange Online before eventually traveling out to Google mail servers.

Compared with the first test email, you can see the difference that it made to email routing.

Remove old outbound send connector

You can now remove the old outbound send connector or wait a couple of days before you do a removal.

[PS] C:\>Remove-SendConnector "Internet email"

In the next article, we will migrate mailboxes to Office 365.

Conclusion

We showed how to configure outbound mail via Office 365. Change the Exchange on-premises outbound mail flow before, during, or after migration. From that point, the outbound mail flow will go via Exchange Online Protection and land in the recipient’s mailbox.

Did you enjoy this article? You may also like Renew certificate in Exchange Hybrid. Don’t forget to follow us and share this article.