Updated Requirements for SMTP Relay through Exchange Online


Today, we are announcing an update to our requirements for SMTP relay through Exchange Online. If your organization does not use Inbound Connectors of OnPremises type, this change will not affect you.

Current Requirements

Currently, to relay email through Exchange Online, two conditions must be true:
  1. Any of the following is an accepted domain of your organization:
    a. SMTP certificate domain on the SMTP connection; or
    b. SMTP envelope sender domain in the MAIL FROM command (P1 sender domain); or
    c. SMTP header sender domain, as shown in email clients (P2 sender domain).
  2. The sending host’s IP address or the certificate domain on the SMTP connection matches your tenant’s Inbound Connector of OnPremises type.

New Requirements

On November 1, 2023, we are removing the matching condition for the SMTP P2 sender domain (1c above). After we remove this condition, relaying email through Exchange Online will require the following:
  1. Any of the following is an accepted domain of your organization:
    a. SMTP certificate domain on the SMTP connection; or
    b. SMTP envelope sender domain in the MAIL FROM command (P1 sender domain).
  2. The sending host’s IP address or certificate domain on the SMTP connection matches your organization’s Inbound Connector of OnPremises type.
After November 1, 2023, if either of the above conditions is not met, the relay attempt from your on-premises environment to Exchange Online will be rejected.

This change may affect your organization’s email routing or delivery. Possible scenarios that are affected by this change include, but may not be limited to:
  1. Your organization hosts email on-premises, and you need to relay non-delivery reports (NDRs) generated by your on-premises system through Exchange Online. In this scenario, the NDRs often have null as the SMTP envelope sender (P1 sender), but the SMTP header sender domain (P2 sender domain) is your organization’s domain.
  2. Your organization uses an application hosted on-premises to send email and the SMTP envelope sender domain (P1 sender domain) is not an accepted domain in Exchange Online.
  3. You use a third-party cloud service to relay messages by creating an Inbound Connector of OnPremises type. For example, when you use a cloud service platform to relay emails through Exchange Online, the SMTP envelope sender domain (P1 sender domain) will be the third-party service’s domain (perhaps for bounce tracking), but the SMTP header domain (P2 sender domain) is your organization’s domain.

Actions to Take

To minimize the effects of this change before November 1, 2023:
  1. If you need to relay emails from on-premises through Exchange Online, and some of these emails fall under the scenarios indicated above, you must update your Inbound Connector of OnPremises type to use a certificate domain (instead of IP addresses). In addition, you must add the certificate domain as an accepted domain of your organization. To learn more, see Configure a certificate-based connector to relay email messages through Microsoft 365.
  2. If you need to use a third-party add-on service to process email messages sent from your organization and then relay them through Exchange Online, the third-party service must support a unique certificate for your organization, and the certificate domain must be an accepted domain of your organization. For example, your organization might use a signature service to add a signature or disclaimer to each email sent from your organization. To learn more, see Scenario: Integrate Exchange Online with an email add-on service.

-- Exchange Online Transport Team
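
The relay check described above, modelled as an added example (not Microsoft's code and not part of the original post): it evaluates the three affected scenarios under the current and new rules, then the NDR case after action 1. The domain names, IP address, the P2 domain in scenario 2 and the exact-match comparison are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Connector:
    """Inbound Connector of OnPremises type: matches by IP or certificate domain."""
    sender_ips: frozenset = frozenset()
    cert_domain: Optional[str] = None

@dataclass(frozen=True)
class Message:
    source_ip: str
    cert_domain: Optional[str]  # domain on the certificate presented on the SMTP connection
    p1_domain: Optional[str]    # MAIL FROM domain; None models the null sender <>
    p2_domain: Optional[str]    # header From domain shown in email clients

def relay_allowed(msg, accepted, conn, p2_counts):
    """p2_counts=True models the current rule (1c honoured); False models the new rule."""
    candidates = [msg.cert_domain, msg.p1_domain] + ([msg.p2_domain] if p2_counts else [])
    cond1 = any(d is not None and d.lower() in accepted for d in candidates)
    cert_match = (msg.cert_domain is not None and conn.cert_domain is not None
                  and msg.cert_domain.lower() == conn.cert_domain.lower())
    cond2 = msg.source_ip in conn.sender_ips or cert_match
    return cond1 and cond2

# Constructed sample data (documentation-reserved names and addresses, all assumed).
ACCEPTED = frozenset({"contoso.example"})
IP_CONN = Connector(sender_ips=frozenset({"203.0.113.10"}))
SCENARIOS = {
    "ndr_null_p1": Message("203.0.113.10", None, None, "contoso.example"),
    "app_foreign_p1": Message("203.0.113.10", None, "app.invalid", "contoso.example"),
    "third_party_p1": Message("203.0.113.10", None, "bounce.vendor.example", "contoso.example"),
}

def evaluate():
    """Return {scenario: (allowed under current rule, allowed under new rule)}."""
    return {name: (relay_allowed(m, ACCEPTED, IP_CONN, True),
                   relay_allowed(m, ACCEPTED, IP_CONN, False))
            for name, m in SCENARIOS.items()}

def evaluate_remediated():
    """Same NDR after action 1: certificate-based connector, cert domain accepted."""
    accepted = ACCEPTED | {"relay.contoso.example"}
    conn = Connector(cert_domain="relay.contoso.example")
    ndr = Message("203.0.113.10", "relay.contoso.example", None, "contoso.example")
    return relay_allowed(ndr, accepted, conn, False)

if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name}: current={old} new={new}")
    print("ndr via certificate connector, new rule:", evaluate_remediated())
```

All three scenarios pass only because of the P2 match, which is why they are rejected once condition 1c is removed; the certificate-based connector satisfies both conditions without relying on P1 or P2.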
