When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Microsoft announces it will soon update its Exchange Online SMTP relay requirements

Neowin · · Hot! with 2 comments

Outlook mail open on a laptop screen with Exchange written on the left

Microsoft has announced a major update to the requirements for SMTP (Simple Mail Transfer Protocol) communication protocol relay via its Exchange Online platform. Although not immediately effective as the change is set to kick off later in the year at the start of November, the tech giant shared this update in advance so IT admins and system admins are aware of the upcoming alteration.

The Exchange Team published the information on a Tech Community blog post where it shared the new requirements as well as the current ones. As per the update, the SMTP P2 header (sender) domain need not match:

Current Requirements

Currently, to relay email through Exchange Online, two conditions must be true:

  1. Any of the following is an accepted domain of your organization:
    - SMTP certificate domain on the SMTP connection; or
    - SMTP envelope sender domain in the MAIL FROM command (P1 sender domain); or
    - SMTP header sender domain, as shown in email clients (P2 sender domain).
  2. The sending host’s IP address or the certificate domain on the SMTP connection matches your tenant’s Inbound Connector of OnPremises type.

New Requirements

On November 1, 2023, we are removing the matching condition for the SMTP P2 sender domain (1c above). After we remove this condition, relaying email through Exchange Online will require the following:

  1. Any of the following is an accepted domain of your organization:
    - SMTP certificate domain on the SMTP connection; or
    - SMTP envelope sender domain in the MAIL FROM command (P1 sender domain).
  2. The sending host’s IP address or certificate domain on the SMTP connection matches your organization’s Inbound Connector of OnPremises type.

After November 1, 2023, if either of the above conditions are not met, the relay attempt from your on-premises environment to Exchange Online will be rejected.

Microsoft has also outlined some of the major limitations and has detailed ways to minimize the ill effects of the update:

This change may affect your organization’s email routing or delivery. Possible scenarios that are affected by this change include, but may not be limited to:

  1. Your organization hosts email on-premises, and you need to relay non-delivery reports (NDRs) generated by your on-premises system through Exchange Online. In this scenario, the NDRs often have null as the SMTP envelope sender (P1 sender), but the SMTP header sender domain (P2 sender domain) is your organization’s domain.
  2. Your organization uses an application hosted on-premises to send email and the SMTP envelope sender domain (P1 sender domain) is not an accepted domain in Exchange Online.
  3. You use a third-party cloud service to relay messages by creating an Inbound Connector of OnPremises type. For example, when you use a cloud service platform to relay emails through Exchange Online, the SMTP envelope sender domain (P1 sender domain) will be the 3rd party service’s domain (perhaps for bounce tracking), but the SMTP header domain (P2 sender domain) is your organization’s domain.

Actions to Take

To minimize the effects of this change before November 1, 2023:

  1. If you need to relay emails from on-premises through Exchange Online, and some of these emails apply to the scenarios indicated above, you must update your Inbound Connector of OnPremises type to use a certificate domain (instead of IP addresses), in addition, you must add the certificate domain as an accepted domain of your organization. To learn more, see Configure a certificate-based connector to relay email messages through Microsoft 365.
  2. If you need to use a third-party add-on service to process email messages sent from your organization and then relay through Exchange Online, the third-party service must support a unique certificate for your organization, and the certificate domain must be an accepted domain of your organization. An example is that your organization uses a signature service to add signature/disclaimer for each email sent from your organization. To learn more, see Scenario: Integrate Exchange Online with an email add-on service.

You may find more details about the updated requirements on the Tech Community blog post on the official website. Speaking of requirements, Microsoft recently quietly updated the AMD, Intel, and Qualcomm CPU lists supported on Windows 11, right after it released the Moment 3 feature update.

Report a problem with article
WhatsApp logo displayed on iPhone
Next Article

WhatsApp gains the ability to silence unknown callers automatically

Microsoft Office
Previous Article

Microsoft fixed security issues on Excel, Outlook 2013 and 2016, for both 32 and 64-bit

Join the conversation!

Login or Sign Up to read and post a comment.

2 Comments - Add comment