Mail flow best practices for Exchange Online and Office 365 (overview)
Use Microsoft Exchange Online and Office 365 to manage mail flow. Find out how, and get tips and best practices for setting up and managing your email.
This article is intended for IT Pros. Want something else?
Office 365 gives you flexibility in determining the best arrangement for how email is delivered to your organization's mailboxes. The path email takes from the internet to a mailbox and vice versa is called mail flow. Most organizations want Office 365 to manage all their mailboxes and filtering, and some organizations need more complex mail flow setups to make sure that they comply with specific regulatory or business needs. If you're part of a small business or simply an organization that wants Office 365 to manage all your mailboxes and mail flow, we recommend following the steps in Set up Microsoft 365 for business. That article provides a complete checklist for setting up Office 365 services and programs, including how to set up your mail flow and email clients.
For information about how your email is protected with EOP, see Exchange Online Protection Overview.
Are you new to Office 365 mail flow? Check out the External Domain Name System records for Office 365 topic. We especially recommend reading the part about SPF records because customers often list the wrong values in their SPF record, which can cause mail flow problems.
Office 365 mail flow covers the following scenarios:
|Mail flow setup||Your organization's scenario||Complexity|
|Manage all mailboxes and mail flow using Office 365||Scenario 1
I'm a new Office 365 customer, and all my users' mailboxes are in Office 365. I want to use all filtering solutions offered by Office 365.
I'm a new Office 365 customer. I have an existing email service but plan to move all the existing users' mailboxes to the cloud at once. I want to use all filtering solutions offered by Office 365.
|Manage mail flow using a third-party cloud service with Office 365||Scenario 1
I plan to have Office 365 host all of my organization's mailboxes. My organization uses (or plans to use) a third-party (mail services) cloud solution for filtering spam and malware. All email sent from the internet must be filtered by this third-party cloud service.
I plan to have Office 365 host all my organization's mailboxes. My organization needs to send all email to a third-party service, such as archiving or auditing. However, the third-party service doesn't provide a spam filtering solution.
|Manage mail flow with mailboxes in multiple locations (Office 365 and on-prem)
Important: In the near future, Office 365 will reject email from unknown senders that are relayed from on-premises servers. This means that if the sender or recipient domain of a message doesn't belong to your organization, Office 365 will reject the message unless you have created a connector to allow this behavior. This change will help prevent unauthorized parties from using your organization to send spam or malware through Office 365.
This change potentially affects your mail flow if you use any scenario in this section. Each scenario has best practices to ensure that your mail flow continues uninterrupted.
I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use Office 365 as my spam filtering solution and would like to send my messages from my on-premises server to the internet via Office 365. Office 365 sends and receives all messages.
I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use the filtering and compliance solutions that are already in my on-premises environment. And all messages coming from the internet to my cloud mailboxes or messages sent to the internet from my cloud mailboxes need to route through my on-premises servers.
I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use the filtering and compliance solutions that are already in my on-premises email environment. All messages coming from the internet to my cloud mailboxes or messages sent to the internet from cloud mailboxes must route through my on-premises servers. And I need to point my domain's MX record to my on-premises server.
I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use the filtering and compliance solutions that are already in my on-premises email environment. All messages sent from my on-premises servers must relay through Office 365 to the internet. And I need to point my domain's MX record to my on-premises server.
|Manage mail flow using a third-party cloud service with mailboxes on Office 365 and on-prem||Scenario
I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use a third-party cloud service to filter spam from the internet. My messages to the internet need to route through Office 365 to protect my on-premises servers' IP addresses from being added to external block lists.
|Send emails from a multifunction printer/scanner/fax/application through Office 365
For details about this scenario, see How to set up a multifunction device or application to send email using Office 365.
All my organization's mailboxes are hosted in Office 365, but I have a multifunction printer, scanner, fax machine, or an application that needs to send email.
|Using Exchange Online Protection (EOP) standalone
For details about this scenario, see Mail Flow in EOP and How connectors work with my on-premises email servers
I have my own email servers (on-premises servers), and I subscribe to EOP for email protection services only.
For information about migrating your email to Microsoft Exchange Online, see Ways to migrate multiple email accounts to Office 365.
Introduction to the basics of Office 365 mail flow
Office 365 uses domains, like contoso.com, to route email messages. When you set up email in Office 365, you typically switch from the default domain that you got when you first signed up for Office 365 (the domain ending with .onmicrosoft.com) to your organization's domain. Domain names, like contoso.com, are managed by using a worldwide system of domain registrars (for example, GoDaddy, HostGator, or Moniker) and databases called the Domain Name System (DNS). DNS provides a mapping between human-readable computer hostnames and the IP addresses used by networking equipment. If you're new to DNS, we recommend that you read DNS basics. The following video provides you with a quick overview of some of the most important concepts about what DNS is and how it works.
Understanding how DNS records control mail flow
In Office 365 mail flow, there are several components of DNS that are particularly important for email authentication and delivery: MX records, SPF, DKIM, and DMARC.
MX (mail exchanger) records provide an easy way for mail servers to know where to send email. You can think of the MX record as a type of postal address. If you want Office 365 to receive all email addressed to firstname.lastname@example.org, the MX record for contoso.com should point to Office 365, and it will look like the following example:
Hostname: contoso-com.mail.protection.outlook.com Priority: 0 TTL: 1 hour
SPF (sender policy framework) is a specially formatted TXT record in DNS. SPF validates that only the organization that owns a domain is actually sending email from that domain. SPF is a security measure that helps makes sure someone doesn't impersonate another organization. This impersonation is often called spoofing. As a domain owner, you can use SPF to publish a list of IP addresses or subnets that are authorized to send email on your organization's behalf. This can be helpful if you want to send email from multiple servers or services with different IP addresses.
You can only have one SPF record per domain. Having multiple SPF records will invalidate all SPF records and cause mail flow problems.
Because most modern email servers look up a domain's SPF record before they accept any email from it, it's important to set up a valid SPF record in DNS when you first set up mail flow. For a quick introduction to SPF and to get it configured quickly, see Set up SPF in Office 365 to help prevent spoofing. For a more in-depth understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing.
DomainKeys Identified Mail (DKIM). lets you attach a digital signature to email messages in the message header of emails you send. Email systems that receive email from your domain use this digital signature to determine if incoming email that they receive is legitimate. For information about DKIM and Office 365, see Use DKIM to validate outbound email sent from your domain in Office 365.
Domain-based Message Authentication, Reporting, and Conformance (DMARC). helps receiving mail systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners. For information on setting up DMARC, see Use DMARC to validate email in Office 365.
Use SPF, DKIM, and DMARC together for the best experience.
How MX records affect spam filtering
For the best mail flow experience (especially for spam filtering) we recommend pointing the MX record for your organization's domain to Office 365. Spam scanning is the initial connection point to the Office 365 service. Who is sending the message, the IP address of the server that originally sent the message, and the behavior of the connecting mail server, all help determine whether a message is legitimate or spam. If your domain's MX record doesn't point to Office 365, the spam filters won't be as effective. If your MX record doesn't point to Office 365, there will be some valid messages that the service misclassifies as spam and some spam messages that the service misclassifies as legitimate email.
With that said, there are legitimate business scenarios that require your domain's MX record to point to somewhere other than Office 365. For example, email destined for your organization might need to initially arrive at another destination (such as a third-party archiving solution), then route through Office 365, and then be delivered to mailboxes on your organization's mail server. This setup might provide the best solution to meet your business requirements.
Whatever your needs, this guide will help you understand how your MX records, SPF, and, potentially, connectors need to be set up.
For more information
The following are additional topics related to mail flow in Exchange Online: