Manage mail flow using a third-party cloud service with Exchange Online and on-premises mailboxes
This topic covers the most complex mail flow scenario using Office 365.
Examples in this guide use the fictitious organization, Contoso, which owns the domain contoso.com. The IP address of the Contoso mail server is 188.8.131.52, and its third-party provider uses 10.10.10.1 for their IP address. These are just examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where necessary.
Using a third-party cloud service with mailboxes in Exchange Online and on my organization's email servers
- I'm migrating my mailboxes to Exchange Online, and I want to keep some mailboxes on my organization's on-premises email server. I want to use a third-party cloud service to filter spam from the internet. My messages to the internet must route through Office 365 to prevent my on-premises servers' IP addresses from being added to external block lists.
In this scenario, your organization's mail flow setup looks like the following diagram.
Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add users and domains.
Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the instructions on this page.) The following DNS records control mail flow:
MX record: Point your MX record to your third-party service. Follow their guidelines for configuring your MX record.
SPF record: Because your domain's MX record must point to a third-party service (in other words, you require complex routing), include the third-party service in your SPF record. Follow the third-party provider's guidelines for adding them to your SPF record. Also add Office 365 and the IP addresses of your on-premises servers as valid senders. For example, if contoso.com is your domain name, the third-party cloud service IP address is 10.10.10.1, and your on-premises server IP address is 184.108.40.206, the SPF record for contoso.com should be:
v=spf1 ip4:10.10.10.1 ip4:220.127.116.11 include:spf.protection.outlook.com -all
Alternatively, depending on the third-party's requirements, you might need to include the domain from the third-party, as shown in the following example:
v=spf1 ip4:18.104.22.168 include:spf.protection.outlook.com include:third_party_cloud_service.com -all
There are additional considerations in hybrid deployments between on-premise Exchange and Office 365. For more information, see Exchange Server hybrid deployments.