Manage mail flow using a third-party cloud service with Exchange Online and on-premises mailboxes

This topic covers the most complex mail flow scenario using Office 365.


Examples in this guide use the fictitious organization, Contoso, which owns the domain The IP address of the Contoso mail server is, and its third-party provider uses for their IP address. These are just examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where necessary.

Using a third-party cloud service with mailboxes in Exchange Online and on my organization's email servers


  • I'm migrating my mailboxes to Exchange Online, and I want to keep some mailboxes on my organization's on-premises email server. I want to use a third-party cloud service to filter spam from the internet. My messages to the internet must route through Office 365 to prevent my on-premises servers' IP addresses from being added to external block lists.

In this scenario, your organization's mail flow setup looks like the following diagram.

Mail flow diagram showing mail from the internet going to a third-party service then to Office 365 and then to on-premises servers. Mail from on-premises servers goes to Office 365 then to the internet (bypassing the third-party service).

Best practices

  1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add users and domains.

  2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.

  3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the instructions on this page.) The following DNS records control mail flow:

    • MX record: Point your MX record to your third-party service. Follow their guidelines for configuring your MX record.

    • SPF record: Because your domain's MX record must point to a third-party service (in other words, you require complex routing), include the third-party service in your SPF record. Follow the third-party provider's guidelines for adding them to your SPF record. Also add Office 365 and the IP addresses of your on-premises servers as valid senders. For example, if is your domain name, the third-party cloud service IP address is, and your on-premises server IP address is, the SPF record for should be:

    v=spf1 ip4: ip4: -all

    Alternatively, depending on the third-party's requirements, you might need to include the domain from the third-party, as shown in the following example:

    v=spf1 ip4: -all
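The SPF requirements in step 3, as an added example that is not part of the original page: an offline checker that parses an SPF TXT value and reports which of the three senders in this mail flow (third-party service, Office 365, on-premises server) it fails to authorize. The IP addresses and the provider domain `spf.filter.example` are constructed placeholders. `spf.protection.outlook.com` is Office 365's published SPF include, and the 10-lookup check comes from RFC 7208.

```python
import ipaddress
import re

# Constructed sample values (documentation address ranges, not from the page).
ONPREM_IP = "192.0.2.10"                     # on-premises server public IP
THIRD_PARTY_IP = "203.0.113.25"              # third-party filtering service IP
THIRD_PARTY_INCLUDE = "spf.filter.example"   # hypothetical provider SPF domain
O365_INCLUDE = "spf.protection.outlook.com"  # Office 365 SPF include

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Return [(qualifier, mechanism, value)] for an SPF TXT string."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for part in parts[1:]:
        m = re.match(r"([+\-~?]?)([A-Za-z0-9]+)(.*)$", part)
        if not m:
            raise ValueError(f"unparseable term: {part}")
        qual, mech, rest = m.groups()
        terms.append((qual or "+", mech.lower(), rest.lstrip(":=").lower()))
    return terms

def audit_spf(record, onprem_ip, third_party_ip=None, third_party_include=None):
    """List the senders from this mail flow that the record fails to authorize."""
    terms = parse_spf(record)
    includes = {v for q, m, v in terms if q == "+" and m == "include"}
    nets = [ipaddress.ip_network(v, strict=False)
            for q, m, v in terms if q == "+" and m == "ip4"]

    def covered(ip):
        return any(ipaddress.ip_address(ip) in net for net in nets)

    findings = []
    if O365_INCLUDE not in includes:
        findings.append("Office 365 not authorized")
    if not covered(onprem_ip):
        findings.append("on-premises IP not authorized")
    if not ((third_party_include and third_party_include in includes)
            or (third_party_ip and covered(third_party_ip))):
        findings.append("third-party service not authorized")
    if not terms or terms[-1][:2] != ("-", "all"):
        findings.append("record does not end in -all")
    if sum(m in LOOKUP_TERMS for _, m, _ in terms) > 10:
        findings.append("more than 10 DNS-lookup terms")
    return findings
```

An empty list from `audit_spf` means the record authorizes all three senders and ends in a hard fail. An `ip4:` term with no address raises `ValueError`.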

More information

There are additional considerations in hybrid deployments between on-premises Exchange and Office 365. For more information, see Exchange Server hybrid deployments.

See also

Mail flow best practices for Exchange Online and Office 365 (overview)

Manage all mailboxes and mail flow using Office 365

Manage mail flow using a third-party cloud service with Office 365

Manage mail flow with mailboxes in multiple locations (Office 365 and on-prem)

Troubleshoot Office 365 mail flow

Test mail flow by validating your Office 365 connectors