Manage mail flow using a third-party cloud service with Exchange Online
This topic covers the following complex mail flow scenarios using Exchange Online:
Examples in this topic use the fictitious organization, Contoso, which owns the domain contoso.com. The IP address of the Contoso mail server is 18.104.22.168, and its third-party provider uses 10.10.10.1 for their IP address. These are just examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where necessary.
Using a third-party cloud service with Office 365
Scenario 1 - MX record points to third-party spam filtering
I plan to use Exchange Online to host all my organization's mailboxes. My organization uses a third-party cloud service for spam, malware, and phish filtering. All email from the internet must first be filtered by this third-party cloud service before being routed to Office 365.
For this scenario, your organization's mail flow setup looks like the following diagram:
Best practices for using a third-party cloud filtering service with Office 365
Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add users and domains.
Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the instructions on this page.) The following DNS records control mail flow:
MX record: Your domain's MX record must point to your third-party service provider. Follow their guidelines for how to configure your MX record.
SPF record: All mail sent from your domain to the internet originates in Office 365, so your SPF record requires the standard value for Office 365:
v=spf1 include:spf.protection.outlook.com -all
You would only need to include the third-party service in your SPF record if your organization sends outbound internet email through the service (where the third-party service would be a source for email from your domain).
When you're configuring this scenario, the "host" that you need to configure to receive email from the third-party service is specified in the MX Record. For example:
In this example, the host name for the Office 365 host should be hubstream-mx.mail.protection.outlook.com. This value can vary from domain to domain, so check your value at Configuration > Domain > <select domain> to confirm your actual value.
Since the anti-spam service is external, you need to create a mail flow rule (also known as a transport rule) in the Exchange admin center (EAC) at Exchange admin > Mail flow > Rules to prevent a double anti-spam check, which would result in the followin rejection of the messages:
Scenario 2 (unsupported) - MX record points to third-party solution without spam filtering
I plan to use Exchange Online to host all my organization's mailboxes. All email that's sent to my domain from the internet must first flow through a third-party archiving or auditing service before arriving in Exchange Online. All outbound email that's sent from my Exchange Online organization to the internet must also flow through the service. However, the service doesn't provide a spam filtering solution.
We don't recommend or support this scenario because the inbound mail flow through the service causes Office 365 spam and phish filtering to not work properly (mail from all internet senders appears to originate from the third-party service, not the true email source on the internet). If you choose this scenario, your organization's mail flow setup looks like the following diagram:
Best practices for using a third-party cloud service with Office 365
Don't use this scenario because it isn't currently supported. We recommend that you use the archiving and auditing solutions that are provided by Office 365.