Manage mail flow using a third-party cloud service with Exchange Online

This topic covers the following complex mail flow scenarios using Exchange Online:

Scenario 1 - MX record points to third-party spam filtering

Scenario 2 - MX record points to third-party solution without spam filtering

Note

Examples in this topic use the fictitious organization, Contoso, which owns the domain contoso.com. The IP address of the Contoso mail server is 131.107.21.231, and its third-party provider uses 10.10.10.1 for their IP address. These are just examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where necessary.

Using a third-party cloud service with Office 365

Scenario 1 - MX record points to third-party spam filtering

I plan to use Exchange Online to host all my organization's mailboxes. My organization uses a third-party cloud service for spam, malware, and phish filtering. All email from the internet must first be filtered by this third-party cloud service before being routed to Office 365.

For this scenario, your organization's mail flow setup looks like the following diagram:

Mail flow diagram showing inbound email from the internet to a third-party filtering service to Office 365 and outbound mail from Office 365 to the internet.

Best practices for using a third-party cloud filtering service with Office 365

  1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add users and domains.

  2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.

  3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the instructions on this page.) The following DNS records control mail flow:

    • MX record: Your domain's MX record must point to your third-party service provider. Follow their guidelines for how to configure your MX record.

    • SPF record: All mail sent from your domain to the internet originates in Office 365, so your SPF record requires the standard value for Office 365:

      v=spf1 include:spf.protection.outlook.com -all
      

      You would only need to include the third-party service in your SPF record if your organization sends outbound internet email through the service (where the third-party service would be a source for email from your domain).
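
The SPF guidance above can be checked against the TXT value you actually published. The following Python sketch is an added example, not part of the original topic or any Microsoft tool: the function audit_spf and its parameters are hypothetical, the sample records are constructed, and ip4:10.10.10.1 reuses this topic's example third-party address.

```python
# Added example: audit an SPF TXT value against the Scenario 1 guidance.
# audit_spf and its parameters are hypothetical names; sample records are constructed.

O365_INCLUDE = "include:spf.protection.outlook.com"  # standard value given in this topic


def audit_spf(txt, third_party=(), outbound_via_third_party=False):
    """Return a list of findings; an empty list means the record matches the guidance.

    third_party: SPF mechanisms that identify the third-party service.
    outbound_via_third_party: True only if the service also relays your outbound mail.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    mechs = [t.lower() for t in terms[1:]]
    third_party = [m.lower() for m in third_party]
    findings = []
    if O365_INCLUDE not in mechs:
        findings.append(f"missing {O365_INCLUDE}")
    if not mechs or mechs[-1] != "-all":
        findings.append("record does not end with -all")
    for m in third_party:
        if outbound_via_third_party and m not in mechs:
            findings.append(f"outbound mail relays through the service but {m} is missing")
        if not outbound_via_third_party and m in mechs:
            findings.append(f"{m} authorizes the service although it sends no outbound mail")
    # Anything else in the record authorizes a sender the scenario does not describe.
    allowed = {O365_INCLUDE, *third_party}
    for m in mechs:
        if m not in allowed and m.lstrip("+-~?") != "all":
            findings.append(f"unexpected sender mechanism: {m}")
    return findings


if __name__ == "__main__":
    service = ("ip4:10.10.10.1",)  # this topic's example third-party address
    samples = [  # constructed records
        ("v=spf1 include:spf.protection.outlook.com -all", False),
        ("v=spf1 include:spf.protection.outlook.com ip4:10.10.10.1 -all", False),
        ("v=spf1 include:spf.protection.outlook.com ~all", False),
        ("v=spf1 ip4:10.10.10.1 -all", True),
    ]
    for record, outbound in samples:
        print(record, "->", audit_spf(record, service, outbound) or "OK")
```
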

Scenario 2 (unsupported) - MX record points to third-party solution without spam filtering

I plan to use Exchange Online to host all my organization's mailboxes. All email that's sent to my domain from the internet must first flow through a third-party archiving or auditing service before arriving in Exchange Online. All outbound email that's sent from my Exchange Online organization to the internet must also flow through the service. However, the service doesn't provide a spam filtering solution.

We don't recommend or support this scenario because the inbound mail flow through the service causes Office 365 spam and phish filtering to not work properly (mail from all internet senders appears to originate from the third-party service, not the true email source on the internet). If you choose this scenario, your organization's mail flow setup looks like the following diagram:

Mail flow diagram showing inbound mail from the internet to a third-party solution to Office 365 and outbound mail from Office 365 to the third-party solution to the internet.

Best practices for using a third-party cloud service with Office 365

Don't use this scenario because it isn't currently supported. We recommend that you use the archiving and auditing solutions that are provided by Office 365.

See also

Mail flow best practices for Exchange Online and Office 365 (overview)

Set up connectors for secure mail flow with a partner organization

Manage all mailboxes and mail flow using Office 365

Manage mail flow with mailboxes in multiple locations (Office 365 and on-premises Exchange)

Manage mail flow using a third-party cloud service with Exchange Online and on-premises mailboxes

Troubleshoot Office 365 mail flow

Test mail flow by validating your Office 365 connectors