Manage mail flow in Exchange Online deployments

Managing mail flow for Exchange Online is the easiest way of configuring mail flow because it’s all configured by default and managed by Microsoft. As such, mail flow in Exchange Online is considered a “black box” because mail flow is handled internally within Exchange Online with no assistance from Exchange Administrators. While administrators can create other connectors to improve the organization's mail flow, they have no other impact on the mail flow process.

Because mail flow in Exchange Online is designed for ease of use, the only requirements an organization must configure in an Exchange Online deployment are:

  • The organization's DNS MX record must point inbound to Exchange Online.
  • Internet SMTP email must be sent out directly from Exchange Online Protection to the recipient’s mail server.

[Figure: mail flow to Exchange Online from the internet, with MX and SPF records for contoso.com]

Manage mail flow in Exchange Online

Managing the mail flow for Exchange Online includes the creation of connectors, accepted domains, and optional mail flow rules. These features can be created in the Exchange Admin Center and with Exchange Online PowerShell.

There are also several features to configure in the Microsoft Defender portal that control data loss prevention filtering for email flowing through your organization, along with anti-spam, anti-spoofing, and anti-malware settings.

Further reading. For more information, see Mail flow best practices for Exchange Online and Office 365 (overview).

Manage connectors in Exchange Online

Exchange Online was developed so that mail flow is configured automatically for the most common scenarios. However, there may be scenarios where you need to create a connector. The following table provides an overview of these scenarios.

Scenario: You have a standalone EOP subscription.
Description: You have your own on-premises email servers, and you subscribe to EOP only for email protection services for your on-premises mailboxes (you have no mailboxes in Exchange Online).
Connector required? Yes
Connector settings:
  Connector for incoming email:
  • From: Your on-premises email server
  • To: Office 365
  Connector for outgoing email:
  • From: Office 365
  • To: Your on-premises mail server

Scenario: Some of your mailboxes are on your on-premises email servers, and some are in Exchange Online.
Description: Before you manually configure connectors, check whether an Exchange hybrid deployment better meets your business needs.
Connector required? Yes
Connector settings:
  Connector for incoming email:
  • From: Your on-premises email server
  • To: Office 365
  Connector for outgoing email:
  • From: Office 365
  • To: Your on-premises email server

Scenario: All of your mailboxes are in Exchange Online, but you need to send email from sources in your on-premises organization.
Description: You don't have your own email servers, but you need to send email from non-mailboxes: printers, fax machines, apps, or other devices.
Connector required? Optional
Connector settings:
  Only one connector for incoming email:
  • From: Your organization's email server
  • To: Office 365

Scenario: You frequently exchange sensitive information with business partners, and you want to apply security restrictions.
Description: You want to use Transport Layer Security (TLS) to encrypt sensitive information or you want to limit the source (IP addresses) for email from the partner domain.
Connector required? Optional
Connector settings:
  Connector for incoming email:
  • From: Partner organization
  • To: Office 365
  Connector for outgoing email:
  • From: Office 365
  • To: Partner organization
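
One way to build the partner scenario from the table in Exchange Online PowerShell, as an added example that is not part of the original module. The partner domain, certificate name, IP range, connector names, and admin account are constructed placeholders; this sketch applies both the TLS requirement and the source-IP restriction.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: partner connectors with enforced TLS and a source-IP allowlist.
# Every name, domain and address below is a constructed placeholder.
$ErrorActionPreference = 'Stop'

$PartnerDomain   = 'partner.example'        # hypothetical partner mail domain
$PartnerCertName = 'mail.partner.example'   # name expected on the partner's TLS certificate
$PartnerSources  = @('203.0.113.0/24')      # documentation range standing in for the partner's sending IPs

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# Incoming (From: Partner organization, To: Office 365).
# Mail from the partner domain is accepted only over TLS and only
# when it arrives from one of the listed source addresses.
$inbound = @{
    Name                         = 'Partner inbound - TLS and IP restricted'
    ConnectorType                = 'Partner'
    SenderDomains                = $PartnerDomain
    RequireTls                   = $true
    RestrictDomainsToIPAddresses = $true
    SenderIPAddresses            = $PartnerSources
    Enabled                      = $true
}
New-InboundConnector @inbound

# Outgoing (From: Office 365, To: Partner organization).
# DomainValidation requires a trusted certificate whose name matches
# TlsDomain; delivery fails if TLS cannot be negotiated on those terms.
$outbound = @{
    Name             = 'Partner outbound - TLS enforced'
    ConnectorType    = 'Partner'
    RecipientDomains = $PartnerDomain
    UseMXRecord      = $true
    TlsSettings      = 'DomainValidation'
    TlsDomain        = $PartnerCertName
    Enabled          = $true
}
New-OutboundConnector @outbound

# Read the settings back so the restrictions can be reviewed before relying on them.
Get-InboundConnector -Identity $inbound.Name |
    Format-List Name, ConnectorType, SenderDomains, RequireTls, RestrictDomainsToIPAddresses, SenderIPAddresses
Get-OutboundConnector -Identity $outbound.Name |
    Format-List Name, ConnectorType, RecipientDomains, UseMXRecord, TlsSettings, TlsDomain

Disconnect-ExchangeOnline -Confirm:$false
```

With `RequireTls` and `RestrictDomainsToIPAddresses` set, partner-domain mail that arrives without TLS or from an unlisted address is rejected, so confirm the partner's sending addresses with them before enabling the connector.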

Knowledge check

Choose the best response for the following question. Then select Check your answers.

1. As the Messaging Administrator for Contoso, Holly Dickson is configuring the company's Exchange Online deployment. Holly has configured Internet SMTP email to be sent out directly from Exchange Online Protection to the recipient’s mail server. What other configuration must Holly complete in Contoso's Exchange Online deployment?