Mail flow in Exchange Online Protection

For most organizations that use Microsoft, we host your mailboxes and take care of mail flow. It's the simplest configuration and means that Microsoft manages all mailboxes and filtering. However, some organizations have a business need to keep all their mailboxes on premises. Exchange Online Protection (EOP) lets you do that and provides antivirus and anti-spam mail processing in the cloud. For more information and to purchase EOP, go to Exchange Online Protection.

Looking for information about domain management or Directory Based Edge Blocking (DBEB)? See Recipient, domain, and company management. To learn more about all EOP features, see the Exchange Online Protection service description.

Routing email between Microsoft and your own email servers

You can configure a connector to enable mail flow between Microsoft (including Exchange Online or EOP) and an SMTP-based email server such as Exchange. For details about this, see Do I need a connector? And Set up connectors to route mail between Microsoft and your own email servers.

Secure messaging with a trusted partner

As an EOP customer, you can set up secure mail flow with a trusted partner by using Microsoft connectors. Microsoft supports secure communication through Transport Layer Security (TLS), and you can create a connector to enforce encryption via TLS. TLS is a cryptographic protocol that provides security for communications over the internet. By using connectors, you can configure both forced incoming and outgoing TLS using self-signed or certification authority (CA)-validated certificates. You can also apply other security restrictions, such as specifying domain names or IP address ranges from which your partner organization sends mail.

For more information, see Set up connectors for secure mail flow with a partner organization.

Safe listing a partner's IP address

You can add a trusted partner's IP address to a safe list to ensure that messages they send to you are not subject to spam filtering. To do this, you can use the connection filter's IP Allow list. For more information, see Configure the connection filter policy.

Conditional mail routing

You can configure a connector with a Transport rule that routes mail to a specific site, based on conditions. For more information, see Scenario: Conditional email routing.

Hybrid mail routing

Hybrid means that you host a portion of your mailboxes on premises, and a portion in the cloud (Exchange Online). You can move from a standalone (on-premises) deployment to a hybrid deployment.

If you have a hybrid deployment, you can protect your cloud and on-premises mailboxes with EOP. Standalone licenses are required for on-premises mailboxes, when they are protected by EOP. For more information about mail routing in a hybrid deployment, see Transport routing in Exchange hybrid deployments.

The Microsoft Exchange Server Deployment Assistant also provides detailed hybrid deployment provisioning and hybrid message transport guidance.

Feature availability

To view feature availability across plans, standalone options, and on-premises solutions, see Exchange Online Protection service description.