jreinhardtproarch
"@Carolyn_Liu, on certificate option 1a, will subdomains be accepted as a pass on the requirement? For example, if the certificate is webmail.domain.com and the EHLO string is webmail.domain.com but the accepted domain in Exchange Online is only domain.com, will it pass? Or will it be necessary perhaps to add the subdomain as an explicit subdomain (something easily done, I believe, as long as the top-level domain is already validated in the tenant)?"
Answer:
The safest way is to add the subdomain to the accepted domain. Alternatively, in the connector, you can use *.domain.com as the certificate domain, but you have to ensure that your organization does not use other subdomains in a different certificate that is used elsewhere. For example, some customers configure their mails to the internet (which happen to be hosted in O365) via certificate domain internet.domain.com, and use o365.domain.com as the cert for their own tenant mail flow to O365. If they use *.domain.com in their inbound connector, the mails to other tenants (intended for internet mails) will match their inbound connector, which is unintended.
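The wildcard overlap described in the answer can be checked before changing a connector. The following is an added example, not part of the original thread and not Microsoft code: the function names and the flow inventory are hypothetical, and it assumes a connector certificate domain of `*.domain.com` matches any certificate name under domain.com while an exact name matches only itself.

```python
# Added example: audit a proposed inbound-connector certificate domain against
# the certificate names an organization presents on its outbound mail flows.
# Assumption (simplified model): "*.domain.com" matches every name ending in
# ".domain.com"; a non-wildcard value matches only the identical name.

def connector_matches(connector_domain: str, cert_name: str) -> bool:
    pattern = connector_domain.strip().lower().rstrip(".")
    name = cert_name.strip().lower().rstrip(".")
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])  # pattern[1:] is ".domain.com"
    return name == pattern

def audit_connector(connector_domain, flows):
    """Return (flow name, cert name, verdict) for each mail flow.

    flows: dicts with 'name', 'cert' and 'for_own_tenant' (True when the flow
    is meant to be attributed to the organization's own tenant).
    """
    findings = []
    for flow in flows:
        matched = connector_matches(connector_domain, flow["cert"])
        if matched and not flow["for_own_tenant"]:
            verdict = "UNINTENDED MATCH"   # mail for other tenants hits the connector
        elif not matched and flow["for_own_tenant"]:
            verdict = "MISSED"             # own-tenant mail would not hit the connector
        else:
            verdict = "ok"
        findings.append((flow["name"], flow["cert"], verdict))
    return findings

# Constructed inventory, taken from the two flows named in the answer.
FLOWS = [
    {"name": "internet mail", "cert": "internet.domain.com", "for_own_tenant": False},
    {"name": "own tenant mail flow", "cert": "o365.domain.com", "for_own_tenant": True},
]

if __name__ == "__main__":
    for candidate in ("*.domain.com", "o365.domain.com"):
        print(f"connector certificate domain: {candidate}")
        for name, cert, verdict in audit_connector(candidate, FLOWS):
            print(f"  {name:22} {cert:22} {verdict}")
```

Any flow reported as `UNINTENDED MATCH` is a reason to use the exact certificate name in the connector, or to add the subdomain as an accepted domain, instead of the wildcard.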