Security Considerations for SMTP Add-on Service Receiving Emails from Exchange Online
Hello everyone,
I'm developing an email processing service for Microsoft 365 / Exchange Online customers. This service acts as an SMTP endpoint that receives all outbound emails from our customers' Exchange Online tenants via Outbound Connectors, processes them, and then relays the messages back to Exchange Online for final delivery.
I found the https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/integrate-office-365-with-an-email-add-on-service page with suggestions.
We're currently evaluating security risks and would like to clarify how much trust can be placed in messages coming from Exchange Online.
Scenario Summary
- Our customers configure an Exchange Online Outbound Connector to route outbound emails to our service.
- We process these emails and then reinject them to Exchange Online, possibly via a smart host or authenticated SMTP relay.
- All emails received by our service originate from Exchange Online IP ranges, and our SMTP service is restricted to accept connections only from those IPs.
Questions
- Can messages from Exchange Online IPs be spoofed? Given that all customers share Exchange Online's IP ranges, can an attacker:
  - Forge the MAIL FROM envelope address?
  - Spoof the From: header field?
  - Impersonate another customer (tenant) using the shared infrastructure?
- What level of trust can we place in the envelope sender (MAIL FROM) and header From address?
- What security signals or headers should we rely on? Are there Exchange Online-specific SMTP headers or identifiers we can use to validate the authenticity and origin of the message? For example:
  - Is the tenant ID or authenticated user available in the headers?
  - Can we reliably identify the sending customer?
- What authentication or validation mechanisms are recommended? What are Microsoft's best practices for:
  - Validating tenant identity for messages received via connector?
  - Preventing cross-tenant spoofing, especially when IPs are shared?
  - Verifying message integrity (e.g., should we re-verify DKIM, SPF?)
  - Any other Microsoft-recommended protections?
Thanks in advance to anyone from the Microsoft team or the community who can provide insights or suggestions!
- OleksiiD (Copper Contributor)
Here is what Microsoft EO security team answered:
Spoofing Possibility
Messages coming from Exchange Online IP addresses can potentially be spoofed. Since Exchange Online uses shared IP ranges for all tenants, it is possible for one tenant (or an attacker) to send emails that spoof another tenant's MAIL FROM or From header.
Measures to Prevent Spoofing
Microsoft suggests several measures to prevent spoofing:
- Email Authentication: Implement SPF, DKIM, and DMARC records for your domains. These records help destination email systems verify the validity of messages claiming to be from your domains.
- Enhanced Filtering for Connectors: Enable Enhanced Filtering for Connectors or bypass filtering completely using a mail flow rule. This helps prevent misclassification of inbound mail and ensures a better experience for Microsoft 365 email and protection features.
- Spoof Intelligence Insight: Use the spoof intelligence insight feature in Exchange Online Protection (EOP) to review detected spoofed messages from senders in internal and external domains. You can manually create allow or block entries for spoofed senders.
- Anti-phishing Policies: Configure anti-phishing policies in EOP and Microsoft Defender for Office 365 to include anti-spoofing settings.
Trust in Envelope Sender and From Address
The third-party service can place limited trust in the envelope sender and the From address. Exchange Online Protection (EOP) validates the From address to prevent phishing by requiring inbound messages to include an RFC-compliant From address. However, the third-party service should also implement its own email authentication checks and monitor for spoofed messages.
Summary
- Spoofing is possible due to shared IP ranges in Exchange Online.
- Preventive measures include email authentication (SPF, DKIM, DMARC), Enhanced Filtering for Connectors, spoof intelligence insight, and anti-phishing policies.
- Trust in sender information should be limited and supplemented with additional checks by the third-party service.
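The reply above says the add-on service should put only limited trust in MAIL FROM and the From header and run its own checks; the original question asks how to tie a message to the sending customer when every tenant arrives from the same Exchange Online IP ranges. The following is an added example of such a check, written for this page; it is not code from the original poster, from Microsoft, or from any product. It assumes (hypothetically) that the service identifies the tenant by a per-tenant credential or connector it issued itself (`claimed_tenant`), keeps a registry of which domains each customer has proven ownership of (`CUSTOMER_DOMAINS`, constructed sample data), and verifies DKIM signatures cryptographically elsewhere with a library such as dkimpy. What is shown here is the identifier-alignment and ownership logic: header From must be well-formed and registered to the claimed tenant, MAIL FROM must align with From (DMARC-style relaxed alignment), and if a DKIM-Signature is present its `d=` must align with From. A null reverse-path (`<>`, a bounce) is accepted without envelope alignment, since there is no envelope domain to compare. The organizational-domain fold is a crude two-label version, also an assumption; a deployment would use the Public Suffix List.

```python
"""Added example: sender-identity checks an SMTP add-on service can run on mail
it receives from Exchange Online through an Outbound Connector. Stdlib only.
The DKIM signature is NOT cryptographically verified here (assumption: that is
done separately, e.g. with dkimpy); this block checks identifier alignment and
whether the claimed domains belong to the tenant the service thinks is sending.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed sample registry: domains each customer has proven it owns when
# onboarding to the add-on service. Hypothetical data, not from the post.
CUSTOMER_DOMAINS = {
    "contoso-tenant": {"contoso.com", "mail.contoso.com"},
    "fabrikam-tenant": {"fabrikam.com"},
}


@dataclass
class Verdict:
    accepted: bool
    tenant: Optional[str]
    reasons: List[str] = field(default_factory=list)


def domain_of(addr: str) -> str:
    """Lower-cased domain of 'Name <user@host>' / 'user@host'; '' if none ('<>')."""
    _, email_addr = parseaddr(addr)
    if "@" not in email_addr:
        return ""
    return email_addr.rsplit("@", 1)[1].lower()


def org_domain(domain: str) -> str:
    """Crude organizational-domain fold (last two labels). Assumption for the
    example; a real deployment would consult the Public Suffix List."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def aligned(a: str, b: str) -> bool:
    """DMARC-style relaxed alignment: both present and same organizational domain."""
    return bool(a) and bool(b) and org_domain(a) == org_domain(b)


def dkim_signing_domain(msg) -> str:
    """Return the d= tag of the DKIM-Signature header, or '' if absent."""
    sig = msg.get("DKIM-Signature", "")
    for tag in sig.replace("\r\n", "").replace("\n", "").split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "d":
            return value.strip().lower()
    return ""


def tenant_for(domain: str) -> Optional[str]:
    """Which registered customer owns this exact domain, if any."""
    for tenant, domains in CUSTOMER_DOMAINS.items():
        if domain in domains:
            return tenant
    return None


def check_message(mail_from: str, raw: str, claimed_tenant: str) -> Verdict:
    """claimed_tenant: the customer the service believes is sending, taken from
    the per-tenant credential/connector it issued (assumption), never from the
    shared Exchange Online source IP."""
    msg = message_from_string(raw)
    env_dom = domain_of(mail_from)
    hdr_dom = domain_of(msg.get("From", ""))
    dkim_dom = dkim_signing_domain(msg)
    verdict = Verdict(accepted=True, tenant=claimed_tenant)

    # 1. Header From must carry a usable domain.
    if not hdr_dom:
        verdict.reasons.append("missing or malformed From: header")
    # 2. Header From domain must be one the claimed tenant registered.
    if tenant_for(hdr_dom) != claimed_tenant:
        verdict.reasons.append(
            f"From: domain {hdr_dom!r} not registered to {claimed_tenant}")
    # 3. Envelope sender must align with header From; a null reverse-path
    #    (bounce) has no envelope domain, so alignment is skipped for it.
    if env_dom and not aligned(env_dom, hdr_dom):
        verdict.reasons.append(
            f"MAIL FROM {env_dom!r} not aligned with From: {hdr_dom!r}")
    # 4. If a DKIM signature is present, its signing domain must align too.
    if dkim_dom and not aligned(dkim_dom, hdr_dom):
        verdict.reasons.append(
            f"DKIM d={dkim_dom!r} not aligned with From: {hdr_dom!r}")

    verdict.accepted = not verdict.reasons
    return verdict


# Constructed sample messages (not real traffic). DKIM bh=/b= values are filler.
LEGIT = (
    "From: Alice <alice@mail.contoso.com>\r\nTo: bob@example.net\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=contoso.com; s=selector1;\r\n"
    " h=from:to:subject; bh=Zm9v; b=YmFy\r\nSubject: invoice\r\n\r\nhello\r\n")
SPOOF = (  # contoso-tenant credential, but claims to be Fabrikam's CEO
    "From: CEO <ceo@fabrikam.com>\r\nTo: cfo@fabrikam.com\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=contoso.com; s=selector1;\r\n"
    " h=from:to; bh=Zm9v; b=YmFy\r\nSubject: urgent wire\r\n\r\npay now\r\n")
BOUNCE = "From: postmaster@contoso.com\r\nSubject: Undeliverable\r\n\r\nNDR\r\n"

if __name__ == "__main__":
    for mf, raw, tenant in [("alice@contoso.com", LEGIT, "contoso-tenant"),
                            ("alice@contoso.com", SPOOF, "contoso-tenant"),
                            ("<>", BOUNCE, "contoso-tenant")]:
        print(check_message(mf, raw, tenant))
```

The spoofed message fails three ways at once (From domain not owned by the authenticated tenant, envelope/header misalignment, DKIM d= misalignment), which is the point: none of these signals depends on the source IP, so they keep working even though every tenant arrives from the same Exchange Online ranges.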
- randieriko (Copper Contributor)
First of all, why would you reroute outbound email back to the tenant?
- OleksiiD (Copper Contributor)
For final delivery. It is what MS suggested in the article (see the link in the original post). It can be Mimecast or something else. It does not matter, I think. My concerns are related to emails coming from EO to my service.