__trj It took me a while to understand why the first action to take is the certificate thing. I still had to read again after Carolyn_Liu answered. I see now though and it's easy now that it clicked...
Original requirements' 1.c is going away. Original requirements' 1.a and 1.b will stay. If you were previously satisfying via requirement 1.c (P2 sender is an Accepted Domain), you will now need to satisfy via 1.a (certificate domain(s) include(s) one (or more) of your Accepted Domains) or 1.b (P1 sender is an Accepted Domain). Imagine you have a website that is sending emails for you like this:
P1 Sender (a.k.a., SMTP MailFrom / Envelope From): email address removed for privacy reasons
P2 Sender (a.k.a., Header From): email address removed for privacy reasons
In this case, you need to be able to either override your web site's SMTP application so that the P1 sender uses one of your Accepted Domains (e.g., email address removed for privacy reasons, or email address removed for privacy reasons), or you can ensure the website's SMTP application is presenting a certificate that contains one of your Accepted Domains. For the latter, I imagine a scenario could be that the website can present a certificate with a dedicated domain in it, and that domain would be added to EXO as an Accepted Domain just for this purpose.
I'm thinking if there is an on-premises Exchange server, it's WAY easier to deal with updating its cert(s) for SMTP and have SMTP relay clients go through it, then have it send to EXO. The various SMTP relay clients likely need to each be tracked down and (if possible) be updated to use the necessary P1 Sender domain. What I imagine is the heaviest hitter worldwide for EXO SMTP relay consumption is Exch. server on-premises relaying various other apps'/systems' mail to EXO, to be delivered or relayed on from there. Also, Exchange admins (readers here) will be the ones managing the Exchange servers, while various apps would be the responsibility of their owners to make any changes. So the #1 action to take seems like the good candidate for the #1 spot. It could stand to be clarified to say "and you're unable to ensure the P1 sender domain, then <yada yada yada>..."
The change is good if you ask me, as it ensures an SPF pass on every relayed email, assuming all relaying-via-EXO customers have O365 in their SPF.
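An added example, not part of the comment above and not Microsoft's matching logic: a small audit that takes an inventory of relay clients and reports which ones satisfy only the retiring 1.c condition. The domains, client names and the exact-match comparison are assumptions made for illustration.

```python
# Added example, not Microsoft's matching logic. Assumption: exact,
# case-insensitive domain comparison; wildcard/subdomain rules are not modelled.
ACCEPTED_DOMAINS = {"contoso.example", "relay.contoso.example"}  # constructed

# Constructed inventory: P1 (envelope) sender, P2 (header) sender, and the
# domains in the TLS certificate each relay client presents (empty if none).
RELAY_CLIENTS = [
    {"name": "webshop", "p1": "bounce@hosting.example",
     "p2": "orders@contoso.example", "cert_domains": []},
    {"name": "scanner", "p1": "scan@contoso.example",
     "p2": "scan@contoso.example", "cert_domains": []},
    {"name": "onprem-exchange", "p1": "alerts@vendor.example",
     "p2": "alerts@vendor.example", "cert_domains": ["Relay.Contoso.Example"]},
    {"name": "legacy-app", "p1": "<>",
     "p2": "noreply@other.example", "cert_domains": ["app.other.example"]},
]


def domain_of(address):
    """Domain part of an address; a null sender ('<>') yields no domain."""
    local, at, domain = address.strip("<> ").rpartition("@")
    return domain.lower() if at else ""


def matched_rules(client, accepted):
    """Return which of 1.a / 1.b / 1.c this client satisfies."""
    accepted = {d.lower() for d in accepted}
    rules = []
    if any(d.lower() in accepted for d in client["cert_domains"]):
        rules.append("1.a")
    if domain_of(client["p1"]) in accepted:
        rules.append("1.b")
    if domain_of(client["p2"]) in accepted:
        rules.append("1.c")
    return rules


def audit(clients, accepted):
    """Map client name -> 'ok', 'breaks' (1.c only) or 'unmatched'."""
    report = {}
    for c in clients:
        rules = matched_rules(c, accepted)
        if "1.a" in rules or "1.b" in rules:
            report[c["name"]] = "ok"
        else:
            report[c["name"]] = "breaks" if rules == ["1.c"] else "unmatched"
    return report


if __name__ == "__main__":
    for name, status in audit(RELAY_CLIENTS, ACCEPTED_DOMAINS).items():
        print(f"{name:16} {status}")
```

Clients reported as `breaks` are the ones that need either a P1 sender change or a certificate carrying an Accepted Domain before 1.c goes away.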