Would an internal relay domain work without Active Directory trust

Copper Contributor


I manage an Exchange environment and we are merging with a new company. The requirement is for a new domain to be setup and hosted by ourselves. All users will have this domain but a handful of users will have their mailboxes hosted on the other organizations mail server with a different primary domain. For these users we will be forwarding their email over to the other server. They will then need to be able to reply as our domain name (we will work on all required DNS records to get this part working).

Question is the best way to forward those emails across to the other mail server and meet all 3rd party email DNS checks etc. Testing forwarding from our external mail gateway and also Exchange server.

When adding an accepted domain I can make it an internal relay as not all recipients exist in my org. Would this scenario work without an Active Directory trust between the two orgs? Would the send connector for that domain happily route over the internet to the other orgs mail server or does it need to be private.


3 Replies
You can achieve this by setting up contacts in the source domain with a targetaddress attribute of the target primary SMTP address, or you can do it by configuring the domains as internal relay. I'd recommend dedicated send/receive connectors as you can customise the delivery and look of the messages a bit more, and you will have to have one if you go down the internal relay domain path otherwise you'll get stuck in a mail loop as the MX record will point to the target Exchange organisation. Generally when we see organisations do this they are pretty quick to get the networks linked, so once that's done you can configure the connectors to route traffic that way. As you say SPF/DMARC have to be correct, be careful if you are using DKIM, and make sure whatever message hygiene service you are using is configured appropriately as well.

@Dan Snape 

Thanks Dan. Without that link in place would the connectors in theory work ok over the internet? Once we plug the two together we can then flip these to be private. 

I have been testing the forwarding scenarios and having mixed results depending on where the forward is set at gateway or exchange level. Have seen failures when forwarding from Exchange when the originating sending domain has a dmarc policy set to reject.

Appreciate the reply!

If the domains are set up as "internal relay" or "authoritative" (depending on the scenario) and the send connectors are in place, it should work OK. Are you able to provide more info on why the messages failed authentication?