Mail Flow Best Practices for Exchange Online —Microsoft 365 and Office 365

Mail flow refers to the path an email takes from the internet to reach the destination mailbox and vice-versa. Most organizations choose Office 365, Exchange Online, or Microsoft 365 to manage their mailboxes and filtering. However, some organizations require more complex mail flow to meet regulatory compliance and business requirements and ensure a more secure flow with third-party integrations.

In this article, we’ll be sharing some best practices that you can follow to configure and customize the Exchange Online, Office 365, or Microsoft 365 mail flow.

Best Practices for Exchange Online, Office 365, or Microsoft 365 Mail Flow

Below we have discussed four different scenarios and best practices for mail flow.

1. Hosted Mail Flow with Office 365

Hosted mail flow is the simplest configuration recommended for most organizations. Microsoft 365 or Office 365 manages all mailboxes and filtering in this configuration.

If you are new to O365 or Microsoft 365 (Exchange Online) with all mailboxes in Office 365/Microsoft 365 or have an existing email service and planning to move mailboxes to Exchange Online, you can set up the hosted mail flow by following these steps:

  • Access Office 365 or Microsoft 365 Admin Center and click Setup.

  • Add your Custom Domain and update the DNS records: a TXT record to verify the domain, and MX records pointing to Office 365 or Microsoft 365. For instance, YourDomainName.com.mail.protection.outlook.com.

  • Also, update the Sender Policy Framework (SPF) record, which is a TXT DNS record. It identifies the valid senders for your custom domain (Office 365 or Microsoft 365 in this case) so that receiving servers can validate outbound emails from that domain. To add an SPF TXT record for your domain, use the following format:

v=spf1 include:spf.protection.outlook.com -all        

  • Use this record only when all mailboxes are hosted in Office 365/Microsoft 365 and you have no on-premises mailbox servers.

2. Hosted Office 365 with Third-Party Cloud Service

If your organization uses a third-party cloud solution with or without spam filtering, you may point the MX records to the service for spam, malware, and phish filtering. Below are the best practices for mail flow configuration when using a third-party cloud service solution with Office 365 or Microsoft 365.

Third-Party Solution with Spam/Malware Filtering

The best practices for Microsoft 365 or Office 365 with cloud spam/malware filtering service are as follows:

  • Add your custom domain in Microsoft 365 or Office 365 and verify the domain.
  • Create mailboxes or move mailboxes from your on-premises to Office 365.
  • Add MX records and SPF records.

a - Point the MX Records to the third-party spam filtering cloud service. You should refer to your third-party spam/malware filtering service provider for more details on setting up MX records.

b - Since emails are sent from your domain directly to the internet, the SPF record will remain the same as hosted Office 365.

v=spf1 include:spf.protection.outlook.com -all        

  • If your organization also wants to use the third-party service for outbound messages, you must include the service provider's IP address or domain in your SPF record.

v=spf1 ip4:121.117.23.221 include:spf.protection.outlook.com -all

Third-party Solution without Spam/Malware Filtering

In this configuration, organizations use third-party cloud services for archiving and auditing emails. The outbound emails also flow through the third-party service without spam filtering.

According to Microsoft, the best practice in such a case would be to use Office 365 or Microsoft 365 archiving and auditing solutions.

3. Mailboxes on Exchange Online and On-Premises Exchange (Hybrid Setup)

In this configuration, some mailboxes are stored on the on-premises organization, while some are moved to Office 365 or Microsoft 365. Also, emails are sent from on-premises and Exchange Online organizations via Office 365 or Microsoft 365. Besides, Office 365 or Microsoft 365 spam filtering is used to filter spam or malware.

Best practices to set up mail flow in a hybrid environment are as follows:

  • Add domain to Microsoft 365 or Office 365 and verify.
  • Create mailboxes or move mailboxes from your current mail server to Office 365.
  • Point the MX records to Office 365 or Microsoft 365 to ensure emails are filtered and routed through Office 365 or Microsoft 365. The format is as follows:

YourDomainName.com.mail.protection.outlook.com        

  • Update SPF record. You need to include the on-premises email server IP address in the following format:

v=spf1 ip4:121.117.23.221 include:spf.protection.outlook.com -all        

  • To include a domain from a third party, use the following format.

v=spf1 include:spf.protection.outlook.com include:EnterThirdPartyCloudService.com -all        

  • Also, configure the mail flow connectors in Office 365 or Microsoft 365 using the Connector wizard in the Exchange Admin Center (EAC) to ensure mail flow from on-premises to Office 365 or Microsoft 365 and vice-versa.

If you want to keep using the spam and filtering solutions at your on-premises Exchange organization rather than Office 365 or Microsoft 365, enable Centralized Mail Transport (CMT). SPF records will remain the same.

You may also point the MX records to your on-premises Exchange in a hybrid setup. In this configuration, the emails flow to the mailboxes on Office 365 or Microsoft 365 via on-premises Exchange Servers. SPF records will remain the same.

Further, you may also choose to relay the messages through your on-premises Exchange Servers while using your on-premises server's filtering and compliance solutions. For this, you need to point the MX records to an on-premises server. You must also configure the mail flow connectors using the Connector wizard in the Exchange Admin Center.

4. Hybrid Mail Flow with Third-Party Filtering

In this hybrid configuration, some mailboxes remain on the on-premises Exchange server while others are migrated to Exchange Online with a third-party cloud service for spam filtering. The messages are routed through Office 365 or Microsoft 365 to prevent on-premises servers' IP being added to blocklists. Following is an illustration of how the mail flow works in this hybrid setup with a cloud-based spam filtering service.

In such a configuration, you need to point the MX records to the third-party cloud service provider. Get in touch with your cloud service provider to set up the MX records correctly. The SPF records also need to be updated. You must include the third-party cloud service IP in the SPF record by following the service provider's guidelines. For instance,

v=spf1 ip4:101.101.101.11 ip4:121.117.23.221 include:spf.protection.outlook.com -all        

The highlighted IP belongs to the third-party cloud spam filtering service provider. You may also include the third-party service provider's domain instead of its IP in the SPF record.

v=spf1 ip4:121.117.23.221 include:spf.protection.outlook.com include:EnterThirdPartyCloudService.com -all

For more details on mail flow configuration, you may refer to this Microsoft documentation.
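
Before publishing any of the SPF records above, it helps to lint the TXT value offline. The following Python sketch is an added example, not part of the original article or of any Microsoft tooling. The function name `lint_spf` is hypothetical, and the sample records are constructed from the formats shown above (placeholder IP and domain). It goes slightly beyond the article by also counting DNS-lookup terms against the limit of 10 in RFC 7208.

```python
import re

# Terms that each cost one DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
NEEDS_VALUE = {"include", "ip4", "ip6", "exists", "redirect"}
KNOWN = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)

def lint_spf(record):
    """Return findings for one SPF TXT value; an empty list means no issue found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings, lookups, has_all, has_redirect = [], 0, False, False
    for pos, term in enumerate(terms[1:], start=1):
        if not term.isascii():  # e.g. an en dash pasted in place of "-"
            findings.append(f"non-ASCII character in {term!r}")
            continue
        m = TERM_RE.match(term)
        if not m or m.group(2).lower() not in KNOWN:
            findings.append(f"unrecognised term {term!r}")
            continue
        qual, name, value = m.group(1), m.group(2).lower(), m.group(3)
        lookups += name in LOOKUP_TERMS
        has_redirect |= name == "redirect"
        if name in NEEDS_VALUE and not value:  # e.g. "include:" followed by a space
            findings.append(f"{name} has no value")
        if name == "all":
            has_all = True
            if qual != "-":
                findings.append(f"{qual or '+'}all does not hard-fail unlisted senders")
            if pos != len(terms) - 1:
                findings.append("all is not the last term")
    if not has_all and not has_redirect:
        findings.append("no all mechanism: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings

# Constructed sample records modelled on the formats above (placeholder IP and domain).
SAMPLES = {
    "hosted": "v=spf1 include:spf.protection.outlook.com -all",
    "hybrid": "v=spf1 ip4:121.117.23.221 include:spf.protection.outlook.com -all",
    "no_all": "v=spf1 ip4:121.117.23.221 include:spf.protection.outlook.com",
    "pasted": "v=spf1 include: EnterThirdPartyCloudService.com \u2013all",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, lint_spf(rec) or "ok")
```

The linter checks syntax only; it does not resolve the included domains, so nested lookups inside an `include:` target are not counted.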

To Wrap Up

This article explains the best practices to set up mail flow in Exchange Online, Office 365, or Microsoft 365 based on your organization's needs and various scenarios. If your organization is migrating to Exchange Online, Office 365, or Microsoft 365, consider using an EDB to PST converter tool, such as Stellar Converter for EDB, to easily move mailboxes from the on-premises server to Exchange Online. After configuring and testing the mail flow, you may use the software to directly export the mailboxes from an offline Exchange database file (.edb) to an Office 365 tenant. The software auto-maps the source mailboxes to the destination mailboxes, with an option to manually edit or map the mailboxes, saving you the time required if you follow the manual way.
