Configuring SMTP relay settings for Office 365 is a critical task for organizations that rely on Microsoft’s cloud platform for email while maintaining custom on-premises applications or third-party services that require direct email submission. Unlike simple client-to-server email transmission, relay scenarios involve an intermediary system handing off email to Office 365 for delivery to the internet, which demands precise authentication and connector configuration to prevent failures or security blocks.
Understanding the Core Concept of SMTP Relay
A relay occurs when one server accepts email destined for a domain not served by that server and forwards it to another server that does. In the Office 365 context, this typically involves an internal Exchange server, a cloud application, or a security device submitting messages to Microsoft’s servers for final delivery to recipients outside your organization. The primary challenge lies in convincing Office 365 that the relaying server is authorized to submit mail on behalf of your domain, a trust relationship established through specific authentication and configuration steps.
Prerequisites and Initial Preparation
Before adjusting any settings, ensure your Office 365 tenant is ready for relay traffic. This involves verifying domain ownership, which confirms your right to send email using addresses in that domain. You must also identify the exact IP address or range of the server that will perform the relay, as this address will be added to a trusted list. Gathering details such as the server’s static IP, the sending application’s identity, and the intended recipients helps streamline the subsequent configuration and troubleshooting processes.
Required Permissions and Licensing
Global Administrator or Exchange Administrator role in the Office 365 Security & Compliance Center.
Valid licensing for the sending application or device, if applicable.
Network access to allow outbound SMTP traffic on port 587 (TLS) to the Office 365 endpoints.
Configuring Connectors in the Microsoft 365 Admin Center
The cornerstone of allowing external systems to relay through Office 365 is the outbound connector, which defines how and to where mail is sent. You will create a custom connector that permits the specified relay server to submit messages securely. This configuration ensures that email flows correctly from your internal systems into the Microsoft cloud without being rejected as spam or unauthorized.
Step-by-Step Connector Creation
Log in to the Microsoft 365 admin center and navigate to the Admin menu, then select Exchange.
In the Exchange admin center, go to Mail flow and click Connectors.
Click + to create a new connector, selecting From Office 365 and To Partner organization.
Name the connector descriptively, such as "Relay Server to Office 365," and specify the remote IP address of your relay server.
Configure the connector to use Transport Layer Security (TLS) and select the appropriate authentication method, typically Only accept messages from senders who meet the following requirements, followed by specifying the IP address of the relay server.
Configuring the Relay Server Itself
On the server or device responsible for relaying, you must update its SMTP settings to point to Office 365 as the smart host. This step instructs the server to forward all outbound email through Microsoft’s servers using the authenticated connection established earlier. Incorrect settings here are a common source of connection failures, so verifying the port, encryption method, and credentials is essential.
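The port, encryption, credential and source-IP checks described above can be run against a relay's settings before it goes live. The following is an added example, not code from the article or from Microsoft. The `SmartHost` fields, the `audit` and `probe` helpers, the placeholder host name and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
import smtplib
import ssl
from dataclasses import dataclass

# RFC 1918 ranges: Office 365 only ever sees the relay's public egress address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class SmartHost:              # hypothetical container for the relay's settings
    host: str                 # smart host name (placeholder, not from the article)
    port: int
    starttls: bool            # relay refuses to send unless STARTTLS succeeds
    verify_cert: bool         # relay validates the server certificate
    username: str
    source_ip: str            # address the relay's outbound SMTP leaves from

def audit(cfg, connector_ranges):
    """Offline check of relay settings; returns findings (empty list = consistent)."""
    findings = []
    if cfg.port != 587:
        findings.append(f"port {cfg.port}: the article specifies 587 with TLS")
    if not cfg.starttls:
        findings.append("STARTTLS not enforced: credentials and mail may travel in cleartext")
    elif not cfg.verify_cert:
        findings.append("certificate not verified: the TLS session can be intercepted")
    if not cfg.username:
        findings.append("no credentials configured")
    ip = ipaddress.ip_address(cfg.source_ip)
    if any(ip in net for net in RFC1918):
        findings.append(f"{ip} is private: register the public egress IP on the connector")
    elif not any(ip in ipaddress.ip_network(r, strict=False) for r in connector_ranges):
        findings.append(f"{ip} is not in the connector's allowed ranges")
    return findings

def probe(cfg, timeout=10):
    """Live check (needs network): the host must offer STARTTLS, then AUTH."""
    with smtplib.SMTP(cfg.host, cfg.port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return ["server does not advertise STARTTLS"]
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        return [] if s.has_extn("auth") else ["AUTH not offered after STARTTLS"]

if __name__ == "__main__":
    # Constructed sample values (documentation address range, placeholder host).
    cfg = SmartHost("smarthost.example.invalid", 25, False, False, "", "192.168.1.20")
    for finding in audit(cfg, ["203.0.113.0/28"]):
        print("FINDING:", finding)
```

`audit` runs offline against the values you intend to deploy; `probe` opens a real connection and should be run from the relay itself so the handshake uses the same network path as production mail.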