SMTP Server for Office 365: A Comprehensive Guide for Setup and Configuration

Sending emails from devices and applications using Microsoft 365 or Office 365 can enhance business operations, from automated scan-to-email functionalities to application-driven notifications. This guide provides a detailed walkthrough of setting up your devices or applications to seamlessly send emails when your mailboxes are hosted on Microsoft 365 or Office 365.

For instance, consider these common scenarios:

  • You need to configure a scanner to email digitized documents to users, either internal or external.
  • Your business application, designed for appointment scheduling, requires sending automated reminders to clients about their upcoming appointments.

To address these needs, Microsoft 365 and Office 365 offer several options for configuring an SMTP server for Office 365, each tailored to different requirements and security considerations. Let’s explore these methods in detail.

Option 1: Direct Authentication with SMTP AUTH Client Submission

This method involves directly authenticating your device or application with a Microsoft 365 or Office 365 mailbox to send emails using SMTP AUTH client submission. It’s generally the easiest to set up and suitable for most scenarios.

Note: Be aware that this option is not compatible with Security defaults in Microsoft Entra ID and relies on Basic Authentication, which Microsoft plans to retire for Client Submission (SMTP AUTH) in September 2025. Modern Authentication via OAuth is recommended for enhanced security. Ensure SMTP AUTH is enabled for the mailbox you intend to use, as it might be disabled by default for organizations created post-January 2020.

Choose this option if:

  • You are sending emails from a third-party hosted application, service, or device.
  • Your recipients include both internal and external users.

To configure SMTP AUTH client submission, you need to connect your device or application directly to Microsoft 365 or Office 365 using the endpoint smtp.office365.com. Each device or application must authenticate with Microsoft 365 or Office 365, and the authenticating account’s email address will be displayed as the sender of the emails.

Setting up SMTP AUTH Client Submission

Input the following settings into your device or application’s configuration interface. The terminology might vary based on the device or application’s guide, but the core settings remain consistent:

| Setting | Value |
|---|---|
| Server/Smart Host | smtp.office365.com |
| Port | Port 587 (Recommended) or 25 |
| TLS/StartTLS | Enabled |
| Username/Email & Password | Credentials of the Hosted Mailbox |

TLS and Encryption

It’s critical to determine the Transport Layer Security (TLS) version supported by your device. Refer to the device manual or vendor for this information. If TLS 1.2 or higher is not supported, consider these alternatives:

  • Opt in to the legacy TLS clients endpoint for Exchange Online SMTP AUTH if suitable for your security requirements.
  • Utilize an on-premises email server (like Exchange Server) to relay emails if the device cannot meet TLS requirements. This can simplify management, especially with numerous devices.

For setting up an on-premises server for relaying, refer to Microsoft’s guide on configuring connectors for mail flow between Microsoft 365/Office 365 and your email servers.

Important: Port 465 is not compatible with SMTP AUTH client submission. If your device defaults to port 465, it indicates a lack of SMTP AUTH client submission support.

Features of SMTP AUTH Client Submission

  • Versatile sending to both internal and external recipients.
  • Bypasses most spam checks for internal emails, potentially safeguarding your company IP from being added to spam lists.
  • Enables sending from any location or IP address, including on-premises networks or cloud services like Microsoft Azure.

Requirements for SMTP AUTH Client Submission

  • Authentication: Modern Authentication (OAuth) is preferred for enhanced security. Otherwise, Basic Authentication (username/password) is necessary. SMTP AUTH must be enabled for both the organization and the mailbox.
  • Mailbox: A licensed Microsoft 365 or Office 365 mailbox is required for sending.
  • TLS: Device must support TLS 1.2 or above.
  • Port: Port 587 (recommended) or 25 must be open and unblocked on your network.
  • DNS: Use smtp.office365.com as the DNS name. IP addresses are not supported.
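The requirements above (DNS name rather than IP, port 587 or 25 but never 465, TLS 1.2 or higher) can be enforced in the sending client itself. The following is an added example, not code from the original guide or from Microsoft; the function names `preflight`, `tls12_context` and `submit` are hypothetical, and it uses the Basic Authentication username/password from the settings table.

```python
import ipaddress
import smtplib
import ssl

SUBMISSION_HOST = "smtp.office365.com"   # endpoint named in this guide
ALLOWED_PORTS = {587, 25}                # 465 is not supported for client submission


def preflight(host, port) -> list:
    """Return a list of problems with the submission settings (empty = OK)."""
    problems = []
    try:
        ipaddress.ip_address(host)
        problems.append("use the DNS name smtp.office365.com, not an IP address")
    except ValueError:                    # not an IP literal, so check the name
        if host.lower() != SUBMISSION_HOST:
            problems.append(f"unexpected submission host {host!r}")
    if port == 465:
        problems.append("port 465 is not compatible with SMTP AUTH client submission")
    elif port not in ALLOWED_PORTS:
        problems.append(f"port {port} is not supported; use 587 or 25")
    return problems


def tls12_context() -> ssl.SSLContext:
    """TLS context that verifies the server and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()    # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def submit(msg, user, password, host=SUBMISSION_HOST, port=587):
    """Send an email.message.EmailMessage through SMTP AUTH client submission."""
    problems = preflight(host, port)
    if problems:
        raise ValueError("; ".join(problems))
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        # starttls() raises if the server does not offer STARTTLS, so the
        # credentials below are never sent over an unencrypted session.
        smtp.starttls(context=tls12_context())
        smtp.login(user, password)        # Basic Authentication, per the table
        smtp.send_message(msg)
```
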

Limitations of SMTP AUTH Client Submission

  • To send emails from a different account, the sign-in account needs “Send As” permission for that account. Without it, you may encounter a “5.7.60 SMTP; Client does not have permissions to send as this sender” error.
  • Microsoft 365 and Office 365 impose sending limits. Review Exchange Online limits for sending and receiving for detailed information.

Option 2: SMTP Relay via Microsoft 365 or Office 365 Connector

Choose SMTP relay when SMTP AUTH is disabled, incompatible with your needs, or when you need to send a high volume of emails exceeding mailbox limits. SMTP relay allows Microsoft 365 or Office 365 to relay emails on your behalf through a connector secured either with a TLS certificate (recommended) or your public IP address. This method is more complex to configure.

Set up SMTP relay if you meet either of these conditions:

  • Sender Domain Verification: Your sender domain is registered in Microsoft 365.
  • Certificate-Based Connector: Your on-premises server uses a certificate for sending emails to Microsoft 365. The certificate’s Common Name (CN) or Subject Alternate Name (SAN) must contain a domain registered in your Microsoft 365 setup. A corresponding certificate-based connector needs to be configured in Microsoft 365.

Without meeting these conditions, Microsoft 365 cannot verify if the email originates from your organization.

Configuring a TLS Certificate-Based Connector

First, configure your device or application with these settings:

| Setting | Value |
|---|---|
| Server/Smart Host | Your MX endpoint (e.g., yourdomain.mail.protection.outlook.com) |
| Port | Port 25 |
| TLS/StartTLS | Enabled, TLS 1.2 only |
| TLS Certificate CN or SAN | Certificate with CN or SAN containing your registered domain |
| Email Address | Any email address |

If you already have a connector for hybrid setups, you might not need a new one. To create or modify a certificate-based connector:

  1. Go to the Exchange Admin Center.
  2. Navigate to Mail flow > Connectors.
  3. Add a new connector (+) or edit an existing one.
  4. Select Your organization’s email server for Connection from and Office 365 for Connection to.
  5. Name the connector and proceed.
  6. Choose to authenticate using the subject name on the certificate, ensuring the domain matches your registered domain in Microsoft 365.

For optimal email deliverability, add an SPF record for your domain in your DNS settings. If using a static IP, include it in the SPF record.

Configuring an IP Address-Based Connector

Alternatively, you can set up an IP Address-based connector with these device/application settings:

| Setting | Value |
|---|---|
| Server/Smart Host | Your MX endpoint (e.g., yourdomain.mail.protection.outlook.com) |
| Port | Port 25 |
| TLS/StartTLS | Enabled |
| Email Address | Any email address from your verified Microsoft 365 domains |

For connector settings:

| Connector Setting | Value |
|---|---|
| From | Your organization’s email server |
| To | Microsoft 365 or Office 365 |
| Domain Restrictions: IP address/range | Static IP address range of your device or application connecting to Microsoft 365 |

Include an SPF record to prevent emails from being marked as spam. For a static IP address, your SPF record should look like:

v=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all

Creating and Configuring an Inbound Connector

  1. Obtain a static public IP address for your device or application.
  2. Sign in to the Microsoft 365 admin center.
  3. Find your domain’s MX record under Settings > Domains. Note the POINTS TO ADDRESS value (your MX endpoint).
  4. Confirm that the recipient domains are verified in Microsoft 365.
  5. Go to Admin > Exchange to access the Exchange admin center.
  6. Navigate to Mail flow > Connectors.
  7. If no connector exists for your organization to Microsoft 365, create one:
    • Select + Add a connector.
    • Choose Your organization’s email server to Office 365.
    • Name the connector.
    • Select By verifying that the IP address of the sending server matches one of these IP addresses which belong exclusively to your organization and add your static IP address.
    • Save the connector.
  8. Update your DNS records at your domain registrar by adding the static IP to your SPF record.
  9. Configure your device to use the MX endpoint as the Server/Smart Host.
  10. Test by sending a test email.

Step-by-Step SMTP Relay Configuration

Follow these steps for SMTP relay setup:

  1. Obtain a static public IP address for your sending device.
  2. Sign in to the Microsoft 365 admin center.
  3. Go to Settings > Domains and find your MX record.
  4. Note the Points to address or value of your MX record (your MX endpoint).
  5. Ensure recipient domains are verified.
  6. Go to Admin > Exchange to access the Exchange admin center (EAC).
  7. Navigate to Mail flow > Connectors in the EAC.
  8. Check for existing connectors. If none, create a new one:
    • Select +Add a connector.
    • Choose Your organization’s email server to Microsoft 365 or Office 365.
    • Click Next to go to the Connector name page.
    • Provide a name, then click Next to go to the Authenticating sent email page.
    • Select By verifying that the IP address of the sending server matches one of these IP addresses which belong exclusively to your organization.
    • Add the static IP address from step 1.
    • Click Save.
  9. Update your DNS records at your domain registrar to include your static IP in your SPF record.
  10. Configure your device with the MX endpoint as the Server/Smart Host.
  11. Test the setup by sending a test email.

How Microsoft 365 SMTP Relay Works

SMTP relay uses a connector to authenticate devices or applications via IP address. This allows sending emails to both internal and external recipients, using any address from your domain, without requiring a mailbox for the sending address.

Features of Microsoft 365 SMTP Relay

  • No licensed Microsoft 365 mailbox needed for sending.
  • Higher sending limits compared to SMTP client submission.

Requirements for Microsoft 365 SMTP Relay

  • Static IP: Requires a static, non-shared IP address.
  • Connector: A configured connector in Exchange Online.
  • Port: Port 25 must be open.

Limitations of Microsoft 365 SMTP Relay

  • Potential disruptions if IP addresses are spam-listed.
  • Reasonable sending limits apply to prevent abuse.
  • Requires static, unshared IP addresses (unless using a certificate).
  • Clients should implement retry mechanisms and maintain SMTP logs for transient failures.

Option 3: Direct Send to Microsoft 365 or Office 365 (Advanced)

Direct Send is for legacy devices or applications lacking authentication capabilities and only needing to send to internal Exchange Online recipients. Emails are treated as anonymous internet emails, subject to standard spam and protection measures. It only works for internal recipients and requires correct SPF/DKIM/DMARC configuration, making it complex and prone to misconfiguration.

Direct Send is recommended for advanced users who understand email server administration and security best practices.

Limitations of Direct Send

  • Cannot send to external recipients.
  • Subject to anti-spam checks.
  • Messages can be disrupted by spam list blocks.
  • Subject to Microsoft 365 throttling policies.

Requirements for Direct Send

  • Port: Port 25 must be open.
  • Static IP Recommended: For SPF record creation to reduce spam flagging.
  • No licensed mailbox needed, but sender address must be from an accepted domain.

Settings for Direct Send

| Setting | Value |
|---|---|
| Server/Smart Host | Your MX endpoint (e.g., yourdomain.mail.protection.outlook.com) |
| Port | Port 25 |
| TLS/StartTLS | Optional |
| Email Address | Any email address from your accepted Microsoft 365 domains |

Direct Send offers higher sending limits than SMTP AUTH client submission.

Option Comparison

| Features | SMTP Client Submission | Direct Send | SMTP Relay |
|---|---|---|---|
| Send to recipients in your domain(s) | Yes | Yes | Yes |
| Relay to internet via Microsoft 365 or Office 365 | Yes | No | Yes |
| Bypasses antispam | Yes (internal) | No | No |
| Supports mail from third-party hosted applications | Yes | Yes | No |
| Saves to Sent Items folder | Yes | No | No |
| Requirements | | | |
| Open network port | Port 587 or 25 | Port 25 | Port 25 |
| Device/application TLS support | Required | Optional | Optional |
| Authentication | Microsoft 365 Auth | None | Static IPs |
| Limitations | | | |
| Throttling limits | 10,000/day, 30/minute | Standard | Reasonable |

Diagnostic Tool

For assistance in setting up or troubleshooting email sending from applications or devices, use the Microsoft 365 automated diagnostic tool.

Run Tests: Send emails using Microsoft 365

This tool in the Microsoft 365 admin center can guide you through setup or issue resolution.

Using Your Own Email Server

If you maintain an on-premises email server, consider using it for SMTP relay. It offers easier configuration for devices on your local network. For Exchange Server, consult Microsoft’s documentation.

Note: IIS SMTP Virtual Server is not supported due to outdated components. Use supported versions of Exchange Server or Azure Communication Services for email relaying to Office 365.

Related Resources

Fix issues with printers, scanners, and LOB applications that send emails using Microsoft 365 or Office 365

Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers
