This guide is designed to help you configure devices and business applications to send emails when your mailboxes are hosted on Microsoft 365 or Office 365. Whether you have a multifunction scanner that needs to email documents or a line-of-business (LOB) application that sends appointment reminders, understanding your Office 365 SMTP server options is crucial. This article explores the methods available to ensure your devices and applications can reliably send emails through Microsoft 365.
Option 1: Direct Authentication with Office 365 Mailbox using SMTP AUTH
This method, known as SMTP AUTH client submission, is often the simplest way to set up email sending from devices and applications. It involves directly authenticating your device or application with a Microsoft 365 or Office 365 mailbox to send emails.
Note: Be aware that SMTP AUTH client submission is not compatible with Security defaults in Microsoft Entra ID. Modern Authentication is recommended for enhanced security. For more on OAuth, refer to Microsoft’s documentation on Authenticating IMAP, POP or SMTP connections using OAuth.
Also, ensure SMTP AUTH is enabled for the mailbox you intend to use. For organizations created after January 2020, SMTP AUTH is disabled by default but can be enabled per mailbox. See Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online for instructions.
While currently available, Microsoft has announced the eventual retirement of Basic authentication with Client Submission (SMTP AUTH) in Exchange Online, set for September 2025. Transitioning away from Basic authentication with SMTP AUTH is strongly advised. More details on alternative options can be found in Exchange Online to Retire Basic Auth for Client Submission SMTP.
Choose SMTP AUTH client submission if:
- You are sending emails from a third-party hosted application, service, or device.
- You need to send emails both internally within your organization and externally to recipients outside your organization.
To configure SMTP AUTH, you will need to input specific settings into your device or application. These settings allow direct connection to Microsoft 365 or Office 365 using the SMTP AUTH client submission endpoint: smtp.office365.com.
Each device or application must authenticate using Microsoft 365 or Office 365 credentials. The email address of the authenticating account will be displayed as the sender of all messages originating from that device or application.
Configuring SMTP AUTH Client Submission
Enter these settings into your device or application’s configuration panel, referring to its specific guide for terminology, which may vary. As long as your scenario aligns with SMTP AUTH client submission requirements, these settings will enable email sending:
Setting | Value |
---|---|
Server/Smart Host | smtp.office365.com |
Port | Port 587 (Recommended) or Port 25 |
TLS/StartTLS | Enabled |
Username/Email Address & Password | Credentials of the hosted mailbox |
TLS and Encryption Options
Determine the Transport Layer Security (TLS) version supported by your device. Consult the device manual or vendor for this information. If your device does not support TLS 1.2 or higher, consider these alternatives:
- Opt-in to Legacy TLS Endpoint: If suitable for your security requirements, you can opt in to the Exchange Online endpoint for legacy TLS clients using SMTP AUTH as described in Opt in to the Exchange Online endpoint for legacy TLS clients using SMTP AUTH.
- On-Premises Email Server Relay: Utilize an on-premises email server (like Exchange Server or another SMTP server) to relay emails if TLS 1.2+ cannot be supported. This can simplify management, particularly with numerous devices and applications.
For details on setting up your own email server to send mail to Microsoft 365 or Office 365, see Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers.
Note: Port 465 is not supported for SMTP AUTH client submission. If your device defaults to or recommends port 465, it is not compatible with this option.
Advantages of SMTP AUTH Client Submission
- Send emails to both internal and external recipients.
- Emails to internal recipients often bypass spam checks, potentially safeguarding your company IP addresses from being mistakenly listed as spam sources.
- Send emails from any location or IP address, including your on-premises network or a third-party cloud service like Microsoft Azure.
Prerequisites for SMTP AUTH Client Submission
- Authentication: Modern Authentication (OAuth) is preferred for enhanced security. If OAuth is not feasible, Basic Authentication (username and password) can be used. If SMTP AUTH is disabled at the organizational or mailbox level, Options 2 or 3 are necessary.
- Mailbox: A licensed Microsoft 365 or Office 365 mailbox is required.
- Transport Layer Security (TLS): TLS version 1.2 or higher is mandatory.
- Port: Port 587 (recommended) or Port 25 must be open and unblocked on your network. Some firewalls or ISPs may block these ports, especially port 25.
- DNS: Use the DNS name smtp.office365.com. IP addresses are not supported for the Microsoft 365 or Office 365 server.
Note: For more information on TLS, see How Exchange Online uses TLS to secure email connections and TLS cipher suites supported by Office 365.
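The settings and prerequisites above as a Python client, added here as an example that is not part of the original article: it checks a device's settings against the rules on this page (DNS name rather than IP, port 587 or 25, STARTTLS on) and submits with a TLS 1.2 floor. The function names and the choice of `smtplib` with Basic authentication are this example's own assumptions.

```python
import ipaddress
import smtplib
import ssl
from email.message import EmailMessage

SUBMISSION_HOST = "smtp.office365.com"   # endpoint named on this page
ALLOWED_PORTS = {587, 25}                # port 465 is not supported for SMTP AUTH


def check_submission_settings(host, port, starttls):
    """Return a list of problems with a device's SMTP AUTH settings."""
    problems = []
    try:
        ipaddress.ip_address(host)
        problems.append("use the DNS name, not an IP address")
    except ValueError:  # not an IP literal, so compare the host name
        if host.lower() != SUBMISSION_HOST:
            problems.append(f"host should be {SUBMISSION_HOST}")
    if port not in ALLOWED_PORTS:
        problems.append(f"port {port} is not supported; use 587 or 25")
    if not starttls:
        problems.append("STARTTLS must be enabled")
    return problems


def tls12_context():
    """Client TLS context that verifies the server and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_report(user, password, to_addr, subject, body, port=587):
    """Submit one message; the authenticated mailbox is the sender."""
    problems = check_submission_settings(SUBMISSION_HOST, port, True)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = user, to_addr, subject
    msg.set_content(body)
    with smtplib.SMTP(SUBMISSION_HOST, port, timeout=30) as smtp:
        smtp.starttls(context=tls12_context())  # raises if STARTTLS is refused
        smtp.login(user, password)  # Basic auth; SMTP AUTH must be enabled
        smtp.send_message(msg)
```

Setting `From` to an address other than the authenticated mailbox requires the "Send As" permission described under the limitations of this option.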
Limitations of SMTP AUTH Client Submission
- To send emails from a different account than the authenticated mailbox, the sign-in account needs “Send As” permission for that other account. Without this, you may encounter an error like:
5.7.60 SMTP; Client does not have permissions to send as this sender.
- Microsoft 365 or Office 365 imposes sending limits. Refer to Exchange Online limits – Receiving and sending limits for details.
Option 2: SMTP Relay via Office 365 Connector
Opt for SMTP relay when:
- SMTP AUTH is disabled in your environment.
- SMTP client submission (Option 1) does not meet your business needs or device capabilities.
- You need to send a high volume of emails, exceeding mailbox sending limits.
SMTP relay allows Microsoft 365 or Office 365 to send emails on your behalf through a configured connector. This connector uses either a TLS certificate (recommended) or your public IP address for authentication. Setting up a connector makes this option more complex than SMTP AUTH.
Relay through a connector works only if at least one of these conditions is met:
- Sender Domain Verification: The sender domain must belong to your organization and be registered in Microsoft 365. See Add a domain to Microsoft 365 for domain registration.
- Certificate-Based Connector Configuration: Your on-premises email server must use a certificate to send emails to Microsoft 365. The certificate’s Common-Name (CN) or Subject Alternate Name (SAN) must contain a domain name registered in your Microsoft 365 tenant. A corresponding certificate-based connector must be created in Microsoft 365.
If neither condition is fulfilled, Microsoft 365 cannot validate if the email originates from your organization. Ensuring at least one of these conditions is met is essential.
Configuring a TLS Certificate-Based Connector for SMTP Relay
First, configure your device or application with these settings:
Setting | Value |
---|---|
Server/Smart Host | Your MX endpoint (e.g., yourdomain-com.mail.protection.outlook.com) |
Port | Port 25 |
TLS/StartTLS | Enabled, TLS 1.2 only supported |
TLS Certificate CN or SAN | Certificate with CN or SAN containing your Microsoft 365 registered domain |
Email Address | Any email address |
If you already have a connector configured for hybrid environments, you might not need a new one for SMTP relay. To create or modify a certificate-based connector:
- Go to the Exchange admin center.
- Navigate to Mail flow > Connectors.
- To add a new connector, click + Add a connector. To edit an existing one, select the connector and click the edit icon.
- In Select your mail flow scenario, choose Your organization’s email server under Connection from. Office 365 will auto-select under Connection to.
- Enter a connector name and other details, then click Next.
- In Authenticating sent email, select the option to use the subject name on the certificate of the sending server. The domain name should match the CN or SAN in your certificate and be registered with Microsoft 365. For example, use *.contoso.com if your certificate covers mail1.contoso.com, mail2.contoso.com, etc.
For improved email deliverability, add an SPF record for your domain in your DNS settings. If sending from a static IP, include it in your SPF record.
For more information, see Important notice for email customers who have configured connectors.
Configuring an IP Address-Based Connector for SMTP Relay
Configure your device or application with these settings:
Setting | Value |
---|---|
Server/Smart Host | Your MX endpoint (e.g., yourdomain-com.mail.protection.outlook.com) |
Port | Port 25 |
TLS/StartTLS | Enabled |
Email Address | Any email address in your Microsoft 365 verified domain |
To create an IP Address-based connector:
Connector Setting | Value |
---|---|
From | Your organization’s email server |
To | Microsoft 365 or Office 365 |
Domain Restrictions: IP range | Your static public IP address range used by the device or application |
To prevent emails from being marked as spam, add an SPF record. Include your static IP address as follows: v=spf1 ip4:Static IP Address include:spf.protection.outlook.com ~all
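A check for the SPF record described above, added here as an example that is not part of the original article: it parses a TXT value and reports whether the relay's static IP and the Microsoft 365 include are both present. The function names and sample records are constructed for illustration; the addresses come from the 203.0.113.0/24 documentation range.

```python
import ipaddress

M365_INCLUDE = "spf.protection.outlook.com"   # include named on this page

# Constructed sample records; 203.0.113.0/24 is a documentation range.
GOOD = "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all"
MISSING_IP = "v=spf1 include:spf.protection.outlook.com ~all"


def parse_spf(txt):
    """Split an SPF TXT value into ip4 networks, includes and the 'all' term."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    ip4, includes, all_term = [], [], None
    for term in terms[1:]:
        low = term.lower()
        qualifier = low[0] if low[0] in "+-~?" else "+"
        mech = low.lstrip("+-~?")
        if mech.startswith("ip4:"):
            if qualifier == "+":  # only a passing ip4 term authorizes the sender
                ip4.append(ipaddress.ip_network(mech[4:], strict=False))
        elif mech.startswith("include:"):
            includes.append(mech[8:])
        elif mech == "all":
            all_term = qualifier + "all"
    return ip4, includes, all_term


def check_relay_spf(txt, sender_ip):
    """Return problems found for a relay host sending from sender_ip."""
    ip4, includes, all_term = parse_spf(txt)
    addr = ipaddress.ip_address(sender_ip)
    problems = []
    if not any(addr in net for net in ip4):
        problems.append(f"{sender_ip} is not covered by any ip4 mechanism")
    if M365_INCLUDE not in includes:
        problems.append(f"missing include:{M365_INCLUDE}")
    if all_term is None:
        problems.append("no 'all' term; unlisted senders are not restricted")
    elif all_term in ("+all", "?all"):
        problems.append(f"{all_term} does not restrict unlisted senders")
    return problems
```

Feed it the TXT value returned by your DNS lookup tool of choice; the check itself does no network access.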
Creating and Configuring an Inbound Connector in Microsoft 365
- Obtain the static public IP address of your sending device or application. Dynamic IP addresses are not supported.
- Sign in to the Microsoft 365 admin center.
- Go to Settings > Domains, select your domain, and find the MX record. Note the POINTS TO ADDRESS value, your MX endpoint (e.g., contoso-com.mail.protection.outlook.com).
- Verify that the domains you are sending to are verified in Microsoft 365.
- Go to Admin > Exchange to access the Exchange admin center.
- Navigate to Mail flow > Connectors.
- If no connector exists for your organization’s email server to Microsoft 365 or Office 365, create one by clicking +Add a connector.
- In the wizard, select Your organization’s email server as the connection origin and Office 365 as the destination.
- Provide a connector name and click Next.
- Choose By verifying that the IP address of the sending server matches one of these IP addresses which belong exclusively to your organization and add your static IP address from step 1.
- Click Save.
- Update your SPF record at your domain registrar to include your static IP address.
- In your device or application settings, enter your MX endpoint as the Server or Smart Host.
- Send a test email to confirm successful configuration.
Step-by-step Configuration Instructions for SMTP Relay
- Get the static public IP address of your device/application.
- Sign in to the Microsoft 365 admin center.
- Go to Settings > Domains and find your MX record.
- Note the Points to address or value of your MX record.
- Verify your sending domains are verified in Microsoft 365.
- Go to Admin > Exchange to open the Exchange admin center (EAC).
- In the EAC, go to Mail flow > Connectors.
- Check for existing connectors.
- If none exists, create a new connector by clicking +Add a connector.
- In the wizard, choose Your organization’s email server to Office 365.
- Name the connector and click Next.
- Select By verifying that the IP address of the sending server matches one of these IP addresses which belong exclusively to your organization and add your static IP.
- Click Save.
- Update your SPF record to include your static IP.
- Set your device/application’s Server or Smart Host to your MX endpoint.
- Test by sending an email.
How Office 365 SMTP Relay Works
SMTP relay uses a connector to authenticate devices and applications within your network via IP address. It allows sending emails using any address from your domains, without needing a mailbox associated with the sender address. For example, you can use [email protected] for the sender address.
This method authenticates emails from your devices/applications, allowing Microsoft 365 to relay them to internal and external recipients.
SMTP relay requires your device or application server to have a static IP address. It is not for sending directly from third-party hosted services like Azure. See Troubleshoot outbound SMTP connectivity issues in Azure for Azure-specific issues.
Advantages of Office 365 SMTP Relay
- Does not require a licensed Microsoft 365 or Office 365 mailbox.
- Higher sending limits than SMTP client submission.
Requirements for Office 365 SMTP Relay
- Static IP Address: Static, non-shared IP address(es) for authentication (or certificate).
- Connector: A configured connector in Exchange Online.
- Port: Port 25 must be open.
Limitations of Office 365 SMTP Relay
- IP addresses can be blocked by spam lists, disrupting mail flow.
- Sending limits are in place to prevent abuse. See High-risk delivery pool for outbound messages.
- Requires static, unshared IP addresses (unless using a certificate).
- Clients should retry sending on transient failures and maintain SMTP logs for troubleshooting.
Note: SMTP RFC suggests SMTP AUTH client submission (Option 1) may be more suitable for SMTP clients/applications that are not full mail servers.
Option 3: Direct Send to Office 365
Direct Send is an advanced option to be used only when legacy devices or applications cannot support authentication and you need to send only to recipients within your Exchange Online tenant.
Direct Send entails:
- Emails treated as anonymous internet emails, subject to all standard Exchange Online scanning and protections.
- Only works for internal recipients; external relaying is rejected.
- Requires sending from an accepted domain and correct SPF/DKIM/DMARC configuration, which can be complex and lead to security vulnerabilities if misconfigured.
Direct Send is for advanced users comfortable with email server administration and best practices for internet email sending. While viable and secure when correctly set up, its complexity introduces risks of misconfiguration, potentially disrupting mail flow or compromising security. Microsoft treats these messages as anonymous internet emails.
Microsoft is aware of misconfiguration risks and is planning to provide an option to disable Direct Send by default for better customer protection. An announcement is expected on the Exchange EHLO blog by June.
Limitations of Direct Send
- Cannot send emails to external recipients (e.g., Gmail, Yahoo).
- Messages are subject to antispam checks.
- IP addresses may be blocked by spam lists.
- Subject to Microsoft 365 and Office 365 throttling policies.
Requirements for Direct Send
- Port: Port 25 must be open.
- Static IP Recommended: Static IP recommended for SPF record configuration to reduce spam flagging.
- No licensed Microsoft 365 or Office 365 mailbox needed, but must use an address associated with an accepted domain.
Settings for Direct Send
Setting | Value |
---|---|
Server/Smart Host | Your MX endpoint (e.g., contoso-com.mail.protection.outlook.com) |
Port | Port 25 |
TLS/StartTLS | Optional |
Email Address | Any email address from your Microsoft 365 accepted domains |
Note: If your device/application can act as an email server for Microsoft 365 and other providers, no specific Microsoft 365 settings are needed. Refer to device/application instructions.
Direct Send has higher sending limits than SMTP AUTH client submission.
Comparing the Options
Features | SMTP client submission | Direct Send | SMTP relay |
---|---|---|---|
Send to recipients in your domain(s) | Yes | Yes | Yes |
Relay to internet via Microsoft 365 or Office 365 | Yes | No | Yes |
Bypasses antispam | Yes (internal emails) | No | No |
Supports third-party hosted applications | Yes | Yes | No |
Saves to Sent Items folder | Yes | No | No |
Requirements | | | |
Open network port | Port 587 or 25 | Port 25 | Port 25 |
Device/application TLS support | Required | Optional | Optional |
Authentication | Microsoft 365 mailbox | None | Static IP(s) |
Limitations | | | |
Throttling limits | 10,000 recipients/day | Standard | Reasonable limits |
Diagnostic Tool for Setting up Email Sending
Note: Requires a Microsoft 365 administrator account.
For further assistance in setting up or troubleshooting email sending from devices and applications, use the automated diagnostic tool:
Run Tests: Send emails using Microsoft 365
This tool, accessible via the Microsoft 365 admin center, offers options for new setups and troubleshooting.
Using Your Own Email Server
Consider using an on-premises email server for SMTP relay if you have one. It can be simpler to configure for devices and applications on your local network.
Note: IIS SMTP Virtual Server is not supported due to its outdated components. Use a supported Exchange Server version or Azure Communication Service for email relaying to Office 365.
For Exchange Server configuration, see the following articles:
Related Articles
Fix issues with printers, scanners, and LOB applications that send emails using Microsoft 365 or Office 365
Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers