Microsoft 365 Outbound Email Relaypool
This is an update regarding the configuration for relaying or forwarding email through Office 365. Please note that while this change was originally implemented in April 2022, we will now be implementing a further enhancement to improve security and reliability of our email services.
When this will happen:
Starting May 30, 2023 we will be updating special relay pools used for relayed messages via connectors. This change will impact only the messages sent from domains not registered as accepted domains in your tenant.
To avoid any service disruptions or issues, we strongly recommend you review and complete the suggested actions outlined below.
How this will affect your organization:
When this change is implemented, emails sent through an outbound connector will also use the relay pool if messages do not meet any one of the below criteria and the messages may potentially end up in the junk folder of recipients.
What you need to do to prepare:
Messages that do not meet any one of the criteria below will be routed through the Relay Pool.
- Outbound sender domain is an Accepted Domain of the tenant.
- SPF passes when the message comes to Microsoft 365.
- DKIM on the sender domain passes when the message comes to Microsoft 365.
For relayed messages, we will skip Sender Rewriting Scheme (SRS) rewrite only when incoming email does not pass SPF.
When this change takes effect, you can identify a message was sent via the relay pool by looking at the outbound server IP as seen from the message header from the receiving side by looking at the outbound server name. It will have “rly” in the name.
For the messages to go through the regular pool, you will need to make sure the sender domain of the outbound message matches an Accepted Domain of your tenant when a message arrives to Microsoft Office 365, SPF or DKIM.
For DKIM, make sure you enable DKIM for the sending domain. For example, fabrikam.com is part of contoso.com Accepted Domains, if the sending address is firstname.lastname@example.org, DKIM needs to be enabled for fabrikam.com. Read how to enable DKIM for Microsoft 365 outbound emails.
To add an accepted custom domain, follow the steps in the article Add a domain to Microsoft 365. If an MX record for your domain is pointed to a 3rd party or on-premises server, you should utilize Enhanced Filtering for Connectors to ensure the SPF validation is correct for inbound email to avoid sending email through relay pool.
You can monitor messages routed through the Relay Pool by using the outbound page in the Top Domain Mailflow Status report within Exchange online. For more information, visit Top domain mailflow status report in the new Exchange admin center in Exchange Online. The report includes information on domains and corresponding email volume routed through the relay pool. The report in combination with message trace will help you troubleshoot and rectify any misconfigurations.
To do this you need to copy the domains routed through relay pool from the top domain mailflow report and paste the domains in the message trace report to identify the list of emails.
Message ID: MC559257
No comments yet