Sending Mail Via A Microsoft Office 365 Connector

Overview

Microsoft Office 365 has daily maximum sending limits (total per day) and message send rate limits (how quickly you send) around authenticated SMTP mail delivery, which you can read about in the Related Article named Connecting an SMTP Server for Email Delivery, Send Limits section. Exceeding either of these limits causes mail to fall back to the TeamDynamix default delivery system, which may cause issues with receiving mail, mail being marked as spam, or mail being blocked by antivirus/spam system solutions.

For organizations with higher mail volumes, it may become necessary to create a Microsoft Office 365 Connector to allow for higher mail sending limits. Microsoft does not explicitly publish how much higher the send limits are with a connector, but has assured TeamDynamix that it is "very high" and "unlikely that a single tenant will hit it."

1. Configure a Connector

The first thing needed is to configure the actual Microsoft Office 365 connector. This can be done using the guides in the following Microsoft KB articles and strategies. Before you start, know which type of mail scenario you have.

Mail Scenarios

Typically clients fall into one of two mail delivery scenarios. Which type of connector setup to use will be dependent upon your scenario.

Scenario 1: Internal and External Mail

You send mail both to your Office 365 subscription users and to external addresses/off domain users, such as user@hotmail.com / user@gmail.com / user@someotherexternaldomain.com. In this case, you should use a From My Own Email Servers connector.

While this might seem a little confusing, as mail is technically not coming from your (client) mail server that you own/host, Microsoft has verified that this is the correct setup. TeamDynamix is acting as "your" mail server, so you are telling Microsoft to trust it as a verified sender who can relay to both inside and outside of your subscription.

To set up a from my own email servers connector, use the following instructions:

  1. How to configure mail flow using a connector: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow
    1. Use the strategy for mail flow from my own email servers.
  2. Using a connector from my own email servers: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail
    1. Start at the Part 2: Configure mail to flow from your email server to Microsoft 365 or Office 365 section of the above Microsoft KB, and complete the 1. Set up a connector from your email server to Microsoft 365 or Office 365 subsection.
    2. When using this option, use the options/guides around allowing mail by the sender's IP address.
    3. Do use TLS verification.
    4. Do not use domain or certificate-based verification.
    5. Reference the TeamDynamix IP Addresses article in the Related Articles section to get the list of IP addresses to use. You must allow all IP addresses from this KB. Be sure to use the list for the appropriate region, US or Canada.
  3. Be sure to turn on the connector after creating it.

Scenario 2: Internal Mail Only

You only ever send mail to your Office 365 subscription users. You never send mail to external addresses/off domain addresses, such as user@hotmail.com / user@gmail.com / user@someotherexternaldomain.com. In this case, you could safely use the Partner Organization connector.

Be aware that if you ever do attempt to send mail outside of your Office 365 subscription, it will never deliver and it will never show in your mail flow logs. Microsoft simply does not allow mail from a Partner Organization connector to relay out to the Internet. To switch to Scenario 1, you would need to disable your Partner Organization-based connector and create a new From My Own Email Servers connector.

To set up a partner organization connector, use the following instructions:

  1. How to configure mail flow using a connector: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow
    1. Use the strategy for mail flow with a secure partner organization.
  2. Using a connector with a partner organization: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner
    1. When using this option, use the guides around allowing mail by the sender's IP address.
    2. Do use TLS verification.
    3. Do not use domain or certificate-based verification.
    4. Reference the TeamDynamix IP Addresses article in the Related Articles section to get the list of IP addresses to use. You must allow all IP addresses from this KB. Be sure to use the list for the appropriate region, US or Canada.
  3. Be sure to turn on the connector after creating it.

DNS SPF Record

An SPF record is a Sender Policy Framework record. It’s used to indicate to mail exchanges which hosts are authorized to send mail for a domain. Use the related article named Including TeamDynamix IP Addresses in Your SPF Records to ensure that your connector will not run into SPF check failures after creation.
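One way to confirm that an SPF record authorizes every sending address before relying on the connector (an added example, not TeamDynamix or Microsoft code). The record and addresses below are constructed placeholders from documentation ranges; substitute your domain's published TXT record and the list from the TeamDynamix IP Addresses article. `include:` targets are reported but not resolved, so check them separately.

```python
import ipaddress

# Constructed sample values (documentation ranges), not real TeamDynamix addresses.
SAMPLE_SPF = ("v=spf1 include:spf.protection.outlook.com "
              "ip4:192.0.2.0/28 ip4:198.51.100.25 ~all")
SAMPLE_SENDERS = ["192.0.2.4", "192.0.2.8/30", "198.51.100.25",
                  "198.51.100.26", "2001:db8::25"]

def parse_spf(record):
    """Return (pass_networks, include_domains, all_qualifier) for one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    nets, includes, all_qualifier = [], [], None
    for term in terms[1:]:
        # A mechanism with no qualifier prefix defaults to "+" (pass).
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6") and qualifier == "+":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif name == "include":
            includes.append(value)
        elif name == "all":
            all_qualifier = qualifier
    return nets, includes, all_qualifier

def uncovered_senders(record, senders):
    """List the sender addresses/ranges that no ip4:/ip6: mechanism authorizes."""
    nets, _, _ = parse_spf(record)
    missing = []
    for sender in senders:
        rng = ipaddress.ip_network(sender, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(rng.version == n.version and rng.subnet_of(n) for n in nets):
            missing.append(sender)
    return missing

if __name__ == "__main__":
    _, includes, all_qualifier = parse_spf(SAMPLE_SPF)
    print("uncovered:", uncovered_senders(SAMPLE_SPF, SAMPLE_SENDERS))
    print("check these includes separately:", includes)
    print("policy for unlisted senders:", all_qualifier + "all")
```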

Warm-Up Period

Even though Microsoft's knowledge articles do not state this, it may take up to 24 hours before a new connector is working properly after configuration. This was disclosed by Microsoft support in direct support cases opened with them. This may present as:
  • Mail is not being delivered to any recipients when going through the connector.
  • Mail is not being delivered to external, off-domain recipients when going through the connector.
If the TeamDynamix Admin application lets your connector settings save in the custom email server page and did not present errors when testing emails, you may need to wait the full 24 hour period before testing again. If mail is still not delivering properly after 24 hours, please contact TeamDynamix support who can help verify your settings. At that point, if your settings look correct, they may advise contacting Microsoft for further support.

2. Find Your Microsoft Office 365 Default SMTP Server Name

Next, you need to find the default, client-specific domain to send mail through the connector with. This is going to be something in the format of tenantsubdomain.mail.protection.outlook.com.

  1. Navigate to the Microsoft 365 admin center.
  2. Choose Show All ... in the left navigation to see all Microsoft 365 admin settings if need be.
  3. Choose Settings > Domains.
  4. Click the domain name listed as (default) in the domain list.
    Theoretically this could work with the non-default domain as well. You might legitimately have other domains in Microsoft Office 365 with MX records and want to use one of those to send as instead. In that case, just pick the domain you desire to send mail from, making sure it has an MX record value to pull from.
  5. In the domain details page, choose the DNS Records tab from the tabs across the top.
  6. In the list of DNS records, find the MX record. It should have a Value like 0 tenantsubdomain.mail.protection.outlook.com.
  7. Copy the Value of the MX record, removing the leading 0 and any leading spaces. This is the domain you will use to plug into the TeamDynamix mail server field in the next section.

3. Configure TeamDynamix to Use the Connector for Sending Email

Finally, you need to configure TeamDynamix to actually send mail through your Microsoft Office 365 connector. This section needs to be completed by a full organizational admin in TeamDynamix.

  1. Navigate to the TeamDynamix Admin app (from the main Users app, use the apps menu and choose Admin).
  2. Navigate to Email > Outbound Email Auth Accounts in the left navigation menu of the Admin app.
  3. Click +New to create a new Outbound Email Auth account.
  4. Enter a name for the account.
  5. Choose Basic (SMTP) for Account Type.
  6. Enter a description, if desired, and mark the account as active.
  7. Use the following settings to point TeamDynamix mail at your Microsoft Office 365 connector:
    1. Server
      1. Address: The default SMTP server name from 2. Find Your Microsoft Office 365 Default SMTP Server Name, Step 7.
      2. SMTP Port: 25
      3. Security Mode: Explicit
        Explicit equates to Microsoft's Opportunistic TLS with Exchange Online, also known as STARTTLS. TeamDynamix does not support Implicit or Forced TLS on connectors with certificates. Microsoft Exchange Online absolutely supports opportunistically encrypted connections however, so all communication will happen over TLS after the initial connection is (immediately) upgraded.
      4. Certificate Validation Disabled.
    2. Authentication
      1. Domain: The same domain of your intended SMTP FROM address (the part after the @ symbol, like mycustomdomain.edu).
        This value must be a domain that is listed as an Accepted Domain in Microsoft Office 365 > Admin > Show all ... > Admin centers > Exchange > Mail flow > Accepted Domains. If you attempt to send mail as a domain not listed as an Accepted Domain, Microsoft will either outright reject it, or only deliver mail to accounts within your subscription. In the latter case, external recipients (think Outlook.com, GMail.com, etc. accounts) will never receive this mail. This is considered an invalid setup and is not supported in any way by Microsoft.
      2. SMTP Username: Leave blank
      3. Use SMTP Authentication: Unchecked
        This is very important! Checking this setting will bypass the connector and use authenticated SMTP delivery with its much lower associated daily sending limit.
  8. Save the outbound email auth account, taking note of its name.
  9. Navigate to the Outbound Email Settings page at the same level of the left navigation menu of the Admin app.
  10. Ensure that the Use a custom SMTP server to send email option is selected.
  11. Select the outbound email auth account you created in Step 8 in the Outbound Email Auth Account dropdown.
  12. From Address
    1. Email Address: Your desired SMTP FROM address.
      The domain in the FROM email address must be a domain that is listed as an Accepted Domain in Microsoft Office 365 > Admin > Show all ... > Admin centers > Exchange > Mail flow > Accepted Domains. If you attempt to send mail as a domain not listed as an Accepted Domain, Microsoft will either outright reject it, or only deliver mail to accounts within your subscription. In the latter case, external recipients (think Outlook.com, GMail.com, etc. accounts) will never receive this mail. This is considered an invalid setup and is not supported in any way by Microsoft.
    2. Display Name: The desired SMTP FROM display name. This field is optional. Please refer to the in-page help to decide if you want to set this value.
       
  13. At this point you can save and test your SMTP setup. If you receive mail, it will be coming from your Microsoft Office 365 connector as opposed to an authenticated SMTP account, thus bypassing daily authenticated SMTP sending limits.

Related Articles (1)

How to include TeamDynamix cloud system IP addresses in your SPF records.