SMTP Relay Office 365 is one of the most critical yet misunderstood components of Microsoft 365 email architecture. Whether you’re managing printers, enterprise applications, IoT devices, or legacy systems, understanding SMTP relay Office 365 properly can make the difference between seamless email delivery and constant failures.
In this expert-level guide, I’ll walk you through everything—from fundamentals to advanced architecture—based on real-world engineering scenarios used by L1 to L3 Microsoft 365 professionals.
What is SMTP Relay Office 365?
At its core, SMTP Relay Office 365 refers to sending email messages through Microsoft Exchange Online instead of sending them directly to recipients.
SMTP (Simple Mail Transfer Protocol) is the standard protocol used for sending emails between servers. In relay scenarios, devices or applications pass messages to Exchange Online, which then handles routing and delivery.
Think of it like a courier hub:
- Your app/device = sender
- Exchange Online = sorting facility
- Recipient mailbox = final destination
This centralized approach improves:
- Security
- Deliverability
- Tracking and compliance
Why SMTP Relay Office 365 is Essential
Organizations rely on SMTP Relay Office 365 for multiple critical use cases:
- Sending alerts from monitoring tools
- Printer scan-to-email functionality
- ERP/CRM automated notifications
- IoT device reporting
- Application-generated emails
Many of these systems cannot support modern authentication, making SMTP relay the only viable solution.
How SMTP Relay Works — Step by Step
- Device/app generates email
- Connects to Exchange Online (port 25/587)
- Authentication happens (IP, OAuth, or none)
- Exchange accepts and processes mail
- Email delivered to recipient
During processing:
- SPF validation
- DKIM signing
- DMARC enforcement
All are applied centrally for security and compliance.
| Step | Component | What Happens |
|---|---|---|
| 1 | Device / App | A printer or application generates an email and connects to the relay server on port 25 or 587. |
| 2 | Authentication | Exchange Online verifies the sender by matching the public IP against an inbound connector or checking a TLS certificate. |
| 3 | Acceptance | If authentication passes, Exchange Online accepts the message and queues it for delivery. |
| 4 | Routing | Exchange Online routes the message to the recipient (internal mailbox or external domain). |
| 5 | Delivery | Recipient receives the email. SPF, DKIM, and DMARC checks are applied. |
The 3 SMTP Relay Methods in Office 365
Microsoft Exchange Online supports three distinct methods for devices and applications to send email. Each has its own use case, security model, and limitations. Understanding the three supported methods is crucial for choosing the right architecture.
| Feature | Direct Send | SMTP Client Submission (AUTH) | SMTP Relay (Connector) |
|---|---|---|---|
| Authentication | None (unauthenticated) | OAuth 2.0 / Modern Auth | IP Address or TLS Certificate |
| Port Used | 25 (MX endpoint) | 587 (smtp.office365.com) | 25 (MX endpoint) |
| Internal Recipients | ✔ Yes | ✔ Yes | ✔ Yes |
| External Recipients | ✖ No | ✔ Yes | ✔ Yes |
| Mailbox Required | ✖ No | ✔ Yes (licensed) | ✖ No |
| Connector Required | ✖ No | ✖ No | ✔ Yes |
| DKIM Signing | ⚠ Limited | ✔ Full | ✔ Full |
| Sending Limits | Standard M365 limits | Per-mailbox: 10K recipients/day | Higher; not tied to mailbox |
| Spoofing Risk | 🔴 HIGH | 🟢 Low | 🟢 Low |
| Audit Trail | Minimal | Full (Entra ID + Message Trace) | Full (Connector + Message Trace) |
| Best For | Printers — internal only | Apps with dedicated mailbox | Devices needing external send |
1. Direct Send
- Port: 25
- Authentication: None
- Use Case: Internal emails only
Pros:
- Simple setup
- No authentication required
Cons:
- Cannot send external emails
- High spoofing risk
- Limited auditing
Direct Send works because Exchange Online accepts inbound mail for hosted domains without authentication.
2. SMTP Client Submission (SMTP AUTH)
- Server: smtp.office365.com
- Port: 587
- Authentication: OAuth 2.0
Pros:
- Supports internal + external emails
- Strong authentication (OAuth)
- Full audit trail
Cons:
- Requires licensed mailbox
- Sending limits per mailbox
Important:
As of April 30, 2026, Basic Authentication is permanently disabled. Only OAuth 2.0 is supported.
3. SMTP Relay with Connector (Recommended)
- Port: 25
- Auth: IP address or TLS certificate
- Mailbox required: No
Pros:
- Supports external recipients
- No mailbox/license required
- Higher sending limits
Cons:
- Requires static public IP
- Needs configuration via connector
This is the most powerful and scalable option.
Prerequisites for SMTP Relay Office 365
Before setup, ensure:
- Verified domain in Microsoft 365
- Correct MX record
- Open ports (25 or 587)
- TLS 1.2+ supported
- Proper SPF, DKIM, DMARC configuration
For connector relay specifically:
- Static public IP required
- Inbound connector configured
- IP not blacklisted
Skipping prerequisites is the #1 reason SMTP relay fails.
Universal Prerequisites — All Three Methods
| ✔ | Prerequisite | Why It Matters / How to Check |
|---|---|---|
| ✔ | M365 / Exchange Online Subscription | Any M365 plan including Exchange Online (E1, E3, E5, Business Basic, etc.). EOP alone is sufficient. |
| ✔ | Accepted Domain Verified | The sender domain must be an accepted verified domain in your tenant. Check: EAC → Mail flow → Accepted domains. |
| ✔ | Port Unblocked on Firewall & ISP | Port 25 (relay / Direct Send) or 587 (SMTP AUTH) must be open outbound. Test: Test-NetConnection -ComputerName <MX record> -Port 25 |
| ✔ | TLS 1.2 or Higher on Device / App | Exchange Online dropped support for TLS 1.0 and 1.1. Devices must support TLS 1.2 or higher. |
| ✔ | DNS — MX Record Correct | For Direct Send and Connector Relay, the SMTP host must be your tenant MX record (e.g., contoso-com.mail.protection.outlook.com), NOT smtp.office365.com. |
| ✔ | SPF Record Updated | Your domain SPF record must include the sending IP or Microsoft SPF include. Otherwise, emails may be rejected or go to Junk. |
| ✔ | DKIM Configured (Recommended) | Enable DKIM signing in EAC → Email authentication to ensure message integrity and better deliverability. |
| ✔ | DMARC Record Published | Publish DMARC record: _dmarc.domain.com → v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com |
Additional Prerequisites — SMTP Relay with Connector
| ✔ | Prerequisite | Detail |
|---|---|---|
| ✔ | Static Public IP Address | IP must be static — NOT DHCP/dynamic. Dynamic IPs are not supported for IP-based connectors. |
| ✔ | Inbound Connector Created (OnPremises type) | An Inbound Connector of type OnPremises must exist in Exchange Admin Center with the sending IP or TLS certificate name. |
| ✔ | IP Not on Spam Blocklists | Check your public IP using tools like MXToolbox Blacklist Checker. Listed IPs may be routed to a high-risk delivery pool. |
| ✔ | Sender Address Uses Accepted Domain | The From/Envelope address must use your Microsoft 365 accepted domain. Mailbox is not required — only the domain. |
| ✔ | Do NOT Share the Relay IP | The connector IP acts as a trust token. Never share it externally as others could misuse it to relay emails through your tenant. |
Additional Prerequisites — SMTP AUTH / Client Submission
| ✔ | Prerequisite | Detail |
|---|---|---|
| ✔ | Licensed Exchange Online Mailbox | The sending account must have an Exchange Online license (minimum Plan 1 / Kiosk). Unlicensed accounts cannot use SMTP AUTH. |
| ✔ | SMTP AUTH Enabled on Mailbox | In tenants created after January 2020, SMTP AUTH is disabled by default. Enable per mailbox using PowerShell: Set-CASMailbox -Identity user@domain.com -SmtpClientAuthenticationDisabled $false |
| ✔ | Security Defaults Status Understood | If Security Defaults are enabled in Entra ID, Basic Authentication is blocked for all legacy protocols including SMTP AUTH. |
| ✔ | OAuth 2.0 App Registration (Modern Auth) | Register an application in Microsoft Entra ID to obtain Client ID, Tenant ID, and Client Secret. Grant SMTP.Send permission. |
| ✔ | Port 587 Open Outbound | SMTP AUTH uses smtp.office365.com over port 587. Port 25 is not used for SMTP AUTH. |
| ✔ | SMTP AUTH Not Blocked at Tenant Level | Check using PowerShell: Get-TransportConfig, property SmtpClientAuthenticationDisabled. If True, all mailboxes are blocked. |
Security Defaults — The Hidden Blocker
Security Defaults is a basic security setting in Microsoft Entra ID that:
- Automatically enables Multi-Factor Authentication (MFA) for all users
- Blocks all legacy authentication methods, including Basic Authentication used in SMTP AUTH
This setting is enabled by default for all new Microsoft 365 tenants created after October 2019.
| With Security Defaults ENABLED | With Security Defaults DISABLED |
|---|---|
| SMTP AUTH Basic Auth → ❌ ALWAYS FAILS | SMTP AUTH Basic Auth → ⚠ Deprecated (see Section 5.2) |
| OAuth 2.0 SMTP AUTH → ✔ Works | OAuth 2.0 SMTP AUTH → ✔ Works |
| Connector Relay (IP-based) → ✔ Works | Connector Relay (IP-based) → ✔ Works |
| Direct Send → ✔ Works | Direct Send → ✔ Works |
How to Check Security Defaults Status
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select IsEnabled
Disabling Security Defaults turns off MFA for all users, which reduces security. It is recommended to keep Security Defaults enabled and:
- Use OAuth 2.0 for SMTP AUTH
- Or use Connector-based relay for devices that do not support OAuth
Basic Authentication Deprecation Timeline (SMTP AUTH)
| Date | Event |
|---|---|
| Jan 2020 | New Microsoft 365 tenants: SMTP AUTH disabled organization-wide by default. |
| Late 2022 | Microsoft disabled Basic Authentication for all legacy protocols except SMTP AUTH Client Submission. |
| Sept 2024 | Exchange Admin Center (EAC) updated SMTP AUTH Clients report to show Basic vs OAuth usage. |
| Jan 2025 | Microsoft sent alerts to tenants still using Basic Authentication for SMTP AUTH. |
| March 2026 | Microsoft started gradual rejection of Basic Authentication SMTP AUTH connections. |
| April 30, 2026 | ⚠ FINAL: Basic Authentication permanently disabled for all SMTP AUTH Client Submission (Error: 550 5.7.30). |
| Post April 2026 | Supported methods: OAuth 2.0 SMTP AUTH, Connector Relay, Direct Send, Azure Communication Services, High Volume Email. |
What Is Direct Send? Deep Dive
Direct Send is a method where a device or application sends emails directly to Microsoft 365 using your domain’s MX record (mail server) on port 25, without using any username or password.
In simple words:
- No login required
- No authentication needed
- Just send email directly to Exchange Online
Exchange Online accepts these emails because they are sent to a mailbox inside your Microsoft 365 tenant, just like normal internet email delivery works.
Easy Example (Real-Life Analogy)
Think of your MX record like a mailbox outside your office building.
- Anyone who knows your address can drop a letter into it
- No identity check is required
- The mail still gets delivered inside
Direct Send works the same way — the device sends email as if it were an external mail server.
Why Direct Send Exists (Design Purpose)
Direct Send was created to support older devices and simple systems.
Key Reasons:
- Many older devices (like printers, scanners, network tools) do not support modern authentication
- These devices need a simple way to send emails without configuring usernames or passwords
- Email systems are designed to accept messages sent to their mailboxes from anywhere
- Direct Send uses this standard email behavior, so no extra setup is required
Direct Send — Complete Workflow
| Stage | Icon | Technical Detail |
|---|---|---|
| Device / Printer | 🖨️ | Generates an email. From address is set (for example: printer@contoso.com). No actual mailbox is required. |
| DNS MX Lookup | 🔍 | The device looks up the MX record of the domain. Example result: contoso-com.mail.protection.outlook.com |
| TCP Connection | 🌐 | The device connects to the MX endpoint on port 25. TLS is optional (STARTTLS if supported). |
| SMTP Handshake | 🤝 | The device sends EHLO. Exchange Online responds. No authentication is required. |
| MAIL FROM / RCPT TO | 📧 | The device sends sender and recipient addresses. Exchange checks if the recipient mailbox exists. |
| DATA Accepted | 📨 | The message body is sent and accepted. No connector or IP validation is performed. |
| EOP Filtering | 🛡️ | Exchange Online Protection scans the email for spam, malware, and policy compliance. |
| Delivered to Mailbox | 📬 | The email is delivered to the inbox (or Junk folder if SPF/DMARC fails). |
| External Rejected | ❌ | If the recipient is external, the email is rejected with error: 550 5.7.64 Relay Access Denied. |
Direct Send — Technical Reference
| Property | Value / Detail |
|---|---|
| SMTP Host to Configure | Your tenant’s MX record (e.g., contoso-com.mail.protection.outlook.com) — NOT smtp.office365.com |
| Port | 25 (TCP) |
| Authentication | None — completely unauthenticated |
| TLS | Optional — STARTTLS may be used if the device supports it |
| Internal Recipients | ✅ Yes — any mailbox within your Microsoft 365 domain |
| External Recipients | ❌ No — emails are rejected with error: 550 5.7.64 Relay Access Denied |
| Mailbox Required | ❌ No — the sender address only needs to belong to an accepted domain |
| License Required | ❌ No |
| Connector Required | ❌ No |
| Sending Limits | Standard Exchange Online limits apply (e.g., 50 MB per message) |
| DKIM Signing | ⚠ Limited — messages may not be DKIM signed |
| Spoofing Risk | 🔴 HIGH — anyone with your MX record can send emails using your domain |
Direct Send — Printer Setup (Step by Step)
| Step | Action | Details |
|---|---|---|
| 1 | Find your Exchange Online MX Record | Go to Microsoft 365 Admin Center → Settings → Domains → select your domain → copy the MX record (example: contoso-com.mail.protection.outlook.com). |
| 2 | Configure Printer SMTP Settings | SMTP Server: contoso-com.mail.protection.outlook.com; Port: 25; Authentication: None / Anonymous; From Address: printer@contoso.com (accepted domain, mailbox not required). |
| 3 | Verify Port 25 Outbound | Ensure port 25 is open on your network. Test using: Test-NetConnection -ComputerName contoso-com.mail.protection.outlook.com -Port 25 |
| 4 | Update SPF Record | Add the device public IP to your SPF record: v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all |
| 5 | Test | Send a test email (for example, scan a document). Verify delivery and check Message Trace in Exchange Admin Center. |
Direct Send — Security Risks & Mitigations
Direct Send is actively exploited by attackers to deliver spoofed emails into Microsoft 365 inboxes. Because no authentication is required, anyone who finds your MX record can send email claiming to be from ceo@yourcompany.com to your internal staff.
| Risk | Mitigation |
|---|---|
| Spoofed internal email (CEO/Finance fraud – BEC attack) | Enable DMARC with p=quarantine or p=reject. Configure SPF with -all (hard fail). |
| Spam or malware delivery bypassing filters | Enable the “Reject Send” feature (April 2025) to block all unauthenticated Direct Send messages. |
| Anyone with MX record can spoof internal addresses | Create transport rules to reject emails claiming @yourdomain.com from external IPs. Whitelist trusted device IPs (e.g., printers). |
| No accountability / no audit trail | Switch to Connector-based SMTP relay (IP-authenticated) for full message tracking with connector name and source IP logging. |
The ‘Reject Send’ feature (introduced April 2025) allows tenants to disable Direct Send entirely. Enable it in: Exchange Admin Center → Settings → Mail flow → Reject unauthenticated messages. Tenants that do not need Direct Send should enable this as a security hardening measure.
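As an added example (not code from the original post), the following Python script models the SPF and DMARC checks that decide what happens to an unsigned Direct Send message, using the SPF record from the printer setup above. DNS answers come from a constructed in-memory table (the spf.protection.outlook.com entry is a simplified stand-in, not Microsoft's real record), and the disposition logic is a simplified model of the outcomes the text describes: SPF pass delivers, otherwise the DMARC p= policy decides.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains and records).
# The spf.protection.outlook.com entry is a simplified stand-in, not Microsoft's real record.
SPF_RECORDS = {
    "contoso.com": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all",
    "contoso-hard.com": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the domain's SPF record for the connecting IP.

    Supports ip4 / ip6 / include / all, which covers the record used in the
    printer setup; any other mechanism yields permerror rather than a guess.
    """
    if depth > 10:                       # RFC 7208 limit on nested lookups
        return "permerror"
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # A bare ip4:203.0.113.10 is a /32; IPv4 vs IPv6 mismatches simply don't match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if check_spf(arg, client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"                     # nothing matched and no 'all' term present


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=quarantine; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def direct_send_disposition(domain, client_ip, dmarc_txt, records=SPF_RECORDS):
    """Simplified model of what EOP does with an unsigned Direct Send message.

    Direct Send mail is typically not DKIM-signed, so DMARC can only pass via
    aligned SPF. Without an SPF pass, the DMARC 'p=' policy decides; with no
    policy published, a failed/softfailed SPF lands the message in Junk.
    """
    spf = check_spf(domain, client_ip, records)
    if spf == "pass":
        return "deliver"
    policy = parse_dmarc(dmarc_txt).get("p", "none").lower() if dmarc_txt else "none"
    if policy == "reject":
        return "reject"
    if policy == "quarantine":
        return "quarantine"
    return "junk" if spf in ("fail", "softfail") else "deliver"


if __name__ == "__main__":
    # The listed printer IP passes; an unlisted source only gets stopped by a DMARC policy.
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, check_spf("contoso.com", ip),
              direct_send_disposition("contoso.com", ip, "v=DMARC1; p=quarantine"))
```

Run it to compare the two SPF records: with ~all an unlisted sender only softfails, while -all plus p=reject is what actually stops a spoofed message.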
What Is SMTP AUTH? Deep Dive & OAuth 2.0 Workflow
SMTP AUTH (Authenticated SMTP), also called Client Submission, allows a device or application to send emails through Exchange Online by logging in using a valid mailbox (user identity).
It connects to smtp.office365.com and uses authentication (OAuth 2.0).
Unlike Direct Send or Connector Relay — which verify the device based on its network (IP or location) — SMTP AUTH confirms the sender using a user account (identity-based authentication).
SMTP AUTH is the equivalent of logging in to an email account to send mail — just like Outlook or a mobile app does. The device uses a mailbox identity and authenticates via OAuth 2.0 token. Exchange Online verifies the identity and permits sending.
Historical Context & Basic Auth Deprecation
| Era | How SMTP AUTH Worked |
|---|---|
| Pre-2020 | Used Basic Authentication where devices sent username and password (base64 encoded) in every SMTP session. Simple but insecure. |
| 2020–2023 | Microsoft started deprecating Basic Authentication. SMTP AUTH remained the last supported legacy protocol. |
| 2023–2026 | Basic Auth was still available, but OAuth 2.0 support was introduced. New tenants had SMTP AUTH disabled by default. |
| April 30, 2026 | ⚠ Final: Basic Authentication permanently removed for SMTP AUTH. Only OAuth 2.0 is supported going forward. |
| Post-2026 | Supported methods include: OAuth 2.0 SMTP AUTH, Connector Relay, Direct Send, Azure Communication Services, High Volume Email (HVE). |
SMTP AUTH — OAuth 2.0 Workflow Step by Step
| Stage | Icon | Technical Detail |
|---|---|---|
| App Registration | 🏢 | Register app in Microsoft Entra ID with SMTP.Send permission. Get Client ID, Tenant ID, and Client Secret. |
| OAuth Token Request | 🎟️ | Send HTTP POST request to: login.microsoftonline.com/{TenantID}/oauth2/v2.0/token. Returns access token (JWT). |
| TCP Connection | 🔌 | Connect to smtp.office365.com using port 587. |
| EHLO Handshake | 🤝 | Send EHLO command. Server responds with supported features including AUTH XOAUTH2. |
| STARTTLS | 🔐 | Start TLS encryption (TLS 1.2/1.3). All communication becomes secure. |
| XOAUTH2 Authentication | 🎫 | Send AUTH XOAUTH2 with access token. Exchange validates token and identity. |
| 235 Authenticated | ✅ | Server returns: 235 Authentication successful. Session is authenticated as the mailbox user. |
| MAIL FROM / RCPT TO | 📧 | Send sender and recipient addresses. Supports both internal and external recipients. |
| DATA & Delivery | 📨 | Email content is submitted. Exchange applies filtering, DKIM signing, and delivers message. |
| Audit Logging | 📊 | Entra ID logs authentication. Message Trace shows mailbox as authenticated sender. |
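The token request and XOAUTH2 exchange from the workflow above, as an added Python example that is not part of the original post. The client-credentials scope https://outlook.office365.com/.default is an assumption (the page only names the SMTP.Send permission); tenant ID, client ID, client secret and addresses are placeholders you supply from your own app registration.

```python
import base64
import json
import smtplib
import ssl
import urllib.parse
import urllib.request
from email.message import EmailMessage

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SMTP_HOST = "smtp.office365.com"
SMTP_PORT = 587
# Assumption: resource scope used when requesting an app-only token for SMTP AUTH.
SCOPE = "https://outlook.office365.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the client-credentials token POST."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def fetch_access_token(tenant_id, client_id, client_secret):
    """POST to the v2.0 token endpoint and return the bearer access token (JWT)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def xoauth2_sasl_string(user, access_token):
    """Raw SASL XOAUTH2 client response: user=<upn>^Aauth=Bearer <token>^A^A."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_initial_response(user, access_token):
    """Base64 form that goes on the wire as: AUTH XOAUTH2 <this string>."""
    return base64.b64encode(xoauth2_sasl_string(user, access_token).encode()).decode()


def _xoauth2_authobject(user, access_token):
    """Callback for smtplib.SMTP.auth(), which base64-encodes whatever we return."""
    def authobject(challenge=None):
        if challenge is None:
            return xoauth2_sasl_string(user, access_token)
        # A 334 challenge after XOAUTH2 carries a base64 JSON error; an empty
        # reply ends the exchange so the server can send its final 535.
        return ""
    return authobject


def send_via_smtp_auth(user, access_token, to_addr, subject, body_text):
    """EHLO -> STARTTLS -> EHLO -> AUTH XOAUTH2 -> MAIL FROM / RCPT TO / DATA on 587."""
    msg = EmailMessage()
    msg["From"] = user
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body_text)

    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # Exchange Online rejects TLS 1.0/1.1

    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()                                  # AUTH is only usable once TLS is up
        if "XOAUTH2" not in smtp.esmtp_features.get("auth", "").upper():
            raise RuntimeError("server did not advertise AUTH XOAUTH2")
        code, reply = smtp.auth("XOAUTH2", _xoauth2_authobject(user, access_token))
        if code != 235:                              # 235 = Authentication successful
            raise smtplib.SMTPAuthenticationError(code, reply)
        return smtp.send_message(msg)                # {} means every recipient was accepted


if __name__ == "__main__":
    # Placeholders: replace with the values from your Entra ID app registration.
    token = fetch_access_token("<tenant-id>", "<client-id>", "<client-secret>")
    print(send_via_smtp_auth("relay@contoso.com", token, "user@contoso.com",
                             "SMTP AUTH test", "Sent with OAuth 2.0 / XOAUTH2"))
```

A failed token (wrong scope, expired, or SMTP AUTH disabled on the mailbox) surfaces as SMTPAuthenticationError with the server's 535 reply, which is the first thing to read when troubleshooting.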
SMTP AUTH — Technical Reference
| Property | Value / Detail |
|---|---|
| SMTP Host | smtp.office365.com (NOT the MX record) |
| Port | 587 (STARTTLS) preferred; 465 (Implicit TLS) for legacy clients |
| Authentication | OAuth 2.0 (XOAUTH2) — mandatory after April 30, 2026 |
| TLS Required | ✅ Yes — minimum TLS 1.2 (TLS 1.0 and 1.1 not supported) |
| Internal Recipients | ✅ Yes |
| External Recipients | ✅ Yes |
| Mailbox Required | ✅ Yes — licensed Exchange Online mailbox required |
| License Required | ✅ Yes — minimum Exchange Online Plan 1 (Kiosk) |
| MFA Compatibility | ✅ Fully compatible with MFA and Conditional Access (using OAuth 2.0) |
| Sending Limits | 10,000 recipients per day per mailbox; maximum 500 recipients per message; throttle: 30 messages per minute |
| DKIM Signing | ✅ Yes — full DKIM signing on outbound emails |
| Connector Required | ❌ No |
Enable SMTP AUTH — Step by Step
Step 1: Check Organisation-Level Status
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Get-TransportConfig | Select SmtpClientAuthenticationDisabled
True = SMTP AUTH blocked for all mailboxes | False = allowed
Step 2: Enable at Organisation Level (if needed)
Set-TransportConfig -SmtpClientAuthenticationDisabled $false
Step 3: Enable per Mailbox
Set-CASMailbox -Identity sender@contoso.com -SmtpClientAuthenticationDisabled $false
Step 4: Verify the Setting
Get-CASMailbox -Identity sender@contoso.com | Select SmtpClientAuthenticationDisabled
Should return: False (meaning SMTP AUTH is enabled for this mailbox)
Step 5: Verify Security Defaults (for context)
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select IsEnabled
SMTP Relay Office 365 Setup (Connector Method)
What Is Connector-Based SMTP Relay
SMTP Relay with Connector is the most flexible way to send emails.
In this method, an admin creates an Inbound Connector in Exchange Online that trusts a device based on:
- Its public IP address, or
- A TLS certificate
The device does not need any mailbox or login.
It can send emails to both internal and external recipients.
Think of Connector Relay like a recognised courier company delivering parcels to your office. Security lets them in because they are on the approved vendor list — no individual ID check is needed.
IP-Based vs Certificate-Based Authentication
| Property | IP-Based Authentication | Certificate-Based Authentication |
|---|---|---|
| Authentication Method | Static public IP address | TLS client certificate (CN or SAN matching) |
| Requirement | Static / fixed public IP | Certificate issued by a trusted CA |
| When to Choose | On-premises devices with fixed IPs | Cloud apps, dynamic IPs, or compliance requirements |
| Change Sensitivity | Fails if IP address changes | Works as long as the certificate is valid |
| Security Level | Good (network-based security) | Strong (identity-based with encryption) |
Create a Connector — Step by Step (IP-Based)
| Step | Action | Details |
|---|---|---|
| 1 | Identify the Static Public IP | Find the public IP address from which the device/server will connect to Exchange Online. Confirm with your ISP that it is a static IP. |
| 2 | Log in to Exchange Admin Center | Go to https://admin.cloud.microsoft/exchange# → Mail flow → Connectors → + Add connector. |
| 3 | Configure Connection Direction | Set: Connection from: Your organization’s email server; Connection to: Office 365 |
| 4 | Name and Authenticate | Give a name to the connector (example: SMTP-Relay-Printers). Select authentication method: Verify by IP address and enter the static public IP. |
| 5 | Set Security Restrictions | Enable: Reject messages if not sent over TLS. Set sender domains to * to allow any accepted domain as From address. |
| 6 | Save and Test | Save the connector. Configure your device to use the MX endpoint on port 25 with no authentication. Test by sending an email to an external recipient. |
Connector — Technical Reference
| Property | Value / Detail |
|---|---|
| SMTP Host to Configure | Your tenant MX record (e.g., contoso-com.mail.protection.outlook.com) |
| Port | 25 (TCP) |
| Authentication | None at SMTP level — authentication is handled by the connector (IP or TLS certificate) |
| TLS | Recommended — enable TLS using RequireTls $true on the connector |
| Internal Recipients | ✅ Yes |
| External Recipients | ✅ Yes |
| Mailbox Required | ❌ No — any accepted domain address can be used as sender |
| License Required | ❌ No |
| Sending Limits | Higher than SMTP AUTH; not limited to a mailbox |
| DKIM Signing | ✅ Yes — if sender domain is configured with DKIM |
| Audit Trail | ✅ Full — connector name appears in Message Trace |
Submission vs Connector-Based Relay
This is one of the most frequently misunderstood topics in Exchange Online mail flow. Understanding the difference between these two architectures is critical for L2 and L3 engineers.
Submission (SMTP AUTH / Client Submission)
In Submission-based relay, the device or application acts like an email client — it logs in to Exchange Online using a mailbox identity and submits the message on behalf of that mailbox.
| Characteristic | Detail |
|---|---|
| Protocol | SMTP AUTH with OAuth 2.0 |
| Port | 587 (STARTTLS) |
| Authentication Method | App registration (Microsoft Entra ID) or per-user credentials |
| Mailbox Required | ✅ Yes — licensed Exchange Online mailbox |
| Sending Scope | ✅ Internal and external recipients |
| Sending Limits | 10,000 recipients per day per mailbox |
| DKIM / SPF | Applied using the authenticated mailbox’s domain |
| Message Tracking | ✅ Full message trace available in Exchange Admin Center |
| When to Use | Applications that need to send email on behalf of a user or shared mailbox |
Submission is like handing a parcel to a postal worker at the counter and giving your ID. The parcel is accepted in your name and tracked under your account.
Connector-Based Relay
In Connector-based relay, the device connects to Exchange Online as if it were another email server (not a client). It does not authenticate with a username/password. Exchange Online recognises the device by its IP address or TLS certificate via an Inbound Connector.
| Characteristic | Detail |
|---|---|
| Protocol | Anonymous SMTP (no user authentication) |
| Port | 25 (MX endpoint) |
| Authentication Method | Static public IP address or TLS certificate |
| Mailbox Required | ❌ No — any accepted domain address can be used as sender |
| Sending Scope | ✅ Internal and external recipients |
| Sending Limits | Higher than SMTP AUTH — not tied to a mailbox |
| DKIM / SPF | Applied if sender domain matches an accepted domain |
| Message Tracking | ✅ Full trace available — connector name appears in message trace |
| When to Use | Printers, scanners, IoT devices, and legacy applications without modern authentication support |
Connector relay is like a recognised courier company delivering parcels to your office. Security lets them in because they are on the approved vendor list — no individual ID check needed.
Key Audit & Compliance Differences
Both methods provide message tracking via Get-MessageTrace. However:
- Connector relay messages show the connector name and ‘Receive type: Connector’ in the trace — easy to identify device-originated mail.
- SMTP AUTH messages appear as sent from the authenticated mailbox, with OAuth app details in enhanced trace data.
- Connector relay creates inbound connector activity entries reviewable in Purview Audit logs.
- SMTP AUTH via OAuth creates Entra ID sign-in logs for the app identity — a richer audit trail for SOX or HIPAA compliance.
SMTP Relay vs SMTP AUTH – Key Differences
| Feature | SMTP AUTH | Connector Relay |
|---|---|---|
| Auth Type | OAuth 2.0 | IP / TLS |
| Mailbox Required | Yes | No |
| Port | 587 | 25 |
| External Email | Yes | Yes |
| Limits | Per mailbox | Higher |
| Best For | Apps with auth | Devices/legacy system |
Real-World Use Case
Printers sending to external users
→ Use Connector Relay
Monitoring tools (internal only)
→ Use Direct Send
Cloud apps (OAuth capable)
→ Use SMTP AUTH
Legacy apps (no OAuth support)
→ Migrate to Connector Relay
Troubleshooting SMTP Relay Office 365
Common Errors
| Error | Meaning | Fix |
|---|---|---|
| 550 5.7.54 | Relay denied | Check connector IP |
| 535 5.7.3 | Auth failed | Fix OAuth config |
| 550 5.7.30 | Basic Auth blocked | Use OAuth |
| Timeout | Port blocked | Open firewall |
Quick Troubleshooting Steps
- Test connectivity (port 25/587)
- Validate configuration
- Check message trace
- Verify connector settings
- Confirm SPF/DKIM
Best Practices for SMTP Relay Office 365
- Always use Connector Relay for devices
- Use OAuth for applications
- Avoid Direct Send where possible
- Implement SPF, DKIM, DMARC
- Monitor logs using Message Trace
- Never expose relay IP publicly
Future of SMTP Relay in Office 365
Key trends:
- Basic Auth permanently removed (2026)
- OAuth-first authentication
- Increased security enforcement
- Growth of API-based email services
Organizations must modernize SMTP architecture to stay compliant and secure.
SMTP Relay Interview Questions with Answers
L2 (Intermediate)
1. What are the three methods to send email from a device or application in Exchange Online?
Answer:
- Direct Send – No authentication, only internal recipients, uses MX endpoint on port 25
- SMTP Client Submission (SMTP AUTH) – Uses OAuth 2.0, requires licensed mailbox, supports internal & external recipients, port 587
- SMTP Relay with Connector – Authenticated using IP or TLS certificate, no mailbox required, supports internal & external recipients.
2. What is the difference between port 25 and port 587?
Answer:
- Port 25: Used for server-to-server communication (Direct Send / Connector Relay), no user authentication.
- Port 587: Used for SMTP AUTH (Client Submission), requires OAuth authentication and STARTTLS.
3. A printer sends emails internally but not externally — why?
Answer:
- Cause: It is configured with Direct Send
- Fix:
- Use SMTP Relay with connector (if no auth support)
- Or use SMTP AUTH (if OAuth supported)
4. What is an Inbound Connector?
Answer:
An Inbound Connector is a configuration in Exchange Online that allows trusted sources (based on IP or certificate) to relay email. Without it, external relay is not allowed.
5. What happened to Basic Authentication for SMTP AUTH?
Answer:
Basic Authentication was permanently disabled on April 30, 2026. Only OAuth 2.0 is supported now.
See also: Deprecation of Basic authentication in Exchange Online.
6. How do you enable SMTP AUTH for a mailbox?
Answer:
Set-CASMailbox -Identity user@domain.com -SmtpClientAuthenticationDisabled $false
This enables SMTP AUTH at mailbox level.
7. What is error 550 5.7.54 in connector relay?
Answer:
- Meaning: Unable to relay → IP not matching connector
- Fix: Add/update correct public IP in Inbound Connector
8. What is Direct Send and its risk?
Answer:
- Direct Send = unauthenticated email via MX record
- Risk: High spoofing, attackers can send fake internal emails
- Fix: Use DMARC, SPF, or disable Direct Send
9. How do you perform a message trace?
Answer:
- Go to: Exchange Admin Center → Mail flow → Message trace
- Or use PowerShell:
Get-MessageTraceV2
Shows delivery status, connector info, errors
10. What is STARTTLS vs Implicit TLS?
Answer:
- STARTTLS: Starts unencrypted then upgrades to TLS (port 587)
- Implicit TLS: Encrypted from start (port 465)
11. What prerequisites are required for SMTP Relay?
Answer:
- Verified accepted domain in Microsoft 365 and a correct MX record
- Port 25 (Direct Send / Connector Relay) or 587 (SMTP AUTH) open outbound
- TLS 1.2 or higher supported on the device or application
- SPF, DKIM, and DMARC configured for the sending domain
- For connector relay: a static public IP that is not on spam blocklists, and an Inbound Connector configured for that IP or TLS certificate
12. What does RestrictDomainsToIPAddresses $true do?
Answer:
Ensures only allowed IP addresses can send mail for specified domains. Prevents spoofing from unauthorized sources.
L3 (Advanced)
13. How do you design SMTP relay for dynamic IP devices?
Answer:
- Use certificate-based relay, OR
- Use SMTP AUTH (OAuth), OR
- Deploy local SMTP relay server (e.g., Postfix) with static IP
14. How do SPF, DKIM, and DMARC work with connector relay?
Answer:
- SPF checks sending IP
- DKIM signs outgoing mail
- DMARC checks alignment
Failure occurs if SPF/DKIM misconfigured or not aligned
15. Difference between SMTP AUTH and Connector Relay (audit)?
Answer:
- SMTP AUTH: Logged under mailbox + Entra ID sign-in
- Connector Relay: Shows connector name in message trace
Both support auditing, but SMTP AUTH has richer identity tracking
16. Users receiving spoofed emails — cause and fix?
Answer:
- Cause: Direct Send abuse
- Fix:
- Enable DMARC (reject/quarantine)
- Add transport rules
- Disable Direct Send
- Move to connector relay
17. IP-based vs Certificate-based relay?
Answer:
- IP-based: Uses static IP, simpler
- Certificate-based: Uses TLS certificate, more secure
- Choose cert when IP is dynamic or for compliance needs
18. Explain full mail flow via connector relay
Answer:
- Device connects to MX (port 25)
- Connector validates IP
- Exchange accepts message
- Applies spam filtering + DKIM
- Routes to external recipient server
- Delivered successfully
19. How to design high availability for SMTP relay?
Answer:
- Use multiple relay servers
- Load balancing (DNS/VIP)
- Configure redundancy (Exchange connectors)
- Monitor queues
- Exchange Online handles cloud HA automatically
20. How to migrate from Basic Auth to OAuth?
Answer:
- Identify apps using Basic Auth
- Categorize support for OAuth
- Migrate supported apps to OAuth
- Move others to connector relay
- Disable Basic Auth globally
- Monitor and validate logs
FAQ – SMTP Relay Office 365
1. What is SMTP Relay Office 365 used for?
It is used to send emails from devices or applications through Microsoft 365 instead of sending directly.
2. Which SMTP relay method is best?
Connector-based SMTP relay is best for most enterprise scenarios due to flexibility and security.
3. Can SMTP Relay Office 365 send external emails?
Yes—only SMTP AUTH and Connector Relay support external email delivery.
4. Is SMTP AUTH still supported?
Yes, but only with OAuth 2.0. Basic Authentication is permanently disabled after April 2026.
See also: Deprecation of Basic authentication in Exchange Online.
5. Why does my SMTP relay fail?
Common causes:
- Incorrect IP in connector
- Port blocked
- SMTP AUTH disabled
- SPF misconfiguration
6. Is Direct Send safe in SMTP Relay Office 365?
No. It has a high risk of spoofing and should be avoided unless necessary.
7. Does SMTP Relay Office 365 require a license?
- SMTP AUTH → Yes
- Connector Relay → No
- Direct Send → No
Final Thoughts
SMTP Relay Office 365 is not just a configuration—it’s a core part of enterprise email infrastructure. Choosing the right method impacts security, scalability, and deliverability.
If you’re designing a modern architecture in 2026:
- Use OAuth wherever possible
- Use connectors for legacy systems
- Eliminate Direct Send risk
Mastering SMTP relay puts you in the top tier of Microsoft 365 engineers.