Option 1 SMTP client submission:-
(recommended): Authenticate your device or application directly with a Microsoft 365 or Office 365 mailbox, and send mail using SMTP AUTH client submission
This option supports most usage scenarios and it's the easiest to set up. Choose this option when:
You want to send email from a third-party hosted application, service, or device.
You want to send email to people inside and outside your organization.
To configure your device or application, connect directly to Microsoft 365 or Office 365 using the SMTP AUTH client submission endpoint smtp.office365.com.
Each device or application must be able to authenticate with Microsoft 365 or Office 365. The email address of the account that's used to authenticate with Microsoft 365 or Office 365 will appear as the sender of messages from the device or application.
How to set up SMTP AUTH client submission
Enter the following settings directly on your device or in the application as their guide instructs (it might use different terminology than this article). As long as your scenario meets the requirements for SMTP AUTH client submission, the following settings will enable you to send email from your device or application.
How SMTP AUTH client submission works
The following diagram gives you a conceptual overview of what you're environment will look like.
Features of SMTP AUTH client submission
SMTP AUTH client submission allows you to send email to people in your organization as well as outside your company.
This method bypasses most spam checks for email sent to people in your organization. This can help protect your company IP addresses from being blocked by a spam list.
With this method, you can send email from any location or IP address, including your (on-premises) organization's network, or a third-party cloud hosting service, like Microsoft Azure.
Requirements for SMTP AUTH client submission
Authentication: You must be able to configure a user name and password to send email on the device. Note that you cannot use Microsoft Security Defaults or multi-factor authentication (MFA), which disable basic authentication and are designed to protect your users from compromise. If your environment uses Microsoft Security Defaults or MFA, we recommend using Option 2 or 3 below.
Mailbox: You must have a licensed Microsoft 365 or Office 365 mailbox to send email from.
Transport Layer Security (TLS): Your device must be able to use TLS version 1.2 and above.
Port: Port 587 (recommended) or port 25 is required and must be unblocked on your network. Some network firewalls or ISPs block ports, especially port 25.
DNS: You must use the DNS name smtp.office365.com. Do not use an IP address for the Microsoft 365 or Office 365 server, as IP Addresses are not supported.
Limitations of SMTP AUTH client submission
You can only send from one email address unless your device can store login credentials for multiple Microsoft 365 or Office 365 mailboxes. Microsoft 365 or Office 365 imposes a limit of 30 messages sent per minute, and a limit of 10,000 recipients per day.
Option 2: Direct send:-
Send mail directly from your printer or application to Microsoft 365 or Office 365 (direct send)
Choose this option when:
Your environment uses Microsoft Security Defaults or multi-factor authentication (MFA).
SMTP client submission (Option 1) is not compatible with your business needs or with your device.
You only need to send messages to recipients in your own organization who have mailboxes in Microsoft 365 or Office 365; you don't need to send email to people outside of your organization.
Settings for direct send
Enter the following settings on the device or in the application directly.
We recommend adding an SPF record to avoid having messages flagged as spam. If you are sending from a static IP address, add it to your SPF record in your domain registrar's DNS settings as follows:
SPFv=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all
How direct send works
In the following diagram, the application or device in your organization's network uses direct send and your Microsoft 365 or Office 365 mail exchange (MX) endpoint to email recipients in your organization. It's easy to find your MX endpoint in Microsoft 365 or Office 365 if you need to look it up.
Features of direct send
Uses Microsoft 365 or Office 365 to send emails, but does not require a dedicated Microsoft 365 or Office 365 mailbox.
Doesn't require your device or application to have a static IP address. However, this is recommended if possible.
Doesn't work with a connector; never configure a device to use a connector with direct send, this can cause problems.
Doesn't require your device to support TLS.
Direct send has higher sending limits than SMTP client submission. Senders are not bound by the 30 messages per minute or 10,000 recipients per day limit.
Requirements for direct send
Port: Port 25 is required and must be unblocked on your network.
Static IP address is recommended: A static IP address is recommended so that an SPF record can be created for your domain. This helps avoid your messages being flagged as spam.
Does not require a Microsoft 365 or Office 365 mailbox with a license.
Limitations of direct send
Direct send cannot be used to deliver email to external recipients, for example, recipients with Yahoo or Gmail addresses.
Your messages will be subject to antispam checks.
Sent mail might be disrupted if your IP addresses are blocked by a spam list.
Microsoft 365 and Office 365 use throttling policies to protect the performance of the service.
Option 3: SMTP Relay by using Send connector:-
This option is more difficult to implement than the others. Only choose this option when:
Your environment uses Microsoft Security Defaults or multi-factor authentication (MFA).
SMTP client submission (Option 1) is not compatible with your business needs or with your device
You can't use direct send (Option 2) because you must send email to external recipients.
SMTP relay lets Microsoft 365 or Office 365 relay emails on your behalf by using a connector that's configured with your public IP address or a TLS certificate. Setting up a connector makes this a more complicated option.
Settings for Microsoft 365 or Office 365 SMTP relay
We recommend adding an SPF record to avoid having messages flagged as spam. If you are sending from a static IP address, add it to your SPF record in your domain registrar's DNS settings as follows:
SPFv=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all
How Microsoft 365 or Office 365 SMTP relay works
In the following diagram, the application or device in your organization's network uses a connector for SMTP relay to email recipients in your organization.
Features of Microsoft 365 or Office 365 SMTP relay
Microsoft 365 or Office 365 SMTP relay does not require the use of a licensed Microsoft 365 or Office 365 mailbox to send emails.
Microsoft 365 or Office 365 SMTP relay has higher sending limits than SMTP client submission; senders are not bound by the 30 messages per minute or 10,000 recipients per day limits.
Requirements for Microsoft 365 or Office 365 SMTP relay
Static IP address or address range: Most devices or applications are unable to use a certificate for authentication. To authenticate your device or application, use one or more static IP addresses that are not shared with another organization.
Connector: You must set up a connector in Exchange Online for email sent from your device or application.
Port: Port 25 is required and must not be blocked on your network or by your ISP.
Licensing: SMTP relay doesn't use a specific Microsoft 365 or Office 365 mailbox to send email. This means that users must have their own licenses if they send email from devices or applications that are configured for SMTP relay. If you have senders who use a device or LOB application and those senders do not have Microsoft 365 or Office 365 mailbox licenses, obtain and assign an Exchange Online Protection license to each unlicensed sender. This is the least expensive license that allows you to send email via Microsoft 365 or Office 365.
Limitations of Microsoft 365 or Office 365 SMTP relay
Sent mail can be disrupted if your IP addresses are blocked by a spam list.
Reasonable limits are imposed for sending. For more information, see High-risk delivery pool for outbound messages.
Requires static unshared IP addresses (unless a certificate is used).
Comments