SMTP Relay options in Office 365

In Office 365, you can use SMTP submission, direct send, or SMTP relay to allow a multifunction device, printer, or application to send email using Office 365 and Exchange Online.

This could be a necessary to use in many cases, for example, you have a multi-functional printer, scanner, LOB Application like SAP, ERP, HR Management System or literally any line of business application which needs to send email notifications out to your recipients - inside or outside of your domains.

There are three main methods of sending an email, and 4th one which includes setting up IIS server which can be configured to use any of the three options. Here is what they are and what are the limits for each of the method.

1. Client Submission method
2. Direct Send
3. Office 365 SMTP Relay
4. Indirect Client Submission Method (IIS based Relay)

Method	What it means	Prerequisite	Features	Limitation
SMTP Client Submission	Authenticate your device or application directly with an Office 365 mailbox. The device or application uses an email account to send email to recipients just like an email client. IMPORTANT: Use one service account for not more than 3 applications/devices in SMTP Client Submission Method.	Sender must have a licensed mailbox in O365. SMTP and TLS capabilities for the application. Port 587 (or 25 on alternate configuration) unlocked on network.	Send email anywhere – inside or outside of the organization. Bypass most spam checks for ‘your’ users. Send from any location or IP. Send from third-party cloud hosting service, like Microsoft Azure	Device or application server must support TLS 30 messages sent per minute throttle. 10,000 recipients per day limit.
Direct Send	Send mail directly from your printer or application.	Port 25 must be unlocked. Static IP is recommended SPF record should be configured for domain	No user credential to be configured. No TLS support required for device. Senders are not bound by the 30 messages per minute or 10,000 recipients per day limit.	No mail delivery to external recipients.
Office 365 SMTP Relay	Send email by relaying them through SMTP relay. Office 365 authenticates the emails you submit by originating IP address you configure when creating a connector for the purpose.	Port 25 must be unlocked. Office 365 Connector Static IP or IP range is necessary (when not using certificate). SPF record should be configured for domain	No user credential to be configured. Can be used to send email to anybody, in	Mail transfer will disturb if IP gets black-listed in spam list. Reasonable Sending limits are imposed.
IIS based Relay	When you need client submission but it not supported by device	Same as Client submission, AND IIS Server to host SMTP relay service	Can be used in almost all scenarios	Same as client submission method.

SMTP Client Submission Method (Recommended)

In this scenario, the device or application uses an email account to send email to recipients just like an email client. Configure your device or application to authenticate with an Office 365 mailbox, and use SMTP client submission.

IMPORTANT: Use one service account for not more than 3 applications/devices in SMTP Client Submission Method.

If your device or application can authenticate and send email using an Office 365 mailbox account, this is the recommended method.

Each device or application can have its own sender address, or all devices can use one address, such as printer@contoso.com. If you want to send email from a third-party hosted application or service, you must use SMTP client submission. In this scenario, the device or application connects directly to Office 365 using the SMTP client submission endpoint smtp.office365.com.

Prerequisites of Client Submission method

• Sender must have a licensed mailbox in O365.
• SMTP and TLS capabilities for the application.
• Port 587 (or 25 on alternate configuration) unlocked on network.

Limits for Client Submission method

• Device or application server must support TLS
• 30 messages sent per minute throttle.
• 10,000 recipients per day limit

How to configure SMTP client submission

Devices and applications vary in functionality and terminology use. However, these configuration settings will help you set up SMTP client submission.

• Authentication: You must be able to configure a user name and password to send email on the device.
• Mailbox: You must have a licensed Office 365 mailbox to send email from.
• Transport Layer Security (TLS): Your device must be able to use TLS version 1.0 and above.
• Port: Port 587 (recommended) or port 25 is required and must be unblocked on your network.

Enter the settings directly on the device or in the application as the device guide or manual instructs.

Device or Application setting	Value
Server/smart host	smtp.office365.com
Port	Port 587 (recommended) or port 25
TLS/ StartTLS	Enabled
Username/email address and password	Login credentials of hosted mailbox being used

Direct Send

If the device or application is only sending email to your own Office 365 users and SMTP client submission is not an option, this is the simplest method. There is no Office 365 configuration needed. However, in this case, Office 365 does not relay messages for external recipients and will only deliver to your hosted mailboxes. If your device sends an email to Office 365 that is for a recipient outside your organization, the email will be rejected.

In the following diagram, the application or device in your organization’s network uses direct send and your Office 365 mail exchange (MX) endpoint to email recipients in your organization. It's easy to find your MX endpoint in Office 365 if you need to look it up.

Prerequisites for Direct Send

• Port: Port 25 is required and must be unblocked on your network.
• Static IP address is recommended: A static IP address is recommended so that an SPF record can be created for your domain. This helps avoid your messages being flagged as spam.

Limits of Direct Send

• Direct send cannot be used to deliver email to external recipients, for example, recipients with Yahoo or Gmail addresses.
• Your messages will be subject to antispam checks.
• Sent mail might be disrupted if your IP addresses are blocked by a spam list.
• Office 365 uses throttling policies to protect the performance of the service.

How to configure Direct Send

Simply, configure the device to send email to the MX record for one of your domains on port 25. The emails send to office 365 hosted mailboxes of your organization will be delivered. Any email send to an outsider will be rejected.

Office 365 SMTP Relay

Office 365 SMTP relay is very similar to direct send except that it can send mail to external recipients. 

You configure a connector so your device or application can send email to Office 365. Office 365 can then relay email to your organization mailboxes and to external recipients.

In the following diagram, the application or device in your organization’s network uses a connector for SMTP relay to email recipients in your organization.

Important: The Office 365 connector that you configure authenticates your device or application with Office 365 using an IP address. Your device or application can send email using any address (including ones that can't receive mail), as long as the address uses one of your Office 365 domains. The email address doesn’t need to be associated with an actual mailbox. For example, if your domain is contoso.com, you could send from an address like do_not_reply@contoso.com.

Requirements for Office 365 SMTP relay

• Static IP address or address range: Most devices or applications are unable to use a certificate for authentication. To authenticate your device or application, use one or more static IP addresses that are not shared with another organization.
• Connector: You must set up a connector in Exchange Online for email sent from your device or application.
• Port: Port 25 is required and must not be blocked on your network or by your ISP.
• Licensing: SMTP relay doesn’t use a specific Office 365 mailbox to send email. This is why it’s important that only licensed users send email from devices or applications configured for SMTP relay. If you have senders using devices or LOB applications who don’t have an Office 365 mailbox license, obtain and assign an Exchange Online Protection license to each unlicensed sender. This is the least expensive license that allows you to send email via Office 365.

Limitations of Office 365 SMTP Relay

• Sent mail can be disrupted if your IP addresses are blocked by a spam list.
• Reasonable limits are imposed for sending. For more information, see Higher Risk Delivery Pool for Outbound Messages.
• Requires static unshared IP addresses (unless a certificate is used).

How to Configure SMTP Relay

This method allows Office 365 to relay emails on your behalf by authenticating using your public IP address (or a certificate). This requires a connector to be set up for your Office 365 account. 

Device or application setting	Value
Server/smart host	Your MX endpoint, e.g. yourcontosodomain-com.mail.protection.outlook.com
Port	Port 25
TLS/StartTLS	Enabled
Email address	Any email address for one of your Office 365 verified domains. This email address does not need a mailbox.

We recommend adding an SPF record to avoid having messages flagged as spam. If you are sending from a static IP address, add it to your SPF record in your domain registrar’s DNS settings as follows:

DNS entry	Value
SPF	v=spf1 ip4: include:spf.protection.outlook.com ~all

Indirect Client Submission Method

If it is essential to use SMTP client submission and your printer only supports SSL 3.0, you can set up an alternative configuration called Indirect SMTP client submission. This uses a local SMTP relay server to connect to Office 365. This is a much more complex setup.

Instructions can be found here-  How to configure Internet Information Server (IIS) for relay with Office 365.

More info about any or all of these relay options can be found here:  https://technet.microsoft.com/en-us/library/dn554323(v=exchg.150).aspx#configconnector