Identifying email from your email server
Applies to: Exchange Online, Exchange Online Protection
Office 365 only accepts and processes emails for its own customers; email will be rejected unless it originates from or is addressed to Office 365 customers.
If you have mailboxes hosted on your own email servers (also called on-premises servers), you must set up a connector to allow Office 365 to identify and accept email sent from your organization’s own email servers. Office 365 will apply your transport and anti-spam rules, then deliver email to recipients in your organization, or relay email to the Internet.
For Office 365 to trust email coming from servers that belong to your organization, choose one of the following ways for Office 365 to identify your email server:
Use the digital certificate associated with your email server (recommended). Digital certificates enable secure communication between your on-premises email server and Office 365. A certificate from a third-party trusted certificate authority (CA) must be installed on your on-premises Client Access or Edge Transport server. We recommend that your certificate's common name or subject alternative name matches the primary SMTP domain for your organization. For help with certificates in Exchange Server 2013, see Configure Exchange Certificates.
Use the IP address of your email server. We recommend using a certificate. However, you can specify the IP address or IP address range of your Internet-facing email server instead.
Using the digital certificate associated with your email server (recommended)
To use a digital certificate, click "By verifying that the subject name on the certificate that the sending server uses to authenticate with Office 365 matches this domain name". Then enter the certificate subject name that matches the domain name associated with your Internet-facing email server. For example, a certificate subject name in this context might be mail.Contoso.com. When you select this option, for Office 365 to accept mail sent from your own email server, the following conditions must be met:
Connections must have a matching certificate name.
At least one of the following domains must be a verified and accepted domain in Office 365:
Sender domain
Recipient domain
Domain name that matches the certificate's subject name.
At least one of these conditions must be met. Otherwise, email will be rejected by Office 365. For information about accepted domains, see Manage accepted domains in Exchange Online.
Sending email to and from your organization subdomains
If you want to send email to or from subdomains, they must be defined as accepted domains, or included in the definition for an accepted parent domain. For details, see Enable mail flow for subdomains in Exchange Online.
Using the IP address of your email server
To use the IP address, click "By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization". Then click the plus sign (+) to enter the IP address of your email server. Click the plus sign (+) again if you have additional IP addresses that Office 365 must identify as email servers from your organization.
When you select this option, for Office 365 to accept mail sent from your own email server, the following conditions must be met:
Your email server IP address must be within the IP address range that you specify for the connector.
Either the sender domain or all recipient domains must be defined as accepted domains in Office 365.
At least one of these conditions must be met. Otherwise, email will be rejected by Office 365. For information about accepted domains, see Manage accepted domains in Exchange Online.
Note
It's critical that you enter IP address ranges that belong exclusively to your organization so Office 365 can identify email from your own email server. For example, you can't add IP address ranges that Microsoft owns. Also, don't use an IP address that you share with any third party. For example, don't use an IP address that belongs to an external email filtering provider because they can share it with their other customers. For more information about setting up a connector to route mail between Office 365 and your own email servers, see Set up connectors to route mail between Office 365 and your own email servers.
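Added example, not Microsoft's code: a Python model of the two acceptance checks listed above, useful for predicting whether a given message would pass before you change a connector. It reads each list as conditions that must all hold, with "at least one of" applied to the domains. The function names, the "*.parent" notation for an accepted domain that includes its subdomains, exact-name certificate matching, and all sample addresses and domains are assumptions made for illustration.

```python
import ipaddress

def domain_of(address):
    return address.rsplit("@", 1)[1].lower()

def domain_accepted(domain, accepted):
    # Assumed notation: "*.contoso.com" means contoso.com plus all its subdomains.
    domain = domain.lower().rstrip(".")
    for entry in (a.lower() for a in accepted):
        if entry.startswith("*."):
            parent = entry[2:]
            if domain == parent or domain.endswith("." + parent):
                return True
        elif domain == entry:
            return True
    return False

def accept_by_certificate(cert_names, connector_name, sender, recipients, accepted):
    # Condition 1: the connection presents a certificate name matching the connector.
    if connector_name.lower() not in {n.lower() for n in cert_names}:
        return False
    # Condition 2: the sender, a recipient, or the certificate domain is accepted.
    candidates = [domain_of(sender), *map(domain_of, recipients), connector_name]
    return any(domain_accepted(d, accepted) for d in candidates)

def accept_by_ip(source_ip, connector_ranges, sender, recipients, accepted):
    # Condition 1: the sending IP falls inside a range configured on the connector.
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(r, strict=False) for r in connector_ranges):
        return False
    # Condition 2: the sender domain, or every recipient domain, is accepted.
    if domain_accepted(domain_of(sender), accepted):
        return True
    return bool(recipients) and all(domain_accepted(domain_of(r), accepted) for r in recipients)

if __name__ == "__main__":
    # Constructed sample values: documentation IP ranges and placeholder domains.
    ranges = ["192.0.2.0/24"]
    cases = [
        ("192.0.2.25", "a@contoso.com", ["x@example.org"]),    # own IP, own sender domain
        ("198.51.100.7", "a@contoso.com", ["x@example.org"]),  # IP outside the connector range
        ("192.0.2.25", "a@sales.contoso.com", ["x@example.org"]),  # subdomain not defined
    ]
    for ip, sender, rcpts in cases:
        print(ip, sender, rcpts, accept_by_ip(ip, ranges, sender, rcpts, ["contoso.com"]))
```

The third case shows the subdomain rule: with only contoso.com defined, mail from sales.contoso.com to an external recipient is rejected until the subdomain is covered by an accepted domain.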