SMTP relay not sending to external addresses

Sending emails from a scanner or web application can always be challenging. You don’t want to use a mailbox (with username and password) for this, but preferable an SMTP server that sends the mail for you. This is where we can use SMTP Relay in Office 365.

The problem with SMTP Authentication these days is that we want to use MFA on all our Office 365 accounts. When we create a dedicated mailbox for sending emails, we still can’t authenticate (and secure) it properly. This is also the reason that Microsoft doesn’t support SMTH AUTH anymore for new tenants created after 2020.

SMTP Relay, on the other hand, allows applications and devices to send email through your Exchange Online mail server. Protection is done based on your public IP Address(es), allowing only applications and devices from your network to use the SMTP Relay connection.

In this article, I will explain how you can set up an SMTP Relay in Office 365 and the difference between Direct Send and SMTP Relay.

SMTP Relay vs Direct Send in Office 365

Before we take a look at how to set up SMTP Relay in Office 365, I first want to explain to you the difference between SMTP Relay and Direct Send. Because both use the MX endpoint as an SMTP server address, but they both have their own use case.

Direct Send in Office 365 is used to deliver email to only your internal mailboxes. This means that you can’t scan a document and email it directly from the scanner to an external email address. You will need to scan it to your own mailbox, and in Outlook forward it to the external contact.

But the advantage is Direct Send is that you can use it also for third-party applications and it doesn’t require a static IP address for authentication.

SMTP Relay on the other hand can be used to send emails directly to external contacts, but only from networks (public IP addresses) that you have defined.

FeaturesDirect SendSMTP Relay
Send to internal recipients Yes Yes
Send to external recipients No Yes
Support externally hosted applications Yes No
Required Network Port 25 25
Requires authentication None Based on Public
IP Address
Direct Send vs SMTP Relay

To set up an SMTP Relay we first need to know the public IP Address of the network where the device is located. If you want to use SMTP Relay for your local multifunctional (scanner), then just open the browser and visit myip.com. Note the IP Address, we will need that later.

  1. Open the Exchange Admin Center

    Log in add your Exchange Admin Center and navigate to:
    Mail flow > Connectors

    SMTP relay not sending to external addresses

  2. Create a new Connector

    Click on Add a connector to create a new connector
    and choose Your organization’s email server

    SMTP relay not sending to external addresses

  3. Connector name

    Give the connector a recognizable name and leave the selected options on.

    SMTP relay not sending to external addresses

  4. Configure authentication

    The next step is to configure the authentication that we want to use. It’s possible to use a certificate for authentication, but more common is to do the verification based on the public IP Address of the device.

    You can define multiple IP Addresses for the connection (useful if you have different offices)

    SMTP relay not sending to external addresses

  5. Review and create the connector

    The last step is to review your settings and create the connector. Double-check the IP Addresses and click on Create connector.

    SMTP relay not sending to external addresses

To use the connector we will need to look up the MX record for your Office 365 tenant. The value of the MX record is used as SMTP Server Address in your device.

  1. Open the Microsoft 365 Admin Center
  2. Expand Settings and click on Domains
  3. Select your domain
  4. Click on DNS records
  5. Open the MX record (by clicking on it)
  6. Note to Points to address or value field
SMTP relay not sending to external addresses

The format of the value is pretty standard:

# MX Record structure
-.mail.protection.outlook.com

# For example:
# lazyadmin-nl.mail.protection.outlook.com

Use this address in your scanner or application as SMTP Address.

Update your SPF Record

To prevent the mail from ending up in the spam folder, we will need to edit the SPF record. The SPF record identifies which endpoints (servers) are allowed to send emails on behalf of the domain.

By default your SPF Record looks like this:

v=spf1 include:spf.protection.outlook.com ~all

We are going to add our Public Ip Address to it:

v=spf1 ip4:10.11.12.13 include:spf.protection.outlook.com ~all

# or for mutliple IP Addresses:
v=spf1 ip4:10.11.12.13 ip4:20.21.22.23 include:spf.protection.outlook.com ~all

Keep in mind that DNS changes can take a couple of hours to apply. But after that, you should be able to send emails using your newly created SMTP Relay Connection.

Edit SMTP Relay Connection

You can use one SMTP Relay connection to send emails from multiple IP Addresses. So you don’t need to create a connection for each branch office that you have for example.

To add an IP Address to an existing connection, we can simply open an existing one:

  1. Click on the connection
  2. Click on Edit send email identity
  3. Add or remove IP Addresses from the connection
SMTP relay not sending to external addresses
Edit SMTP Relay connector

Using PowerShell to create SMTP Relay Connection

You can also use PowerShell to create an SMTP Relay connection in Office 365. This is especially useful when you need to create the same SMTP Relay connection in multiple tenants or if you just love to use PowerShell.

Make sure that you are connected to Exchange Online. You can read more about connecting to Exchange Online in this article.

There are a couple of parameters that we need to set:

ParameterDescription
Name The name of the connector
ConnectorType Partner: External partners or services.
OnPremises: Your on-premises email organization.
SenderDomains Use * to allow all domains in your tenant
SenderIPAddresses Your public IP Address(es)
RestrictDomainsToIPAddresses  Set to true to only allow connection from your sender IP addresses

You can find all parameters with their description in these Microsoft docs.

So to create the SMTP Relay connector in Office 365 with PowerShell we can use the following code:

New-InboundConnector -Name "SMTP Relay POSH" -ConnectorType = 'OnPremises' -SenderDomains * -SenderIPAddresses 10.11.12.13 -RestrictDomainsToIPAddresses $true

Or a bit more readable:

# Set the parameters
$parameters = @{
    Name = 'SMTP Relay POSH'
    ConnectorType = 'OnPremises'
    SenderDomains = '*'
    SenderIPAddresses = '10.11.12.13','20.21.22.23'
    RestrictDomainsToIPAddresses = $true

}

# Create the SMTP Relay connector
New-InboundConnector @parameters

Wrapping Up

Keep in mind that you can’t SMTP Relay or Direct send for bulk emails. Microsoft applies reasonable limits to the connection and throttling to protect Microsoft 365 services.

Make sure that you configure the SPF records correctly because this will prevent your emails from ending up in the spam folder.

I hope you were able to create your SMTP Relay connection in Office 365 with this guide. If you have any questions, just drop a comment below.

Can Office 365 SMTP relay work with external address?

To send email using Microsoft 365 or Office 365 SMTP relay, your device or application server must have a static IP address or address range. You can't use SMTP relay to send email directly to Microsoft 365 or Office 365 from a third-party hosted service, such as Microsoft Azure.

Why is my SMTP server not sending emails?

Check whether there is network access from CSO to the SMTP server. Check whether the firewall is blocking SMTP traffic to SMTP server or whether the ports are blocked. If the server settings and authentication settings are correct, check whether the firewall is blocking port 587 and 465 and SMTP traffic.

What is an external SMTP relay?

An SMTP relay is a mail server or “MTA” (Message Transfer Agent) that is directed to hand off your message to another mail server that can get your message closer to its intended recipient - the finish line. An SMTP relay service is simply an SMTP relay that is run “in the cloud” rather than your own data center.

Can a shared mailbox be used for SMTP relay?

For SMTP relay, we can use an unlicensed account such as shared mailbox.