Sending as 3rd-party domain address with Office 365

I'm in the process of moving a customer from an on-site Exchange to Office 365, but I've hit a roadblock. One of the mailboxes needs to send from an external address, instead of an address on the domain they own. This works fine with their on-site Exchange, as I can just change their default SMTP address. A POP3 connector fetches mail from the external address, and any mail they send leaves their Exchange server as that address. They essentially have Exchange functionality for their external POP3 address.

Office 365 Exchange won't let me add the external address, as it's not an accepted domain. I can't add it as an accepted domain because I can't verify the domain (the domain is owned by the franchisor, not my customer the franchisee). I've added the external address, via OWA, as a Connected Account. I've changed the Default Reply Address to the external account. I've given it a few days to synchronise, but it still wants to send from their own domain via Outlook and OWA. The best I can do is to manually select the From address in OWA, and that works (except it sends it "On behalf of").

Has anybody come across this hurdle before and been able to solve it?

Some people have claimed that the Connected Account and Default Reply Address in OWA has worked for them, even when sending from Outlook, but it's not the case in my testing. I'd be happy with a result that sends directly from the O365 servers (there's no SPF record on the franchisor's domain), or even if there's a way to send via the franchisor's SMTP server. I'd really like to avoid the "on behalf of" scenario, but it's better than nothing.
Jian An Lim (Solutions Architect) commented:
In summary, you need to grant Send-As rights.
Russell (Author) commented:
Unfortunately, this hasn't changed anything. I can still manually "Send as" from OWA (as before, with just the Connected Account configured), and it still says "on behalf" when received. I'm still unable to set the external domain as the default email address.

According to the Microsoft Support comment in that thread, it's not possible, at least as of a year ago. It's disappointing that there's no facility to spoof the sender (as with on-site Exchange), or send via an external SMTP server, as with GMail.

I'm hoping someone might have a trick up their sleeve, to save having to configure a Postfix relay server which could do the job that O365 can't.

The only other thing I can think of is to see if the franchisor would be willing to add a TXT record, allowing me to add their domain to the account. I'm not sure if O365 would only let one account do that and/or if it would confuse routing for the domain.
Jian An Lim (Solutions Architect) commented:
Office 365 will only let one account do that, so if you have added them into your tenant, this will prevent them from registering in Office 365 (unless you remove them from your list again).

I am trying to do it manually at my end to work out whether there is any other mechanism to do so, and there is really no option to spoof the sender address with an authenticated user.
Russell (Author) commented:
Thanks for your help. It would seem that O365 Exchange doesn't let you replicate the spoofing "feature" of on-site Exchange. I can only guess that the "default reply address" feature of connected accounts (as configured in OWA) was changed after people claimed it would override the Outlook/mobile reply address. I can't even get it to actually default from within OWA.

However, I did managed to get what I was after, but it required me to use a Postfix mail server, in addition to O365. I've configured a "partner organization" connector (Exchange admin -> mail flow -> connectors), with the "Only when email messages are sent to these domains" rule matching against everything (*). It sends the mail to my Postfix server, which uses the "generic" rewriting table to change the sender address and forward on the mail. I'm using a TLS connection with self-signed certificate, and it's all working perfectly.

The only downside to this configuration, apart from requiring a separate service (I already had a Linode doing other non-mail things, so I just used that server), is that the server is technically an open relay if someone were to specify the customer's email address as the sender (the server rejects everything that doesn't match via check_sender_access, but that's the only restriction it uses). The chances of someone knowing which server and which address are extremely slim, but as O365 doesn't support authentication, and their outbound IP addresses can change weekly, I'll just have to ignore it for now.
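The relay described in the answer above, written out as an added configuration example. This is not the configuration from the original post; the hostname, file paths, certificate names and mailbox addresses are assumptions. It shows the sender rewrite with smtp_generic_maps, the sender-only relay check the post describes (the part that makes the box a relay for anyone who guesses the address), and the client-address restriction the post defers to a later cron job:

```conf
# /etc/postfix/main.cf -- relevant settings only (added example; names are assumptions)
myhostname = relay.example.net
inet_interfaces = all
# Nothing but localhost is trusted by address; Office 365 is admitted further down.
mynetworks = 127.0.0.0/8 [::1]/128

# Accept mail from the Office 365 "partner organization" connector over TLS only.
# A self-signed certificate works when the connector is set to accept any
# certificate rather than one issued by a trusted CA.
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/relay.crt
smtpd_tls_key_file  = /etc/postfix/relay.key
# Use TLS towards the next hop when it is offered.
smtp_tls_security_level = may

# Rewrite the customer's address to the franchisor's address on the way out.
# smtp_generic_maps rewrites the envelope sender and the message headers alike,
# so the recipient sees only the franchisor address and no "on behalf of".
smtp_generic_maps = hash:/etc/postfix/generic

# Relay decision. As in the post, a matching envelope sender is the only thing
# that unlocks relaying to arbitrary destinations; anything else is refused.
smtpd_relay_restrictions =
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_destination

# The piece the post leaves for later: refuse connections that do not come from
# Office 365 address ranges. cidr: tables are plain text and need no postmap.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/o365_clients.cidr,
    reject

# /etc/postfix/generic   (run "postmap /etc/postfix/generic" after editing)
mailbox@customer.example    mailbox@franchisor.example

# /etc/postfix/sender_access   (run "postmap /etc/postfix/sender_access" after editing)
mailbox@customer.example    OK
```

Two caveats a practitioner should keep in mind. smtp_generic_maps rewrites every matching address in the headers, including To: and Cc:, so list only the addresses that are meant to change. And because the relay now puts the franchisor's domain in the From header, the setup only stays deliverable while the franchisor publishes no SPF record (as the post notes); if they later add SPF or a DMARC policy that does not cover the relay's IP, receiving servers will start rejecting this mail.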

Russell (Author) commented:
The solution works, but it's not ideal. Until Microsoft change the behaviour of O365, using a 3rd-party mail server is the only way. Ideally, you should restrict the SMTP port on the 3rd-party server to only accept connections from O365 servers. There is an XML list of current IP addresses O365 use, but it would require scripting a daily cron job to check and update the firewall rules. I'll add it to my To Do list :)
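The cron job the comment above leaves on the to-do list, as an added example in Python (not the original poster's code). Microsoft has since replaced the XML address list with a JSON web service at endpoints.office.com; the field names used here (serviceArea, ips, tcpPorts) are those of that service, and the sample list embedded for offline use is constructed to match its shape, not copied from it. Rather than rewriting firewall rules, the script selects the Exchange Online ranges that use TCP 25 and writes them as a Postfix cidr: access table for check_client_access, which needs no root-level firewall changes and no postmap; the output path is an assumption.

```python
#!/usr/bin/env python3
"""Generate a Postfix cidr: client access table from the Office 365 endpoint list.

Added example for the relay described in the thread; not the original poster's
code. Field names follow Microsoft's endpoints web service; SAMPLE_ENDPOINTS is
constructed to match that shape and is not an authoritative address list.
"""
import ipaddress
import json
import sys
import urllib.request
import uuid
from typing import Dict, Iterable, List

ENDPOINTS_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={}"
OUTPUT_PATH = "/etc/postfix/o365_clients.cidr"  # assumption: must match main.cf

# Constructed sample in the service's shape: SMTP entries, an overlapping
# duplicate, and non-SMTP / non-Exchange entries that must be filtered out.
SAMPLE_ENDPOINTS: List[Dict] = [
    {"id": 9, "serviceArea": "Exchange", "urls": ["*.mail.protection.outlook.com"],
     "ips": ["40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "2a01:111:f400::/48"],
     "tcpPorts": "25", "category": "Allow", "required": True},
    {"id": 10, "serviceArea": "Exchange", "urls": ["*.protection.outlook.com"],
     "ips": ["52.100.0.0/14", "104.47.0.0/17"],
     "tcpPorts": "443,25", "category": "Allow", "required": True},
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
     "ips": ["13.107.6.152/31"], "tcpPorts": "80,443", "category": "Optimize",
     "required": True},
    {"id": 31, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22"], "tcpPorts": "80,443", "category": "Optimize",
     "required": True},
]


def fetch_endpoints() -> List[Dict]:
    """Download the current worldwide endpoint list (the service wants a client GUID)."""
    with urllib.request.urlopen(ENDPOINTS_URL.format(uuid.uuid4()), timeout=30) as resp:
        return json.load(resp)


def exchange_smtp_cidrs(endpoints: Iterable[Dict]) -> List[str]:
    """Return collapsed, sorted CIDRs for Exchange Online entries that use TCP 25.

    Only those ranges can be the source of mail handed over by an outbound
    connector, so only those should be allowed to reach the relay's smtpd.
    """
    nets = set()
    for entry in endpoints:
        if entry.get("serviceArea") != "Exchange":
            continue
        ports = {p.strip() for p in entry.get("tcpPorts", "").split(",")}
        if "25" not in ports:
            continue
        for cidr in entry.get("ips", []):
            nets.add(ipaddress.ip_network(cidr, strict=False))
    # Collapse overlapping/adjacent ranges per address family, then sort.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in sorted(v4)] + [str(n) for n in sorted(v6)]


def postfix_cidr_table(cidrs: Iterable[str]) -> str:
    """Render a Postfix cidr: access table: listed ranges OK, everything else rejected."""
    lines = ["# generated from endpoints.office.com; do not edit by hand"]
    lines += ["%s OK" % c for c in cidrs]
    lines += ["0.0.0.0/0 REJECT not an Office 365 address",
              "::/0 REJECT not an Office 365 address"]
    return "\n".join(lines) + "\n"


def main() -> int:
    cidrs = exchange_smtp_cidrs(fetch_endpoints())
    if not cidrs:  # never install an empty table: it would lock Office 365 out
        print("no Exchange SMTP ranges found; leaving table untouched", file=sys.stderr)
        return 1
    table = postfix_cidr_table(cidrs)
    try:
        with open(OUTPUT_PATH) as f:
            if f.read() == table:
                return 0  # unchanged, nothing to reload
    except FileNotFoundError:
        pass
    with open(OUTPUT_PATH, "w") as f:
        f.write(table)
    print("updated %s with %d ranges; run 'postfix reload'" % (OUTPUT_PATH, len(cidrs)))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it daily from cron as a user that can write the table, and follow a change with `postfix reload` so running smtpd processes pick up the new file. The script refuses to write an empty table, since a bad download would otherwise lock the connector out of the relay.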