byt3 asked:

On Premise server rejecting emails because emails relayed through Office 365

When Office 365 relays email to my On Premise server, the On Premise server rejects some email as spam, because the Office 365 server is not in the SPF record of the external organization that sent the record.

Background Info:
The organization I work for is about to move to Office 365 from our Exchange 2010 On Premise service. I am also moving mailboxes from one Exchange 2010 server to another, as the previous server is currently running on Server 2008 R2 and on old hardware we want to retire. Because of this I have 2 Exchange 2010 servers with mailboxes split between the two as I move. All email originating from outside the organization's network comes through an Exchange 2010 Edge server.
All mail to and from external addresses goes through Office 365.

I need to know how to set up the connectors on my On Premise servers so that my On Premise server will only accept email from Office 365, so that I can turn off the spam filter that is rejecting valid emails.

Thanks.
Tags: Microsoft Office, Exchange, Microsoft 365

Last comment: byt3, 8/22/2022 (Mon)
byt3

ASKER
I haven't set up Hybrid configuration yet and it just occurred to me that may fix the problem. Something to try on Monday.
timgreen7077

You can just whitelist the sending domain so that your server doesn't reject it.
Mahesh

When Office 365 relays email to my On Premise server, the On Premise server rejects some email as spam, because the Office 365 server is not in the SPF record of the external organization that sent the record.

This is not clear: where does the SPF record come into the picture, or are you saying that the external org doesn't have SPF?

All you need is:
Your MX needs to point to O365; then only O365 can take care of the rest.
Since your mailboxes remain on-premise, you should change the O365 domain to "internal relay" from authoritative.
Also set up one simple SMTP connector from O365 to the on-premise network.
Then when O365 receives email, first it will check if it has the mailbox; if not, it forwards it to on-premise Exchange through the SMTP connector.
Also, in order for on-premise Exchange to accept emails from O365, you must add the O365 EOP IPs to the on-premise default server receive connector.

Now for outgoing mail flow, use on-premise Exchange to send email to the external world.

Optionally:
You could have email users (mail-enabled users) synced with O365 through the directory sync tool if you also want to move mailboxes to O365 through a hybrid setup.
Set up hybrid and it will take care of everything.
Point your MX to O365.
Finally, you need to modify your existing SPF record to include the O365 SPF host.
byt3

ASKER
My MX records point to office 365 and office 365 relays the messages to my on premise server.

Let's say contoso.com emails my organization of example.com. First the message from contoso goes to Office 365, then office 365 relays the message to my on premise server. My on premise server checks contoso.com's SPF record and doesn't find the IP or server name of Office 365 (the server that my on premise exchange received the email from), so my on premise server rejects it as spam.

I hope that clears it up.

Thanks for the suggestions and links. I will check them out on Monday.
Mahesh

Thanks for the explanation.
But SPF is not the issue. Your on-premise Exchange server will look for the O365 SPF and not contoso.com's SPF; as long as you have set the O365 domain (example.com) as internal relay and have included the O365 SPF in example.com's existing SPF record, SPF cannot be an issue.
Also, as I stated earlier:
In order for on-premise Exchange to accept emails from O365, you must add the O365 EOP IPs to the on-premise default server receive connector.
You can Google for the IP list.

Have you done these two things?
ASKER CERTIFIED SOLUTION
Mahesh
byt3

ASKER
I have not added the EOP addresses to the receive connector. I will Google for the list and add them.
Mahesh

You need to create a new receive connector on-premise for this instead of modifying the default receive connector.
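As an added example (not from anyone in this thread), the Exchange Management Shell steps that implement the advice above: a dedicated receive connector that only the EOP address ranges can use, leaving the default connector untouched, plus the IP Allow List entries that make the anti-spam agents skip those senders. It assumes an Exchange 2010 Hub Transport server with the anti-spam agents installed; the server name, FQDN and address ranges are placeholders to be replaced with your own values and Microsoft's currently published EOP ranges.

```powershell
# Added example, not from this thread. Assumes Exchange 2010 Hub Transport,
# run from the Exchange Management Shell on the on-premise server.
# The address ranges below are PLACEHOLDERS: replace them with the
# EOP / Microsoft 365 ranges currently published by Microsoft.
$EopRanges = @(
    "198.51.100.0/24",   # placeholder, replace with a published EOP range
    "203.0.113.0/24"     # placeholder, replace with a published EOP range
)
$Server = "EX2010-HUB01"          # placeholder: your Hub Transport server
$ConnectorFqdn = "mail.example.com" # placeholder: name on your TLS certificate

# 1. Dedicated connector: only the EOP ranges match it (a more specific
#    RemoteIPRanges wins over the default connector's 0.0.0.0-255.255.255.255),
#    so the default connector is left as it is.
New-ReceiveConnector -Name "Inbound from Office 365" `
    -Server $Server `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $EopRanges `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers `
    -RequireTLS $true `
    -Fqdn $ConnectorFqdn

# 2. Optional: accept the Office 365 TLS identity so messages relayed by
#    EOP are treated as coming from a trusted organization (what the
#    hybrid wizard configures on its own connector).
Set-ReceiveConnector -Identity "$Server\Inbound from Office 365" `
    -TlsDomainCapabilities "mail.protection.outlook.com:AcceptOorgProtocol"

# 3. The Sender ID and Content Filter agents skip senders listed in the
#    IP Allow List, which stops the SPF-based rejection of relayed mail.
foreach ($range in $EopRanges) {
    Add-IPAllowListEntry -IPRange $range -Comment "Office 365 EOP relay"
}

# Verify: the new connector carries the expected ranges and requires TLS,
# and the default connector's RemoteIPRanges is unchanged.
Get-ReceiveConnector -Server $Server |
    Select-Object Name, Enabled, RequireTLS,
        @{ n = "RemoteIPRanges"; e = { $_.RemoteIPRanges -join ", " } } |
    Format-Table -AutoSize
Get-IPAllowListEntry | Format-Table IPRange, Comment -AutoSize
```

Restricting RemoteIPRanges to the EOP ranges is what makes "only accept email from Office 365" hold; the Allow List alone only suppresses filtering and does not stop other hosts from connecting.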
byt3

ASKER
I Googled the Office 365 IP list (here)

I added these IP ranges to the IPAllowList, but I haven't heard back about emails continuing to bounce yet.
Mahesh

byt3

ASKER
I didn't actually use the property to restrict by IP ranges and instead I added the IPs to the IPAllowList in the Content Filtering, which did the trick.

Though I will probably eventually add them to the restricted IP ranges.


Thank you for the help.