There are three main relay methods in Microsoft 365:
1. SMTP Client Submission (Preferred if possible)
   - Uses port 587 with TLS and authentication (username + password).
   - Works best for apps/devices that support modern authentication.
   - Each device must be configured with a licensed mailbox account.
   - Settings:
     - SMTP server: smtp.office365.com
     - Port: 587
     - Encryption: TLS
     - Username: mailbox email address (e.g. scanner@yourdomain.com)
     - Password: mailbox password / app password (if MFA enabled).
2. Direct Send
   - Sends mail directly to Office 365 without authentication.
   - Only works when sending to internal recipients (inside your domain).
   - Useful for devices that cannot authenticate.
   - Requirements:
     - The device must send from one of your public IP addresses that is allowed in Exchange Online.
     - Use your Microsoft 365 MX endpoint as the SMTP server (e.g. yourdomain-com.mail.protection.outlook.com).
     - Port: 25
     - TLS: optional, but recommended.
3. Office 365 SMTP Relay (Connector-based)
   - More flexible: allows sending to internal and external recipients.
   - You create a mail flow connector in Exchange Online that authorises by public IP address.
   - Steps:
     - Log into Microsoft 365 Admin Center → Exchange Admin Center.
     - Go to Mail flow → Connectors → Add new.
     - Choose:
       - From: Your organisation’s email server
       - To: Office 365
     - Give it a name (e.g. “Office devices relay”).
     - Specify the public IPs of your devices/apps that will send mail.
     - Save connector.
     - Configure devices/apps with:
       - SMTP server: yourdomain-com.mail.protection.outlook.com
       - Port: 25
       - No authentication needed.
       - TLS if supported.
✅ Which option should you choose?
- If device supports authentication → use SMTP client submission.
- If only internal mail → direct send.
- If external mail needed & no authentication support → connector-based relay.
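
An added example (not part of the original page and not Microsoft tooling): a small Python audit that checks one device's SMTP settings against the three methods above and reports mismatches, such as a Direct Send device addressing external recipients. The `DeviceConfig` record, its field names (including `ip_on_connector`) and the sample printer are assumptions made for the example.

```python
from dataclasses import dataclass

SUBMISSION_HOST = "smtp.office365.com"        # client submission host (from the page)
MX_SUFFIX = ".mail.protection.outlook.com"    # MX endpoint pattern (from the page)

@dataclass
class DeviceConfig:                 # hypothetical inventory record, not a Microsoft schema
    name: str
    host: str
    port: int
    tls: bool
    authenticates: bool
    recipients: tuple = ()
    ip_on_connector: bool = False   # public IP is listed on a relay connector

def classify(cfg):                  # map the SMTP host to one of the three methods
    host = cfg.host.lower()
    if host == SUBMISSION_HOST:
        return "client-submission"
    if host.endswith(MX_SUFFIX):
        return "smtp-relay" if cfg.ip_on_connector else "direct-send"
    return "unknown"

def audit(cfg, internal_domains):   # returns (method, list of findings)
    method, findings = classify(cfg), []
    external = [r for r in cfg.recipients
                if r.rsplit("@", 1)[-1].lower() not in internal_domains]
    if method == "client-submission":
        if cfg.port != 587:
            findings.append("client submission uses port 587")
        if not cfg.tls:
            findings.append("TLS must be on: a mailbox password is sent")
        if not cfg.authenticates:
            findings.append("client submission needs a mailbox login")
    elif method in ("direct-send", "smtp-relay"):
        if cfg.port != 25:
            findings.append("the MX endpoint is reached on port 25")
        if not cfg.tls:
            findings.append("TLS is optional here but recommended")
        if method == "direct-send" and external:
            findings.append("direct send is internal-only: " + ", ".join(external))
    else:
        findings.append("host is neither smtp.office365.com nor an MX endpoint")
    return method, findings

# Constructed sample: an old printer pointed at the MX endpoint, no connector.
SAMPLE = DeviceConfig("old-printer", "yourdomain-com.mail.protection.outlook.com",
                      25, False, False, ("a@yourdomain.com", "vendor@example.org"))
print(audit(SAMPLE, {"yourdomain.com"}))
```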