You can create connectors to apply security restrictions to mail exchanges with a partner organization or service provider. A partner can be an organization you do business with, such as a bank. It can also be a third-party cloud service that provides services such as archiving, anti-spam, and filtering.
You can create a connector to enforce encryption via transport layer security (TLS). You can also apply other security restrictions such as specifying domain names or IP address ranges that your partner organization sends mail from.
Note
Setting up a connector to exchange mail with a partner organization is optional; mail flows to and from your partner organization occur without connectors.
If you use a third-party cloud service for email filtering and need instructions for making this work with Microsoft 365 or Office 365, see Mail flow best practices for Exchange Online and Microsoft 365 or Office 365 (overview).
Using connectors to exchange email with a partner organization
By default, Microsoft 365 or Office 365 sends mails using TLS encryption, provided that the destination server also supports TLS. If your partner organization supports TLS, you only need to create a connector if you want to enforce certain security restrictions – for example, you always want TLS applied, or you require certificate verification whenever mail is sent from your partner to your organization.
Note
For information about TLS, see How Exchange Online uses TLS to secure email connections and for detailed technical information about how Exchange Online uses TLS with cipher suite ordering, see Enhancing mail flow security for Exchange Online.
When you set up a connector, email messages are checked to ensure they meet the security restrictions that you specify. If email messages don’t meet the security restrictions that you specify, the connector rejects them, and those messages will not be delivered. This behavior of the connector makes it possible to set up a secure communication channel with a partner organization.
You can set up one or both of the following, depending on your requirements:
- Set up a connector to apply security restrictions to mail sent from Microsoft 365 or Office 365 to your partner organization
- Set up a connector to apply security restrictions to mail sent from your partner organization to Microsoft 365 or Office 365
Also in this article:
- Change a connector that Microsoft 365 or Office 365 is using for mail flow
- Example security restrictions you can apply to email sent from a partner organization
Review this section to help you determine the specific settings you need for your business.
Set up a connector to apply security restrictions to mail sent from Microsoft 365 or Office 365 to your partner organization
This section describes the process of setting up a connector in both the New Exchange admin center (EAC) and the Classic EAC. Before you set up a new connector, do the following:
- Check for any connectors that are already listed here for your organization. For example, if you already have a connector set up for a partner organization, you’ll see it listed. Ensure you don’t create duplicate connectors for a single organizational partner; when this happens, it can cause errors, and your mail might not be delivered.
If any connectors already exist for your organization, you can see them listed here, as shown in the below screenshots for New EAC and Classic EAC, respectively.


- Navigate to the new EAC from the Microsoft 365 admin center by clicking Exchange under the Admin centers pane.
Below are the procedures to set up a new connector.
For New EAC
- Navigate to Mail flow > Connectors. The Connectors screen appears.
- Click +Add a connector. The New connector screen appears.
- Under Connection from, choose Office 365.
- Under Connection to, choose Partner Organization.

- Click Next. The Connector name screen appears.
- Provide a name for the connector and click Next. The Use of connector screen appears.
- Choose one of the two options: Only when I have a transport rule set up that redirects messages to this connector or Only when email messages are sent to these domains.
Note
If you choose the second option, provide the name of any one of the domains that are part of your organization. If there is only one domain for your organization, enter its name.
- Click + (after entering the domain name, if you have chosen Only when email messages are sent to these domains)
The domain name is displayed under the text box.
- Click Next. The Routing screen appears.
- Choose one of the two options: Use the MX record associated with the partner’s domain or Route email through these smart hosts.
- Click Next. The Security restrictions screen appears.
Note
If you choose the first option, you do not need to provide smart host details. If you choose the second option, enter the domain name of the smart host in the text box.
- Check the check box for Always use Transport Layer Security (TLS) to secure the connection (recommended).
Note
It is not mandatory to configure the Transport Layer Security (TLS) settings on the Security restrictions page. You can navigate to the next screen without choosing anything on this screen. The need to define TLS settings on this page depends on whether the destination server supports TLS or not.
- Choose one of the options under Connect only if the recipient’s email server certificate matches this criteria.
Note
If you choose the Issued by a trusted certificate authority (CA) option, the Add the subject name or subject alternative name (SAN) matches this domain name option is activated.
It is optional to choose the Add the subject name or subject alternative name (SAN) matches this domain name option. However, if you choose it, you must enter the domain name to which the certificate name matches.
- Click Next. The Validation email screen appears.
- Enter an email address that is part of the mailbox in your organization’s email server.
- Click +.
- Click Validate. The validation process starts.
- Once the validation process is completed, click Next. The Review connector screen appears.
- Review the settings you have configured, and click Create connector.
The connector is created.
Note
If you need more information about the setup, click the Help or Learn More links.
- At the end, ensure your connector validates. If the connector does not validate, see Validate connectors for help resolving issues.
For Classic EAC
Navigate to the Classic EAC portal by clicking Classic Exchange admin center. Select mail flow and then connectors.
To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the following screenshot:

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more information. The wizard will guide you through setup. At the end, ensure your connector validates. If the connector does not validate, see Validate connectors for help resolving issues.
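The outbound connector built by the wizard steps above can also be created from Exchange Online PowerShell. This is an added example, not part of the original article: the connector name, certificate domain, and test recipient are constructed, and the mapping from wizard options to `TlsSettings` values is noted in the comments.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an active
# Connect-ExchangeOnline session with rights to manage connectors.
$connectorName = 'To ContosoBank (TLS enforced)'   # constructed name
$partnerDomain = 'contosobank.com'                 # partner domain used in this article's examples
$certDomain    = '*.contosobank.com'               # assumed certificate name; confirm with the partner
$testRecipient = 'postmaster@contosobank.com'      # constructed address for the validation message

# The article warns that duplicate connectors for one partner can stop delivery,
# so look for an existing partner connector scoped to the same domain first.
$duplicates = Get-OutboundConnector | Where-Object {
    $_.ConnectorType -eq 'Partner' -and $_.RecipientDomains -contains $partnerDomain
}

if ($duplicates) {
    Write-Warning "A partner connector for $partnerDomain already exists; edit it instead."
    $duplicates | Format-Table Name, Enabled, RecipientDomains, TlsSettings, TlsDomain
}
else {
    # TlsSettings values and the wizard option each one corresponds to:
    #   EncryptionOnly        - any digital certificate, including self-signed
    #   CertificateValidation - issued by a trusted certificate authority (CA)
    #   DomainValidation      - trusted CA and the subject name or SAN matches TlsDomain
    New-OutboundConnector -Name $connectorName `
        -ConnectorType Partner `
        -RecipientDomains $partnerDomain `
        -UseMXRecord $true `
        -TlsSettings DomainValidation `
        -TlsDomain $certDomain

    # Equivalent of the wizard's Validate step: sends a test message through the connector.
    Validate-OutboundConnector -Identity $connectorName -Recipients $testRecipient
}
```

To route through a smart host instead of the partner's MX record, replace `-UseMXRecord $true` with `-UseMXRecord $false -SmartHosts <host>`.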
If you want to create a secure channel with your partner organization in both directions, set up a connector that restricts mail flow from your partner organization to Microsoft 365 or Office 365.
Set up a connector to apply security restrictions to mail sent from your partner organization to Microsoft 365 or Office 365
You can set up a connector to apply security restrictions to email that your partner organization sends to you. The procedure to set up a connector is described below.
For New EAC
- Navigate to Mail flow > Connectors. The Connectors screen appears.
- Click +Add a connector. The New connector screen appears.

- Under Connection from, choose Partner organization.
Note
Once you select the Partner organization radio button under Connection from, the option under Connection to is greyed out, implying that Office 365 is chosen by default.

- Click Next. The Connector name screen appears.
- Provide a name for the connector and click Next. The Authenticating sent email screen appears.
- Choose one of the two options: By verifying that the sender domain matches one of the following domains or By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization.
Note
If you choose By verifying that the sender domain matches one of the following domains, you can provide the name of any one domain from the list of domains for your organization. If you have only one domain for your organization, enter its name. If you choose By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization, provide an IP address of any of the recipients who are part of your organization’s mailbox.
- Click Next. The Security restrictions screen appears.
- Check the check box for Reject email messages if they aren’t sent over TLS.
Note
It is optional to choose the option of And require that the subject name of the certificate that the partner uses to authenticate with Office 365 matches this domain name. If you choose this option, enter the domain name of the partner organization.
- Check the check box for Reject email messages if they aren’t sent from within this IP address range, and provide the IP address range.
Important
You can choose this option in addition to the option specified in Step 5, or you can choose either this option or the one in Step 5. Choosing at least one of these options is mandatory.
- Click Next. The Review connector screen appears.
- Review the settings you have configured, and click Create connector.
The connector is created.
Note
If you need more information, you can click the Help or Learn More links. In particular, see Identifying email from your email server for help in configuring certificate or IP address settings for this connector. The wizard will guide you through the setup.
For Classic EAC
To start the wizard, click the plus symbol +. On the first screen, choose the following options:

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more information. The wizard will guide you through setup. At the end, save your connector.
Ask your partner organization to send a test email. Ensure the email your partner organization sends will cause the connector to be applied. For example, if you specified security restrictions for mail sent from a specific partner domain, ensure they send test mail from that domain. Check that the test email is delivered to confirm that the connector works correctly.
Change a connector that Microsoft 365 or Office 365 is using for mail flow
To change settings for a connector, perform the procedures specified below.
Select the connector you want to edit and then click the Edit icon, as shown in the following two screens for New EAC and Classic EAC, respectively.


The connector wizard opens, and you can make changes to the existing connector settings. While you change the connector settings, Microsoft 365 or Office 365 continues to use the existing connector settings for mail flow. When you save changes to the connector, Microsoft 365 or Office 365 starts using the new settings.
Example security restrictions you can apply to email sent from a partner organization
Review these connector examples to help you decide whether you want to apply security restrictions to emails sent by a partner organization, and understand what settings will meet your business needs:
Create a partner organization connector
For New EAC
For details on this procedure, see the For New EAC subsection in the Set up a connector to apply security restrictions to mail sent from your partner organization to Microsoft 365 or Office 365 section in this topic.
For Classic EAC
From the new EAC portal, navigate to the Classic EAC portal by clicking Classic Exchange admin center. Select mail flow and then connectors.
To start the wizard, click the plus symbol +. To create a connector for email you receive from a partner organization, use the options depicted in the following screenshot:

Once you choose this mail flow scenario, you can set up a connector that will apply security restrictions to emails that your partner organization sends to you. For some security restrictions, you might need to talk to your partner organization to obtain information to complete some settings. Look for the examples that best meet your needs to help you set up your partner connector.
Note
Any email sent from your partner organization which does not meet security restrictions that you specify will not be delivered.
Example 1: Require that email sent from your partner organization domain contosobank.com is encrypted using transport layer security (TLS)
To do this, specify your partner organization domain name to identify mail from that partner, and then choose transport layer security (TLS) encryption when you create the connector for mail flow from your partner to Microsoft 365 or Office 365.
During setup of the connector in the New EAC, use the options as shown in the following screenshots:

Use this screen to enter your partner organization’s domain name(s) so the connector can identify mail sent by your partner:

Choose this setting to require encryption for all email from ContosoBank.com using TLS:

During setup of the connector in the Classic EAC, use the options as shown in the following screenshots:

Use this screen to enter your partner organization’s domain name(s) so the connector can identify mail sent by your partner:

Choose this setting to require encryption for all email from ContosoBank.com using TLS:

When you choose these settings, all emails from your partner organization’s domain, ContosoBank.com, must be encrypted using TLS. Any mail that is not encrypted will be rejected.
Example 2: Require that email sent from your partner organization domain ContosoBank.com is encrypted and uses their domain certificate
To do this in the New EAC, perform the following steps:
- Use all the settings shown in Example 1 above.
- Add the certificate domain name that your partner organization uses to connect with Microsoft 365 or Office 365.

To do this in the Classic EAC
- Use all the settings shown in Example 1 above.
- Add the certificate domain name that your partner organization uses to connect with Microsoft 365 or Office 365.

When you set these restrictions, all mail from your partner organization domain must be encrypted using TLS, and sent from a server with the certificate name you specify. Any email that does not meet these conditions will be rejected.
Example 3: Require that all emails are sent from a specific IP address range
This email could be from a partner organization, such as ContosoBank.com, or from your on-premises environment. For instance, the MX record for your domain, contoso.com, points to on-premises, and you want all emails being sent to contoso.com to come from your on-premises IP addresses only. This helps prevent spoofing and ensures your compliance policies can be enforced for all messages.
To do this, specify your partner organization domain name to identify mail from that partner, and then restrict the IP addresses that you accept mail from. Using an IP address makes the connector more specific because it identifies a single address or an address range that your partner organization sends mails from.
In the New EAC, the procedure is as described below:
- Enter your partner domain as described in Example 1 above.
- Use the options as shown in the screenshot below.

In the Classic EAC, the procedure is as described below:
- Enter your partner domain as described in Example 1 above.
- Use the options as shown in the screenshot below.

When you set these restrictions, all emails that are sent from your partner organization domain, ContosoBank.com, or from your on-premises environment will be from the IP address or an address range you specify. Any mail that does not meet these conditions will be rejected.
Example 4: Require that all email sent to your organization from the internet is sent from a specific IP address (third-party email service scenario)
Mail flow from a third-party email service to Microsoft 365 or Office 365 works without a connector. However, in this scenario, you can optionally use a connector to restrict all mail delivery to your organization. If you use the settings described in this example, they will apply to all email sent to your organization. When all emails sent to your organization come from a single third-party email service, you can optionally use a connector to restrict all mail delivery; only mail sent from a single IP address or address range will be delivered.
Note
Ensure you identify the full range of IP addresses that your third-party email service sends mail from. If you miss an IP address, or if one gets added without your knowledge, some mails will not be delivered to your organization.
In the New EAC, to restrict all mails sent to your organization from a specific IP address or address range, use the options during setup as shown in the following screenshots:


In the Classic EAC, to restrict all mails sent to your organization from a specific IP address or address range, use the options during setup as shown in the following screenshots:



When you set these restrictions, all mails sent to your organization will be from a specific IP address range. Any internet email that does not originate from this IP address range will be rejected.
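Examples 1 through 4 above, expressed as inbound connector parameter sets for Exchange Online PowerShell. This is an added example, not part of the original article: the connector names, certificate name, and IP ranges are constructed, and the mapping of each wizard screen to these parameters is an assumption to confirm against your tenant before relying on it.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an active
# Connect-ExchangeOnline session with rights to manage connectors.
$partnerDomain = 'contosobank.com'     # partner domain from the article's examples
$partnerCert   = '*.contosobank.com'   # assumed certificate name; confirm with the partner
$partnerRange  = '192.0.2.0/24'        # constructed documentation range, not a real sender
$serviceRange  = '198.51.100.0/24'     # constructed range for a third-party email service

# One parameter set per example. Create only one connector per partner.
$examples = @{
    1 = @{ Name = 'ContosoBank inbound - TLS required'
           SenderDomains = $partnerDomain
           RequireTls = $true }
    2 = @{ Name = 'ContosoBank inbound - TLS and certificate name'
           SenderDomains = $partnerDomain
           RequireTls = $true
           TlsSenderCertificateName = $partnerCert
           RestrictDomainsToCertificate = $true }
    3 = @{ Name = 'ContosoBank inbound - IP range only'
           SenderDomains = $partnerDomain
           SenderIPAddresses = $partnerRange
           RestrictDomainsToIPAddresses = $true }
    4 = @{ Name = 'All internet mail - third-party service only'
           SenderDomains = '*'
           SenderIPAddresses = $serviceRange
           RestrictDomainsToIPAddresses = $true }
}
$params = $examples[2]   # choose the example that matches your requirement

# Duplicate connectors for one partner can cause mail to be rejected, so check first.
# This is a substring match on the stored sender domains and may over-report.
$pattern  = [regex]::Escape($params.SenderDomains)
$existing = Get-InboundConnector | Where-Object {
    $_.ConnectorType -eq 'Partner' -and ($_.SenderDomains -match $pattern)
}

if ($existing) {
    Write-Warning 'A partner connector already covers this sender; edit it instead.'
    $existing | Format-Table Name, Enabled, SenderDomains, SenderIPAddresses, RequireTls
}
else {
    # Mail that fails the restriction is rejected as soon as the connector is enabled.
    New-InboundConnector @params -ConnectorType Partner |
        Format-List Name, Enabled, SenderDomains, SenderIPAddresses, RequireTls,
                    TlsSenderCertificateName, RestrictDomainsToIPAddresses,
                    RestrictDomainsToCertificate
}
```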
Example 5: Require that all mail sent from your partner organization IP address or address range is encrypted using TLS
To identify your partner organization by IP address, in the New EAC, use the options during setup as shown in the screenshot below:

Add the requirement for TLS encryption by using this setting:

To identify your partner organization by IP address, in the Classic EAC, use the options during setup, as shown in the screenshots below:


Add the requirement for TLS encryption by using this setting:

When you set these restrictions, all mail from your partner organization sent from the IP address or address range you specify must be sent using TLS. Any mail that does not meet this restriction will be rejected.
See also
Configure mail flow using connectors in Microsoft 365 or Office 365
Mail flow best practices for Exchange Online, Microsoft 365, and Office 365 (overview)
What happens when I have multiple connectors for the same scenario?