SMTP (Simple Mail Transfer Protocol) is used when you set up an on-premises multi-function printer, scanner, fax, or line of business (LOB) application that needs to send email. If some or all of your mailboxes are in Office 365, there are a few options available: SMTP relay, client SMTP submission, or Direct Send.

  • SMTP Relay: An SMTP relay is used to send mail from your organization by authenticating the IP address or certificate of the sender. Any email address (including non-Office 365 mailboxes) can send mail using an SMTP relay, as long as it uses a domain that’s set up as yours in Office 365.
  • Client SMTP Submission: Client SMTP submission allows your device or LOB application to send emails using an email address associated with an Office 365 mailbox by authenticating itself using that account. Each device can have its own sender address, or all devices can use one address such as printer@yourdomain.com.
  • Direct Send: Direct Send can be used if the device or LOB application has the ability to send mail by itself. If so, the device or LOB application does not use Office 365 to send the mail, but the mail is received by Office 365 for delivery to your Office 365 accounts.
Tip:
If you have an on-premises SMTP server – for example if you’re operating in a Hybrid environment – then it’s recommended to use the on-premises server to handle email delivery for applications and devices. You won’t need to follow the guidance in this article as you’ll already have an inbound connector configured.

Sending Email Through Office 365

The following table will help you decide which one of these options will meet your needs. Detailed information and setup steps follow each method.

| Option | SMTP Relay | Client SMTP Submission | Direct Send |
| --- | --- | --- | --- |
| Send to recipients in our domain(s) | Yes | Yes | Yes |
| Relay to Internet via Office 365 | Yes | Yes | No. Direct delivery only. |
| Configuration requirements | Port 25; TLS optional; one or more static IP addresses are required. Tip: This method cannot be used with Azure or addresses on a Policy Block List. | Port 587 or 25; TLS required; dynamic IPs allowed | Port 25; TLS optional |
| Requires authentication | No. IP address provides authentication. | Yes. However if the device does not support this option, you can use on-premises Windows SMTP relay. | No |
| Bypasses anti-spam | No. Suspicious emails may be filtered. We recommend a custom SPF record. | Yes if the mail is destined for an Office 365 mailbox. | No. Suspicious emails may be filtered. We recommend a custom SPF record. |
| Throttling Limits | Reasonable limits are imposed. The service cannot be used to send spam. | 10,000 recipients per day. | None |
| Licensing requirements | Requires Exchange Online Protection licenses for each sender. Office 365 mailboxes have this license. | Must use a licensed mailbox with credentials. | Email sender licensing not required. |
| FQDN of SMTP Endpoint | To obtain the string for your domain, go to Domains in the Office 365 Portal. | smtp.office365.com | No endpoint required. This method uses DNS based routing. |

SMTP Relay

Tip:
If you’re not sure which method to use, choose this one. It will work best in the largest number of scenarios.

This method of relaying messages allows Office 365 to handle email delivery on your behalf by authenticating using your public IP address or a certificate. Your device or LOB application can send email as any email address within your owned and verified domains. The address does not have to resolve to an Office 365 mailbox. However, if the email address doesn’t exist, then recipients that reply to the emails will receive a Non-Delivery Report (NDR). If the device or application is used to send spam or bulk email against the Office 365 Terms of Service, the email address and/or IP may be blocked by Office 365. If your device or LOB application supports or requires authentication (for example, if your users need to send emails only as their own accounts), you may want to consider the Client SMTP Submission method instead.

If all of your users have Office 365 mailboxes, you don’t need any additional licensing to use this option. If you have senders using the device or LOB application who don’t have an Office 365 mailbox, then you should make sure that each non-Office 365 user has an Exchange Online Protection license to cover outbound and/or inbound relay.

If you have already set up Exchange Hybrid or have an Exchange Online Protection Inbound On-premises Connector configured, then it is likely that no additional setup will be required for Office 365.

  1. Obtain the public IP address you’re using. A dynamic IP address isn’t supported or allowed. You can share the IP with other devices and users, but you shouldn’t be sharing the IP with anyone outside of your company. Make note of this IP address for later.
  2. Log on to the Office 365 Portal.
  3. Select Domains. Highlight one of your domains and use the wizard to obtain your MX record. The MX record will look similar to contoso.com.mail.protection.outlook.com. Make a note of the MX record for later.
  4. Make certain that the domains that the application or device is sending as have been properly verified. If the domain is not verified, emails could be lost and you won’t be able to track them through Office 365 using Message Trace.
  5. In the upper right, select Admin and then select Exchange from the drop down. If you have Small Business, then see the instructions here.
  6. In the Exchange Admin Center, select Mail Flow > Connectors.
  7. If no inbound connector exists, create one.
    1. Give the connector a name.
    2. Select On-Premises for the Connector Type.
    3. Under Sender Domains, add a single asterisk (*). This will allow sending to any domain. Other values in this field will limit the domains that you can send mail to.
    4. In the Sender IP Addresses section, add the IP address from Step 1.
    5. In the Associated accepted domains section, add the domain from your accepted domains in which the messages will be coming from. For example, if mail will be relayed as user@contoso.com, add contoso.com to the list.
    6. Leave all the other fields with their default values and select Save.
  8. In the DNS for your domain, we suggest that you modify your SPF record to include the IP address from Step 1. The finished string should look similar to this: v=spf1 ip4:10.1.2.3 include:spf.protection.outlook.com ~all where 10.1.2.3 is your public IP address. Skipping this step could cause email to be sent to recipients’ junk mail folders.
  9. In the device’s settings, specify a Smart Host value equal to the MX record value you recorded in Step 3.
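
The SPF record from step 8 can be checked before it is published. The following is an added example, not part of the original article: it parses a record string and reports whether the relay IP and the Office 365 include are present. The function name and the sample records in the test are constructed; 10.1.2.3 is the article's placeholder address.

```python
import ipaddress

RELAY_IP = "10.1.2.3"                        # placeholder address from step 8
O365_INCLUDE = "spf.protection.outlook.com"  # include named in step 8

def check_spf(record, relay_ip=RELAY_IP):
    """Return a list of problems in an SPF TXT record; an empty list means OK."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    ip = ipaddress.ip_address(relay_ip)
    problems, includes = [], set()
    covered, all_qualifier = False, None
    for term in terms[1:]:
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = (term[1:] if term[0] in "+-~?" else term).lower()
        if body.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(body[4:], strict=False)
            except ValueError:
                problems.append(f"malformed address in {term!r}")
                continue
            if qualifier == "+" and ip.version == net.version and ip in net:
                covered = True
        elif body.startswith("include:"):
            includes.add(body[len("include:"):])
        elif body == "all":
            all_qualifier = qualifier
    if not covered:
        problems.append(f"relay IP {relay_ip} is not authorized by an ip4/ip6 mechanism")
    if O365_INCLUDE not in includes:
        problems.append(f"missing include:{O365_INCLUDE}")
    if all_qualifier is None:
        problems.append("no terminal 'all' mechanism")
    elif all_qualifier == "+":
        problems.append("'+all' authorizes every sender")
    return problems
```

An empty result means the record authorizes both the on-premises relay address and Office 365; each string in a non-empty result names one thing to fix in DNS.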

Client SMTP Submission

This method uses Office 365 to send email via SMTP using an Office 365 mailbox account’s credentials. Each email needs to be sent by a valid email address associated with an Office 365 mailbox. Mailboxes that are outside of Office 365 aren’t supported. If the device or application is used to send spam or bulk email against the Office 365 Terms of Service, the email address and/or IP may be throttled or blocked by Office 365.

  1. Confirm that your device or application supports Transport Layer Security (TLS) for SMTP on either port 587 or port 25 (587 is recommended). You may want to verify with the device or application vendor if there are firmware or software updates, particularly if the device or application is more than a few months old. If TLS is not supported, you can use the SMTP Relay method or install and configure Windows SMTP on-premises to handle the communication to Office 365 as a last resort. TLS v1.1 or later is required, and a number of ciphers are supported. If your application or device is having trouble with the STARTTLS exchange, then you may want to make sure all patches are applied.
    Tip:
    If your device suggests using port 465, then TLS is probably not supported. Contact your vendor for an update.
  2. Decide if the device or application allows users to specify their own email address and credentials on a per-user basis, or if a single mailbox can be used to send all email as a single sender. If you’re sending as a single email address, for example printer@contoso.com, you’ll need to ensure that the following statements are true:
    1. The domain portion, for example contoso.com, must be a verified and accepted domain for your Office 365 tenant.
    2. The full SMTP address must be added to either an existing Office 365 mailbox or a new Office 365 Mailbox.
  3. Exact configuration options will vary by device and application. For more information, see How to configure Internet Information Server (IIS) for relay with Office 365. At a minimum, the following must be configured on the device:
    • Smart host: smtp.office365.com
    • Port: 25 or 587. If your device or application doesn’t allow you to specify a port, then 25 will be used. However, 587 is highly recommended as many ISPs will block port 25. Port 465 is not supported. Contact your vendor for an update.
    • Use Transport Layer Security (TLS): Office 365 requires TLS to ensure that your credentials are passed securely. Use of SSL over port 465 is not supported.
    • Email address/credentials: The credentials must be valid Office 365 credentials. Some devices or applications may also allow you to specify the email address. Although the email address and the username can be different, they must be associated with the same Office 365 account.
Warning:
If your application is running on Windows 2003, there are two fixes that are required. See here and here for details.
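
For an LOB application written in Python, client SMTP submission with the settings listed above can look like the following added example (not code from the original article). It logs in only after STARTTLS has been negotiated with certificate verification; the function names, the `smtp_factory` parameter and the TLS 1.2 floor (stricter than the TLS 1.1 minimum stated above) are assumptions of this sketch.

```python
import smtplib
import ssl
from email.message import EmailMessage

SMART_HOST = "smtp.office365.com"  # smart host from the settings above
PORT = 587                         # recommended port

def tls_context():
    """Certificate-verifying context; TLS 1.2 floor is this example's choice."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def build_message(sender, recipient, subject, body):
    """Build a plain-text message; sender must belong to the login mailbox."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg

def submit(msg, username, password, smtp_factory=smtplib.SMTP):
    """Send msg via Office 365; credentials are sent only after STARTTLS."""
    with smtp_factory(SMART_HOST, PORT, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Never fall back to an unencrypted login.
            raise RuntimeError("server did not offer STARTTLS; refusing to log in")
        smtp.starttls(context=tls_context())
        smtp.ehlo()                    # re-read capabilities over the TLS channel
        smtp.login(username, password)
        return smtp.send_message(msg)  # dict of refused recipients; {} = all accepted
```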

Direct Send

Another option to consider when setting up devices and LOB applications to send email messages is to use direct SMTP send. In this case, the device or application will handle all email delivery directly, regardless of destination, and Office 365 is not used to send the messages. There are several scenarios where this can be the best choice:

  1. If the device or application is only sending email to your own Office 365 users, then this is the simplest method, as there is absolutely nothing to configure.
  2. If the device or application has a built-in SMTP server capability and you want to manage and control it separately. This may be particularly useful if you don’t want Office 365 to throttle or scan your outbound email for viruses and spam.
  3. If you’re sending bulk email or newsletters, as Office 365 does not support this. You may want to enlist the help of a bulk email service provider to assist you. There are best practices that should be followed and bulk email providers are well-suited to ensure that your domains and IP addresses are not blocked by others on the Internet.

Windows SMTP can provide this direct send routing capability if your device/application does not support it; however, a more comprehensive solution is suggested.

© 2015 Microsoft