
Office 365 SMTP Relay Settings: Complete Guide & Best Practices

By Sofia Laurent

Configuring Office 365 SMTP relay settings correctly is essential for any organization that relies on hybrid environments or legacy applications to send email. Microsoft 365 handles modern email delivery natively through Exchange Online, but there are still scenarios where a direct SMTP connection is necessary: older business systems, custom-built software, and third-party devices such as printers, scanners and monitoring appliances that cannot authenticate with OAuth 2.0 or send through the Microsoft Graph API.

Understanding the Core Concept

Many IT professionals assume that because they use Office 365 they can point any mail client at smtp.office365.com on port 587. The server address is right, but the authentication model is where deployments go wrong. Microsoft 365 actually offers three distinct relay paths: SMTP AUTH client submission (smtp.office365.com, authenticated with a mailbox's own credentials), direct send (the tenant's MX endpoint on port 25, unauthenticated, and limited to recipients inside your own tenant), and SMTP relay through a connector (the MX endpoint on port 25, where the sending server is identified by its TLS certificate or its static public IP). Unlike an on-premises Exchange server where you might allow anonymous relay from a specific IP, client submission requires a licensed Microsoft Entra ID (formerly Azure Active Directory) account with an Exchange Online mailbox, SMTP AUTH enabled for that mailbox, and a client that can authenticate in a way the tenant still permits. Microsoft has announced the retirement of Basic authentication for SMTP AUTH client submission, so a device that can only send a username and password is living on borrowed time; check the current deprecation timeline before building anything new on it.

Port and Encryption Standards

Microsoft requires TLS on every submission path. Port 587 with STARTTLS is the endpoint for SMTP AUTH client submission and is the one to use; the server advertises the AUTH capability only after STARTTLS has completed, so a client that tries to authenticate in clear text is refused rather than silently downgraded. Port 25 is not blocked by Microsoft 365 itself: the tenant's MX endpoint listens on 25 for direct send and connector relay, and smtp.office365.com also accepts client submission on 25. What usually blocks port 25 is outbound filtering by your ISP or cloud provider, so a device that must use it needs an egress path that allows it. Port 465 (implicit TLS, also called SMTPS) is not a documented Microsoft 365 endpoint; do not plan a deployment around it. Configure clients for TLS 1.2 or later, since Exchange Online no longer accepts TLS 1.0 or 1.1.

Port | Encryption | Use case
587  | STARTTLS (explicit TLS); AUTH is offered only after the upgrade | SMTP AUTH client submission to smtp.office365.com; recommended
25   | STARTTLS; optional for direct send, required when a connector is identified by certificate | Direct send and connector relay to the tenant MX endpoint; also accepted for client submission; often blocked outbound by ISPs and cloud providers
465  | Implicit TLS (SMTPS) | Not a documented Microsoft 365 endpoint; use 587 instead
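The behaviour described above is easy to verify from a workstation. The following script is an added example, not code from the article: it opens a raw TCP session to the submission endpoint, shows which capabilities are advertised before and after STARTTLS, and attempts AUTH in clear text so you can see the refusal for yourself. It assumes outbound TCP 587 is permitted from where you run it; the EHLO host name is a placeholder.

```powershell
# Added example: probe an SMTP submission endpoint and show what it advertises
# before and after STARTTLS. Assumes outbound TCP 587 is allowed from this host.
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # Multi-line replies continue with "250-" and finish with "250 " (a space)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw "Connection closed by server" }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Send-SmtpCommand {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command)
    $Writer.WriteLine($Command)      # $Writer.NewLine is set to CRLF by the caller
    $Writer.Flush()
    return Read-SmtpReply -Reader $Reader
}

function Test-SmtpStartTls {
    param([string]$Server = 'smtp.office365.com', [int]$Port = 587)

    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $stream = $client.GetStream()
    $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
    $writer = [System.IO.StreamWriter]::new($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"

    Read-SmtpReply -Reader $reader | Out-Null                  # 220 banner
    "--- EHLO before STARTTLS (no AUTH capability expected)"
    Send-SmtpCommand $writer $reader 'EHLO probe.example.net'   # probe.example.net is a placeholder
    "--- AUTH attempted in clear text (expect a 5xx refusal)"
    Send-SmtpCommand $writer $reader 'AUTH LOGIN'

    $reply = Send-SmtpCommand $writer $reader 'STARTTLS'
    if ($reply[0] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' ')" }

    # Upgrade the same socket. AuthenticateAsClient validates the server's
    # certificate chain and host name, so an interception box presenting its
    # own certificate fails here instead of being trusted.
    $ssl = [System.Net.Security.SslStream]::new($stream, $false)
    $ssl.AuthenticateAsClient($Server)
    "--- TLS negotiated: $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"

    $reader = [System.IO.StreamReader]::new($ssl, [System.Text.Encoding]::ASCII)
    $writer = [System.IO.StreamWriter]::new($ssl, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"
    "--- EHLO after STARTTLS (AUTH mechanisms should now be listed)"
    Send-SmtpCommand $writer $reader 'EHLO probe.example.net'
    Send-SmtpCommand $writer $reader 'QUIT' | Out-Null
    $client.Close()
}

Test-SmtpStartTls
```

Run it once against port 587 and once with -Port 25 against your tenant's MX host to see the difference between the client-submission endpoint and the direct-send/connector endpoint; if the second EHLO lists no AUTH mechanisms at all, you are talking to the MX endpoint rather than smtp.office365.com.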

Authentication Methods That Work

When configuring the client you choose between two authentication models. Basic Authentication (SMTP AUTH with the LOGIN or PLAIN mechanism) sends the mailbox's full email address as the username and its sign-in password; it works only if SMTP AUTH is enabled for that mailbox, and Microsoft has announced its retirement for client submission, so treat it as a stop-gap rather than a design. OAuth 2.0 (the XOAUTH2 SASL mechanism) is the supported long-term path: the client is registered as an application in Microsoft Entra ID, granted the SMTP.Send permission, and presents an access token instead of a password, which also works for accounts protected by multi-factor authentication. OAuth support among printers, scanners and older applications is still uneven, so check the vendor's documentation rather than assuming it is there. App passwords are only available when MFA is enforced through legacy per-user MFA; tenants that use Security Defaults or Conditional Access do not issue them, and an app password is still a static Basic Authentication secret with all the same exposure if the device is compromised.

Configuring Legacy Devices and Applications

For devices that do not support OAuth, administrators usually fall back to SMTP AUTH with a dedicated service account: a licensed mailbox in Office 365 that exists solely to relay, with SMTP AUTH enabled on that mailbox. Keep SMTP AUTH disabled at the tenant level and enable it per mailbox, so the exposure is limited to the accounts that need it. Give the account a long random password, no admin roles or group memberships, and, where Conditional Access allows, restrict its sign-ins to the device's egress IP. Then configure the device with these credentials exactly as entered. If the device must put a different address in the From header, grant the service account Send As (or Send on Behalf) permission for that address; otherwise Exchange Online rejects the message with a 5.7.60 "Client does not have permissions to send as this sender" error and the device sees a hard bounce. SPF does not help here: with client submission the mail leaves from Microsoft's own IP ranges, which your SPF record already covers, and the Send As check is a permission check inside the tenant, not an SPF check.
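The service-account setup from this section and the authentication choice from the previous one, carried through end to end in Exchange Online PowerShell. This is an added example, not the article's own procedure; the mailbox relay-svc@contoso.com, the delegated address scanner@contoso.com and the recipient helpdesk@contoso.com are assumed names, and the mailbox is assumed to already exist as a licensed user.

```powershell
# Added example: prepare a dedicated mailbox for SMTP AUTH client submission
# and test it the way a legacy device would. All addresses are assumed names.
Connect-ExchangeOnline

# 1. Tenant-level switch. In newer tenants SMTP AUTH is disabled here by
#    default; leave it that way and enable it only on the relay mailbox.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# Per-mailbox override. A blank value on Get-CASMailbox means "inherit the
# tenant setting"; $false explicitly enables SMTP AUTH for this mailbox only.
Set-CASMailbox -Identity relay-svc@contoso.com -SmtpClientAuthenticationDisabled $false

# 2. The device will put scanner@contoso.com in From:. That requires Send As
#    on the relay account; without it the submission fails with 5.7.60.
Add-RecipientPermission -Identity scanner@contoso.com -Trustee relay-svc@contoso.com `
    -AccessRights SendAs -Confirm:$false

# 3. Verify the effective settings before handing credentials to the device
Get-CASMailbox -Identity relay-svc@contoso.com | Format-List SmtpClientAuthenticationDisabled
Get-RecipientPermission -Identity scanner@contoso.com -Trustee relay-svc@contoso.com

# 4. Test submission exactly as the device would: port 587, STARTTLS, the
#    relay mailbox's credentials, From: set to the delegated address.
#    Send-MailMessage is marked obsolete in PowerShell 7 but still performs
#    a standard STARTTLS + AUTH LOGIN submission, which is what we are testing.
$cred = Get-Credential -UserName relay-svc@contoso.com -Message "Relay mailbox password"
Send-MailMessage -SmtpServer smtp.office365.com -Port 587 -UseSsl -Credential $cred `
    -From scanner@contoso.com -To helpdesk@contoso.com `
    -Subject "SMTP AUTH relay test" -Body "Sent via SMTP AUTH client submission."
```

If step 4 fails with 5.7.139 or 5.7.57 the mailbox (or the tenant) still has SMTP AUTH disabled or the credentials are wrong; 5.7.60 means the Send As grant in step 2 has not applied yet, which can take a few minutes to propagate.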

Connector Configuration in Exchange Admin Center

If you are bridging an on-premises server and Office 365, client settings alone will not do. The on-premises Exchange server needs a send connector that points at your tenant's MX endpoint (the MX record published for your domain, of the form contoso-com.mail.protection.outlook.com) on port 25 with TLS required, and Exchange Online needs the matching inbound connector, created in the Exchange Admin Center (EAC) as a connector from "Your organization's email server" to "Office 365". That connector is what makes Microsoft 365 treat the traffic as coming from your own organization, so it can relay to external recipients and send from any of your accepted domains. The on-premises server is identified either by the subject name of the TLS certificate it presents (preferred) or by the static public IP address of your on-premises firewall or NAT. Scope the connector as tightly as you can: one certificate name or one IP, TLS required, and nothing broader, because anything that can reach that IP or present that certificate can send as your domains through it. There is no separate receive connector to create in Exchange Online; the inbound connector's identification rule is the trust boundary.
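Both halves of that connector pairing, as an added example rather than the article's own configuration. The connector names, the on-premises public IP 203.0.113.10 (from the documentation address range), the certificate name mail.contoso.com, the domain contoso.com and the server name EX01 are all assumed values; the first part runs in Exchange Online PowerShell, the second in the on-premises Exchange Management Shell.

```powershell
# Added example: Exchange Online inbound connector for on-premises relay,
# plus the matching on-premises send connector. All names/IPs are assumed.

# ---- Part 1: Exchange Online (Connect-ExchangeOnline first) ----
Connect-ExchangeOnline

# Preferred: identify the on-premises server by the certificate it presents.
# RestrictDomainsToCertificate rejects mail claiming your domains from any
# source that cannot present this certificate; RequireTls forces the upgrade.
New-InboundConnector -Name "On-premises relay (cert)" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -TlsSenderCertificateName "mail.contoso.com" `
    -RestrictDomainsToCertificate $true `
    -RequireTls $true

# Alternative when the server has no usable certificate: identify it by the
# static public IP of the firewall/NAT. Keep the list to that single address.
# New-InboundConnector -Name "On-premises relay (IP)" -ConnectorType OnPremises `
#     -SenderDomains "*" -SenderIPAddresses "203.0.113.10" `
#     -RestrictDomainsToIPAddresses $true -RequireTls $true

# Review what the tenant actually enforces; look for over-broad IP ranges or
# wildcard certificate names that an attacker could satisfy.
Get-InboundConnector | Format-List Name, ConnectorType, Enabled, SenderIPAddresses, `
    TlsSenderCertificateName, RequireTls, RestrictDomainsToIPAddresses, RestrictDomainsToCertificate

# ---- Part 2: on-premises Exchange Management Shell ----
# Resolve the tenant MX endpoint rather than hard-coding it, then route all
# outbound mail there on port 25 with TLS required and the remote certificate
# validated against the Microsoft 365 domain.
$mx = (Resolve-DnsName -Name contoso.com -Type MX |
       Sort-Object Preference | Select-Object -First 1).NameExchange
New-SendConnector -Name "To Microsoft 365" -AddressSpaces "*" `
    -SmartHosts $mx -SmartHostAuthMechanism None -Port 25 `
    -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain "mail.protection.outlook.com" `
    -SourceTransportServers "EX01"
```

After both sides are in place, send a test message from an on-premises mailbox to an external recipient and inspect the received message's headers: the hop into Microsoft 365 should show the on-premises server's name with TLS recorded, and the message should pass your own domain's SPF and DKIM checks because it left through the tenant's outbound IPs.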

Written by Sofia Laurent

Sofia Laurent is a Senior Editor exploring design, lifestyle, and global trends. She blends editorial clarity with a refined point of view.