Why should I ensure the domain in the RFC5321.mailfrom matches an accepted domain in my tenant?

Ensuring that the domain in the RFC5321.MailFrom (the envelope sender, also called the P1 sender) is an accepted domain in your tenant matters because, if it isn't, Exchange Online applies Sender Rewriting Scheme (SRS) and rewrites the envelope sender to the primary domain of the tenant. DMARC's SPF alignment compares the RFC5321.MailFrom domain with the RFC5322.From header domain; after the rewrite those two no longer match, so SPF can no longer satisfy DMARC and the message passes only if it carries a DKIM signature whose d= domain aligns with the From header. Relayed mail that is unsigned, or signed with a non-aligned domain, can therefore be quarantined or rejected by recipients that enforce DMARC, and bounces are routed through the rewritten address rather than back to the original sender.
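The effect described above, worked through as an added example (this is not code from the original page or from Microsoft): a small DMARC alignment check run over a constructed message before and after an SRS rewrite. The organizational-domain derivation is deliberately simplified (last two labels rather than the Public Suffix List), the addresses are invented, and the SRS0=... address shape is illustrative only.

```powershell
# Added example (not from the original page): shows why an SRS rewrite of the
# envelope sender breaks DMARC's SPF alignment and leaves DKIM as the only path.
# All addresses are constructed; the SRS0=... shape is illustrative only.

function Get-OrganizationalDomain {
    param([Parameter(Mandatory)][string]$Domain)
    # Simplification: treat the last two labels as the organizational domain.
    # A real DMARC verifier uses the Public Suffix List (e.g. co.uk is one suffix).
    $labels = $Domain.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-DmarcIdentifierAlignment {
    param(
        [Parameter(Mandatory)][string]$AuthenticatedDomain,  # SPF: RFC5321.MailFrom domain; DKIM: d= tag
        [Parameter(Mandatory)][string]$FromHeaderDomain,     # RFC5322.From domain
        [ValidateSet('relaxed', 'strict')][string]$Mode = 'relaxed'
    )
    $a = $AuthenticatedDomain.ToLowerInvariant()
    $f = $FromHeaderDomain.ToLowerInvariant()
    if ($Mode -eq 'strict') { return ($a -eq $f) }
    return ((Get-OrganizationalDomain $a) -eq (Get-OrganizationalDomain $f))
}

function Get-DomainFromAddress {
    param([Parameter(Mandatory)][string]$Address)
    return $Address.Substring($Address.LastIndexOf('@') + 1)
}

function Test-DmarcOutcome {
    param(
        [Parameter(Mandatory)][string]$MailFrom,     # RFC5321.MailFrom as seen by the receiver
        [Parameter(Mandatory)][string]$FromHeader,   # RFC5322.From address
        [string]$DkimSigningDomain = '',             # d= of a passing DKIM signature, if any
        [bool]$SpfPass = $true                       # assume SPF itself passes for the relaying IP
    )
    $fromDomain  = Get-DomainFromAddress $FromHeader
    $spfAligned  = $SpfPass -and (Test-DmarcIdentifierAlignment (Get-DomainFromAddress $MailFrom) $fromDomain)
    $dkimAligned = $false
    if ($DkimSigningDomain) { $dkimAligned = Test-DmarcIdentifierAlignment $DkimSigningDomain $fromDomain }
    [pscustomobject]@{
        MailFrom    = $MailFrom
        SpfAligned  = $spfAligned
        DkimAligned = $dkimAligned
        DmarcPass   = ($spfAligned -or $dkimAligned)
    }
}

# Constructed scenario: contoso.com is the From: domain. Before the relay the
# envelope sender is also contoso.com; after SRS it sits in the tenant's primary
# domain (here contoso.onmicrosoft.com), so SPF alignment is lost and only an
# aligned DKIM signature rescues the DMARC result.
$from = 'alerts@contoso.com'
Test-DmarcOutcome -MailFrom 'alerts@contoso.com' -FromHeader $from
Test-DmarcOutcome -MailFrom 'SRS0=HHH=TT=contoso.com=alerts@contoso.onmicrosoft.com' -FromHeader $from
Test-DmarcOutcome -MailFrom 'SRS0=HHH=TT=contoso.com=alerts@contoso.onmicrosoft.com' -FromHeader $from -DkimSigningDomain 'contoso.com'
```

The three calls return SpfAligned true / DmarcPass true for the unrewritten message, SpfAligned false / DmarcPass false once the envelope sender has been rewritten, and DmarcPass true again only when a DKIM signature with d=contoso.com is present, which is why an unsigned on-premises application relaying through a non-accepted domain is the case to worry about.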

What changes were made to the SMTP relay requirements through Exchange Online as of November 1, 2023?

The updated requirements, effective from November 1, 2023, for SMTP relay through Exchange Online include:

  • The SMTP certificate domain on the SMTP connection or the SMTP envelope sender domain in the MAIL FROM command (P1 sender domain) must be an accepted domain of your organization.
  • The sending host's IP address or the certificate domain on the SMTP connection must match your organization’s Inbound connector of OnPremises type.

Previously, the SMTP P2 sender domain (the domain in the From header, RFC5322.From) was also used to attribute a relayed message to your organization; that attribution path has been removed.

How can the removal of the P2 sender domain requirement affect my organization?

The removal of the P2 sender domain requirement might affect scenarios where:

  • Your organization relays non-delivery reports (NDRs) generated by on-premises systems through Exchange Online.
  • Applications hosted on-premises send emails where the SMTP envelope sender (P1 sender domain) isn't an accepted domain in Exchange Online.
  • You use a third-party cloud service for email relay, and the SMTP envelope sender domain is different from your organization’s domain.

How can I check if these changes impact my organization?

After connecting to Exchange Online PowerShell with Connect-ExchangeOnline, you can use the Start-HistoricalSearch cmdlet to request a report that identifies messages currently attributed to your organization through the P2 sender domain, which is the attribution path being removed. You can narrow the report with criteria such as a date range (within the message trace retention window) and sender or recipient domains; the finished report is sent to the NotifyAddress, and Get-HistoricalSearch shows its progress. Here's an example command:

Start-HistoricalSearch -EndDate "2023/09/22" -StartDate "2023/09/18" -ReportTitle "Report on emails using a specific sender domain" -ReportType "P2SenderAttribution" -NotifyAddress admin@mydomain.com

What should I do if my organization is affected by these changes?

If your organization is affected, you should:

  • Configure your Inbound connector of OnPremises type with the domain of the TLS certificate your on-premises server presents (the connector's certificate domain), and add that certificate domain as an accepted domain of your organization, so relay no longer depends on the P2 sender domain.
  • If a third-party cloud service relays mail on your behalf, confirm that it presents a certificate unique to your organization (a certificate shared across the provider's customers cannot be matched to your connector), and add that certificate's domain as an accepted domain.
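The remediation steps above, turned into a check you can run against your own tenant, as an added example (not code from the original page or from Microsoft). It evaluates every Inbound connector of OnPremises type against the two requirements: a certificate domain that is an accepted domain, or an IP-only connector that will keep working only while the MAIL FROM domain is accepted. Get-AcceptedDomain, Get-InboundConnector and Set-InboundConnector are real cmdlets; the function, its name, the sample objects, and the treatment of a wildcard certificate (*.example.com checked as example.com) are this example's own assumptions, and the last one should be verified against the official documentation.

```powershell
# Added example (not from the original page): checks every Inbound connector of
# type OnPremises against the November 1, 2023 relay requirements. The cmdlets
# named in the output are real; the sample objects below are constructed so the
# function can be exercised without a tenant connection.

function Test-OnPremRelayConnector {
    param(
        [Parameter(Mandatory)]$AcceptedDomains,    # output of Get-AcceptedDomain (or look-alike objects)
        [Parameter(Mandatory)]$InboundConnectors   # output of Get-InboundConnector (or look-alike objects)
    )
    # DomainName is a SmtpDomainWithSubdomains object on real output; cast to string.
    $accepted = @($AcceptedDomains | ForEach-Object { ([string]$_.DomainName).ToLowerInvariant() })

    foreach ($c in @($InboundConnectors | Where-Object { $_.ConnectorType -eq 'OnPremises' })) {
        $certName = [string]$c.TlsSenderCertificateName
        $ips      = @($c.SenderIPAddresses)
        $status   = 'Unknown'
        $detail   = ''

        if ($certName) {
            # Assumption: for a wildcard certificate *.example.com the accepted
            # domain to check is example.com; verify this against the official docs.
            $certDomain = ($certName -replace '^\*\.', '').ToLowerInvariant()
            if ($accepted -contains $certDomain) {
                $status = 'OK'
                $detail = "certificate domain '$certDomain' is an accepted domain"
            } else {
                $status = 'Action'
                $detail = "add '$certDomain' as an accepted domain in the Microsoft 365 admin center, or change TlsSenderCertificateName to a domain that is already accepted"
            }
        } elseif ($ips.Count -gt 0) {
            $status = 'Review'
            $detail = "IP-only ($($ips -join ', ')); relay works only while the MAIL FROM domain is accepted. Consider: Set-InboundConnector -Identity '$($c.Name)' -TlsSenderCertificateName <certificate domain>"
        } else {
            $status = 'Action'
            $detail = 'neither a certificate domain nor sender IP addresses are configured'
        }

        [pscustomobject]@{ Connector = $c.Name; Status = $status; Detail = $detail }
    }
}

# Constructed sample input standing in for Get-AcceptedDomain / Get-InboundConnector output.
$sampleAccepted = @(
    [pscustomobject]@{ DomainName = 'contoso.com';             DomainType = 'Authoritative' }
    [pscustomobject]@{ DomainName = 'contoso.onmicrosoft.com'; DomainType = 'Authoritative' }
)
$sampleConnectors = @(
    [pscustomobject]@{ Name = 'OnPrem-Cert';      ConnectorType = 'OnPremises'; TlsSenderCertificateName = '*.contoso.com';     SenderIPAddresses = @() }
    [pscustomobject]@{ Name = 'OnPrem-OtherCert'; ConnectorType = 'OnPremises'; TlsSenderCertificateName = 'mail.fabrikam.net'; SenderIPAddresses = @() }
    [pscustomobject]@{ Name = 'OnPrem-IP';        ConnectorType = 'OnPremises'; TlsSenderCertificateName = $null;               SenderIPAddresses = @('203.0.113.10') }
    [pscustomobject]@{ Name = 'Partner-Only';     ConnectorType = 'Partner';    TlsSenderCertificateName = $null;               SenderIPAddresses = @() }
)

Test-OnPremRelayConnector -AcceptedDomains $sampleAccepted -InboundConnectors $sampleConnectors | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline):
# Test-OnPremRelayConnector -AcceptedDomains (Get-AcceptedDomain) -InboundConnectors (Get-InboundConnector)
```

With the sample input, OnPrem-Cert reports OK, OnPrem-OtherCert reports Action because mail.fabrikam.net is not an accepted domain, OnPrem-IP reports Review because it depends on the envelope sender domain alone, and the Partner connector is skipped because the requirement applies only to OnPremises connectors.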

For more detailed guidance on configuring your systems in line with the new requirements, refer to the official documentation.

These FAQs are designed to help organizations navigate changes in SMTP relay requirements through Exchange Online and ensure compliance with email authentication standards.