Connectors are a collection of instructions that customize the way your email flows to and from your Microsoft 365 or Office 365 organization. Actually, most Microsoft 365 and Office 365 organizations don't need connectors for regular mail flow. This article describes the mail flow scenarios that require connectors.
Connectors are used in the following scenarios:
Enable mail flow between Microsoft 365 or Office 365 and email servers that you have in your on-premises environment (also known as on-premises email servers).
Apply security restrictions or controls to email that's sent between your Microsoft 365 or Office 365 organization and a business partner or service provider.
Relay mail from devices, applications, or other non-mailbox entities in your on-premises environment through Microsoft 365 or Office 365.
Avoid graylisting that would otherwise occur due to the large volume of mail that's regularly sent between your Microsoft 365 or Office 365 organization and your on-premises environment or partners.
Note
Graylisting is a delay tactic that protects email systems from spam. In Microsoft 365 and Office 365, graylisting slows down suspiciously large amounts of email by throttling the message sources based on their IP addresses. Microsoft 365 or Office 365 responds to these abnormal influxes of mail by returning a temporary non-delivery report error (also known as an NDR or bounce message) in the range 451 4.7.500-699 (ASxxx). For more details on these types of delivery issues, see Fix email delivery issues for error code 451 4.7.500-699 (ASxxx) in Exchange Online.
Nothing. We just don't call them "inbound" and "outbound" anymore (although the PowerShell cmdlet names still contains these terms). If you previously set up inbound and outbound connectors, they will still function in exactly the same way.
The process for setting up connectors has changed; instead of using the terms "inbound" and "outbound", we ask you to specify the start and end points that you want to use. The way connectors work in the background is the same as before (inbound means into Microsoft 365 or Office 365; outbound means from Microsoft 365 or Office 365).
Exchange Online is ready to send and receive email from the internet right away. You don't need to set up connectors unless you have standalone Exchange Online Protection (EOP) or other specific circumstances that are described in the following table:
Scenario Description Connector required? Connector settings You have a standalone EOP subscription. You have your own on-premises email servers, and you subscribe to EOP only for email protection services for your on-premises mailboxes (you have no mailboxes in Exchange Online).For more information about standalone EOP, see Standalone Exchange Online Protection and the How connectors work with my on-premises email servers section later in this article.
Yes Connector for incoming email:Connector for outgoing email:
For details, see the I have my own email servers section later in this article and Exchange Server Hybrid Deployments.
Yes Connector for incoming email:Connector for outgoing email:
For details, see Option 3: Configure a connector to send mail using Office 365 SMTP relay
Note: Instead of Office 365 SMTP relay, you can use direct send to send email from your apps or devices. But, direct send introduces other issues (for example, graylisting or throttling).
Optional Only one connector for incoming email:For details, see Set up connectors for secure mail flow with a partner organization.
Optional Connector for incoming email:Connector for outgoing email:
Note
If you don't have Exchange Online or EOP and are looking for information about Send connectors and Receive connectors in Exchange 2016 or Exchange 2019, see Connectors.
You can't have an "allow" by sender domain connector when there is a restrict by IP or certificate connector. The restrict connector will take precedence, as partner connectors are pulled up by IP or certificate lookup when restrictions and mail rejections are applied. You should not have IPs and certificates configured in the same partner connector. Instead, you should use separate connectors. Don't use associated accepted domains unless you're testing the connector for a subset of the accepted domains or recipient domains.
If you have Exchange Online or EOP and your own on-premises email servers, you definitely need connectors. This is more complicated and has more options as described in the following table:
Connectors enable mail flow in both directions (to and from Microsoft 365 or Office 365). You can enable mail flow with any SMTP server (for example, Microsoft Exchange or a third-party email server).
The diagram below shows how connectors in Exchange Online or EOP work with your own email servers.
In this example, John and Bob are both employees at your company. John has a mailbox on an email server that you manage, and Bob has a mailbox in Exchange Online. John and Bob both exchange mail with Sun, a customer with an internet email account:
Important
Always confirm that your internet-facing email servers aren't accidentally configured to allow open relay. An open relay allows mail from any source (spammers) to be transparently re-routed through the open relay server. This behavior masks the original source of the messages, and makes it look like the mail originated from the open relay server.
If you've already run the Hybrid Configuration wizard, the required connectors are already configured for you. You can view your hybrid connectors on the Connectors page in the EAC. You can view, troubleshoot, and update these connectors using the procedures described in Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers, or you can re-run the Hybrid Configuration wizard to make changes.
You can create connectors to add additional security restrictions for email sent between Microsoft 365 or Office 365 and a partner organization. A partner can be an organization you do business with, such as a bank. It can also be a cloud email service provider that provides services such as archiving, antispam, and so on. You can create a partner connector that defines boundaries and restrictions for email sent to or received from your partners, including scoping the connector to receive email from specific IP addresses, or requiring TLS encryption.
The diagram below shows an example where ContosoBank.com is a business partner that you share financial details with via email. Because you are sharing financial information, you want to protect the integrity of the mail flow between your businesses. Connectors with TLS encryption enable a secure and trusted channel for communicating with ContosoBank.com. In this example, two connectors are created in Microsoft 365 or Office 365. TLS is required for mail flow in both directions, so ContosoBank.com must have a valid encryption certificate. A certificate from a commercial certification authority (CA)that's automatically trusted by both parties is recommended.
When you create a connector, you can also specify the domain or IP address ranges that your partner sends mail from. If email messages don't meet the security conditions that you set on the connector, the message will be rejected. For more information about creating connectors to exchange secure email with a partner organization, see Set up connectors for secure mail flow with a partner organization.
This scenario applies only to organizations that have all their mailboxes in Exchange Online (no on-premises email servers) and allows an application or device to send mail (technically, relay mail) through Microsoft 365 or Office 365. For example, if you want a printer to send notifications when a print job is ready, or you want your scanner to email documents to recipients, you can use a connector to relay mail through Microsoft 365 or Office 365 on behalf of the application or device.
Keep in mind that there are other options that don't require connectors. For details about all of the available options, see How to set up a multifunction device or application to send email.
Before you set up a connector, you need to configure the accepted domains for Microsoft 365 or Office 365. For more information, see Manage accepted domains in Exchange Online.
Connector setup articles:
Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers
Mail flow best practices for Exchange Online and Microsoft 365 or Office 365 (overview)
Set up connectors for secure mail flow with a partner organization
What happens when I have multiple connectors for the same scenario?
For more information signal connector, please get in touch with us!