Exchange Server outbound settings cover four main areas: send connectors (where outbound mail routes), accepted domains (which domains this server is authoritative for), email address policies (default address formats), and authentication (SPF, DKIM, DMARC). For Exchange Online (Microsoft 365), the SMTP host is smtp.office365.com:587 with STARTTLS and modern authentication.
Exchange Server Settings: Outbound Configuration
Exchange Server settings span on-prem (Exchange Server 2019, Subscription Edition) and cloud (Exchange Online via Microsoft 365). The settings overlap conceptually but differ in where you configure them and which features are automatic vs manual. This guide covers the outbound settings most senders need to get right.
The big picture
Exchange handles outbound mail through:
- Accepted domains — which domains the server is authoritative for
- Send connectors (on-prem) or outbound connectors (Exchange Online) — how mail leaves the organization
- Transport rules — routing logic, footer addition, content filtering
- Email address policies — default From: address formats
- Authentication — SPF, DKIM, DMARC for the sending domain
The split between on-prem and cloud changes some of these, but the concepts are the same.
Exchange Online (Microsoft 365) outbound settings
For Microsoft 365 hosted mail:
| Setting | Value |
|---|---|
| SMTP server | smtp.office365.com |
| Port | 587 |
| Encryption | STARTTLS (required) |
| Authentication | OAuth 2.0 or SMTP AUTH per mailbox |
| Send limit | 30 messages/minute, 10,000 recipients/day per mailbox |
For application sending where users aren't logging in, there are three patterns:
| Pattern | Use when | Limits |
|---|---|---|
| SMTP AUTH (client submission) | Single mailbox, manageable volume | 10,000 recipients/day per mailbox |
| Direct Send | Internal apps, no auth needed | Up to 10,000 messages/day from same IP |
| Microsoft 365 SMTP relay (high-volume) | Add-on license required | Higher quotas |
SMTP AUTH must be enabled per mailbox by an admin with Set-CASMailbox -SmtpClientAuthenticationDisabled $false. Microsoft disabled it tenant-wide by default for new tenants.
On-prem Exchange Server outbound settings
For Exchange Server 2019 or Subscription Edition, outbound mail is routed via Send Connectors.
Create a Send Connector via Exchange admin center (Mail Flow → Send Connectors → +) or PowerShell:
New-SendConnector -Name "Outbound to Internet" `
-Usage Internet `
-AddressSpaces "*" `
-DNSRoutingEnabled $true `
-SourceTransportServers "EXCH01","EXCH02" `
-TlsAuthLevel EncryptionOnly `
-RequireTLS $true
Key parameters:
- AddressSpaces "*" — handles all external recipients
- DNSRoutingEnabled — Exchange looks up MX records itself (alternative: send via smart host)
- SmartHosts — instead of DNS, route via a relay (often EOP or a security gateway)
- RequireTLS — enforce TLS to receiving servers (recommended)
For hybrid Exchange (on-prem + Exchange Online), the connector typically routes through Exchange Online Protection rather than direct.
Accepted domains
Accepted domains define which email domains this Exchange organization is authoritative for. Three types:
| Type | Meaning |
|---|---|
| Authoritative | Mail for this domain is delivered to mailboxes in this org |
| Internal Relay | Mail accepted then routed to another internal system |
| External Relay | Mail accepted then routed to an external system |
New-AcceptedDomain -Name "Acme Marketing" -DomainName "marketing.acme.com" -DomainType Authoritative
For Exchange Online, accepted domains are managed in the Microsoft 365 admin center under Domains.
DKIM signing in Exchange
Exchange Online (Microsoft 365): Enable DKIM per custom domain in Defender → Email & collaboration → Policies → Email authentication settings → DKIM. Microsoft generates two CNAME records you publish in DNS, then click Enable. From that point, mail from your custom domain via Exchange Online signs automatically.
On-prem Exchange Server: No native DKIM signing. Use the open-source Exchange-DkimSigner transport agent, route outbound via EOP (which signs), or use a third-party security gateway that signs.
Transport rules
Transport rules (also called mail flow rules) are conditional actions on messages passing through the transport pipeline. Common uses:
- Add a disclaimer footer to external recipients
- Bcc compliance addresses on specific senders
- Block messages matching specific patterns
- Redirect mail to a security mailbox for review
- Modify headers (add X-headers for downstream filtering)
Create via Exchange admin center (Mail Flow → Rules) or PowerShell:
New-TransportRule -Name "External Disclaimer" `
-SentToScope NotInOrganization `
-ApplyHtmlDisclaimerLocation Append `
-ApplyHtmlDisclaimerText "<i>This email originated outside Acme...</i>"
Practitioner note: I've seen transport rules cause more deliverability problems than I'd expect — usually because someone added a disclaimer that includes a tracking link, which is then flagged by recipients' filters. Audit transport rules for outbound mail when troubleshooting unexplained spam placement.
Email address policies
Email address policies set default address formats for new mailboxes. Configure via Exchange admin center (Recipients → Email Address Policies) or PowerShell:
New-EmailAddressPolicy -Name "Marketing Domain" `
-RecipientFilter "Department -eq 'Marketing'" `
-EnabledEmailAddressTemplates "SMTP:%g.%s@marketing.acme.com"
This applies the marketing.acme.com domain as the primary SMTP address for Marketing department mailboxes.
TLS settings
Modern Exchange should enforce TLS for outbound:
Set-SendConnector "Outbound to Internet" -RequireTLS $true -TlsAuthLevel EncryptionOnly
For inbound, configure Receive Connectors to require TLS:
Set-ReceiveConnector "Default Frontend EXCH01" -AuthMechanism Tls -RequireTLS $true
For Exchange Online, TLS is enforced by default and configurable in Defender under TLS/SSL settings. Consider enabling MTA-STS for your sending domain — see MTA-STS setup.
SPF for Exchange
For Exchange Online, the standard SPF include:
example.com. TXT "v=spf1 include:spf.protection.outlook.com -all"
For on-prem Exchange routing direct to internet, include the egress IP(s):
example.com. TXT "v=spf1 ip4:203.0.113.0/24 -all"
For hybrid (on-prem + Exchange Online), include both:
example.com. TXT "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all"
See SPF setup guide for the full mechanics.
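To see why the record has to match the mail path, the added example below (not from the original article) evaluates the three records above against an on-prem egress IP and an Exchange Online IP. It implements only the ip4, ip6, include and all mechanisms, and the contents of the include target and both sender IPs are constructed stand-ins, since the real include is resolved from DNS.

```python
import ipaddress

# Constructed stand-in for the include target; the real spf.protection.outlook.com
# record comes from DNS. 198.51.100.0/24 is a documentation range, not Microsoft's.
CONSTRUCTED_DNS = {"spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

RECORDS = {  # the three records shown in this section
    "online": "v=spf1 include:spf.protection.outlook.com -all",
    "on-prem": "v=spf1 ip4:203.0.113.0/24 -all",
    "hybrid": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
}
# Constructed sending IPs: one inside the on-prem range, one inside the stand-in range.
SENDERS = {"on-prem egress": "203.0.113.25", "Exchange Online": "198.51.100.7"}


def check_spf(record, sender_ip, dns=CONSTRUCTED_DNS, depth=0):
    """Evaluate ip4/ip6/include/all left to right (a subset of RFC 7208)."""
    terms = record.split()
    if depth > 10 or not terms or terms[0].lower() != "v=spf1":
        return "permerror"  # bad version tag, or include nesting too deep
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.lower().partition(":")
        if name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
        elif name == "include":
            inner = check_spf(dns.get(value, ""), sender_ip, dns, depth + 1)
            if inner == "permerror":
                return inner  # include target missing or broken
            matched = inner == "pass"  # only a pass inside the include matches
        elif name == "all":
            matched = True
        else:
            return "permerror"  # a, mx, redirect etc. are outside this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


def audit():
    """SPF result for every record/sender combination."""
    return {(r, s): check_spf(rec, ip) for r, rec in RECORDS.items() for s, ip in SENDERS.items()}
```

Only the hybrid record returns pass for both senders; each single-path record returns fail for mail that leaves by the other path.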
DMARC for Exchange
DMARC is published the same way regardless of Exchange edition — a TXT record at _dmarc.yourdomain.com. See every DMARC tag explained for the record format and the DMARC none to reject guide for staged rollout.
Practitioner note: If you operate hybrid Exchange and DMARC fails periodically, the cause is almost always inconsistent DKIM signing between on-prem and Exchange Online. Make sure both paths sign with the same d= domain, or accept SPF alignment (via include:spf.protection.outlook.com plus on-prem IP) as the DMARC anchor.
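The alignment logic behind that note, as an added example that is not part of the original article: DMARC passes when either SPF or a DKIM signature passes and its domain aligns with the From: domain. The per-path results are constructed, contoso.onmicrosoft.com is a hypothetical tenant name, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
def org_domain(domain):
    """Last two labels. Assumption for this example: real verifiers consult the
    Public Suffix List, so this is wrong for suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ("r") compares organizational domains; strict ("s") needs an exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(msg, adkim="r", aspf="r"):
    """DMARC passes if SPF or any DKIM signature both passes and aligns with From."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["mailfrom"], msg["from"], aspf)
    dkim_ok = any(result == "pass" and aligned(d, msg["from"], adkim)
                  for result, d in msg["dkim"])
    return {"dmarc": "pass" if spf_ok or dkim_ok else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


# Constructed authentication results for mail from example.com leaving by
# different hybrid paths. "dkim" holds (result, d= domain) per signature.
PATHS = {
    "online, custom-domain DKIM": {
        "from": "example.com", "spf": "pass", "mailfrom": "example.com",
        "dkim": [("pass", "example.com")]},
    "online, default key only": {
        "from": "example.com", "spf": "pass", "mailfrom": "example.com",
        "dkim": [("pass", "contoso.onmicrosoft.com")]},
    "on-prem unsigned, IP in SPF": {
        "from": "example.com", "spf": "pass", "mailfrom": "example.com",
        "dkim": []},
    "on-prem unsigned, IP not in SPF": {
        "from": "example.com", "spf": "fail", "mailfrom": "example.com",
        "dkim": []},
}


def evaluate_paths():
    """DMARC verdict and the mechanism that carried it, per outbound path."""
    return {name: dmarc_result(msg) for name, msg in PATHS.items()}
```

Paths where dkim_aligned is False pass only as long as SPF does, which is the dependency the note describes for the unsigned on-prem leg.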
Anti-spoofing and inbound settings
Exchange Online has built-in anti-spoofing via Defender. For on-prem Exchange, the standard pattern is to front the server with EOP, Mimecast, Proofpoint, or another security gateway and let that handle anti-spoofing.
For inbound, ensure:
- Connection filtering enabled
- Anti-spoof intelligence enabled (Exchange Online)
- DMARC enforcement (drop or quarantine mail failing your domain's DMARC)
- Sender reputation enabled
Common Exchange settings mistakes
- SMTP AUTH still disabled when an app needs it. Run Get-CASMailbox <user> | FL Display*,Smtp* to verify.
- Send Connector smart host pointing to a decommissioned relay. Test with Test-SmtpConnectivity.
- Multiple Send Connectors with overlapping address spaces and different TLS requirements. Route order matters; verify with Get-SendConnector | FL Name,AddressSpaces,RequireTLS.
- Hybrid mail flow blocked by EOP IP filtering. Add on-prem IPs to the connector's allowed senders.
- Accepted Domain marked Authoritative when it should be Internal Relay. Mail for the domain gets bounced as "user unknown" instead of routed onward.
v1.0 · May 2026
Frequently Asked Questions
What are the SMTP settings for Microsoft Exchange?
Exchange Online (Microsoft 365): smtp.office365.com on port 587 with STARTTLS and OAuth or SMTP AUTH per mailbox. For on-prem Exchange Server: your internal hub transport server hostname on port 25 internally, plus a configured Send Connector for external relay. Outbound TLS should be enforced; basic authentication has been deprecated for most tenants.
What are the Exchange Office 365 server settings?
Incoming (IMAP): outlook.office365.com:993 with SSL. Incoming (POP): outlook.office365.com:995 with SSL. Outgoing (SMTP): smtp.office365.com:587 with STARTTLS. Authentication is OAuth 2.0 or, for legacy apps, SMTP AUTH (enabled per mailbox in Exchange admin).
How do I configure outbound mail flow in Exchange Server?
Create a Send Connector via the Exchange admin center or PowerShell (New-SendConnector). Configure the address space (* for all), source servers, smart host or DNS routing, and TLS requirements. For Exchange Online integration, route via a hybrid connector or accepted domain pointed at Exchange Online Protection.
Does Microsoft 365 sign DKIM automatically?
Microsoft 365 signs with a default DKIM key for the onmicrosoft.com domain but not for custom domains by default. Enable DKIM for your custom domain via Defender → Email & collaboration → Policies → Email authentication settings → DKIM, then publish the two CNAME records Microsoft generates.
What's the difference between Exchange Server and Exchange Online?
Exchange Server is the on-premises product (current versions: 2019, Subscription Edition). Exchange Online is Microsoft's cloud-hosted version included with Microsoft 365 business plans. They share most concepts (mailboxes, send connectors, transport rules) but differ in management surface, DKIM signing, and infrastructure responsibility.