
Exchange Online mail flow and connectors

How mail moves into and out of Exchange Online — connectors, transport rules, and hybrid routing.

Exchange Online's mail flow is mostly invisible — messages just arrive — but understanding how mail moves makes troubleshooting and design dramatically easier.

The default flow

For a typical cloud-only tenant:

  1. Sender's mail server queries DNS for your domain's MX record.
  2. The MX record points to your-domain-com.mail.protection.outlook.com (Exchange Online Protection).
  3. EOP runs anti-spam, anti-malware, and anti-phishing on the incoming message.
  4. If accepted, the message hands off to Exchange Online and lands in the recipient's mailbox.

Outbound mail does the same in reverse: Outlook (or any client) hands off to Exchange Online, which signs the message, applies any transport rules, and delivers via EOP to the recipient's MX.

Connectors

Connectors are explicit routing rules into or out of Exchange Online for non-default flows.

  • Inbound connectors receive mail from a partner organisation, an on-prem Exchange server (hybrid), or a third-party service like a security gateway.
  • Outbound connectors send mail to a partner organisation, an on-prem server, or a third-party gateway (for example, a smart host for compliance archiving).

Each connector has matching criteria, TLS requirements, and IP/certificate restrictions. Misconfigured connectors are a top cause of mail delivery problems.

Transport rules

Transport rules (also called mail flow rules) act on every message that passes through Exchange Online — incoming, outgoing, or internal. They can:

  • Add disclaimers and footers.
  • Redirect, copy, or block messages by sender/recipient/content.
  • Append warnings to external senders.
  • Apply encryption (Office 365 Message Encryption) automatically.
  • Hand off to compliance journaling.

The classic Exchange admin center exposes the full rule editor.

DNS records for senders

For deliverability and anti-spoofing, three DNS records matter:

  • SPF: v=spf1 include:spf.protection.outlook.com -all (or ~all).
  • DKIM — signing keys published as CNAMEs, enabled in Defender for Office 365.
  • DMARC — policy record telling recipients what to do when SPF/DKIM fail.

Every Microsoft 365 tenant should publish all three.
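
An added example, not from the original page: a Python check that takes MX and TXT values already retrieved from DNS and flags an MX that does not point at EOP, a missing or soft SPF policy, and a DMARC policy of none. The function names and the example.com records are constructed for illustration; DKIM is left out because its CNAME selectors are not given on this page.

```python
EOP_MX_SUFFIX = ".mail.protection.outlook.com"
EOP_SPF_INCLUDE = "include:spf.protection.outlook.com"

def parse_dmarc_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict with lowercase tag names."""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}

def audit_mail_dns(mx_hosts, apex_txt, dmarc_txt):
    """Return findings for one domain; an empty list means nothing was flagged."""
    findings = []
    # MX: in the default flow the MX record points at EOP.
    if not any(h.rstrip(".").lower().endswith(EOP_MX_SUFFIX) for h in mx_hosts):
        findings.append("MX does not point to *.mail.protection.outlook.com")
    # SPF: a domain must publish exactly one v=spf1 TXT record.
    spf = [t.lower().split() for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"expected exactly 1 SPF record, found {len(spf)}")
    else:
        terms = spf[0]
        if EOP_SPF_INCLUDE not in terms:
            findings.append("SPF lacks include:spf.protection.outlook.com")
        # The 'all' mechanism with its qualifier decides what happens to other senders.
        qualifier = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
        if qualifier != "-all":
            findings.append(f"SPF 'all' mechanism is {qualifier!r}; only '-all' is a hard fail")
    # DMARC: published as a TXT record at _dmarc.<domain>.
    dmarc = [t for t in dmarc_txt if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"expected exactly 1 DMARC record, found {len(dmarc)}")
    else:
        policy = parse_dmarc_tags(dmarc[0]).get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC record has no valid p= tag")
        elif policy == "none":
            findings.append("DMARC p=none asks receivers to take no action")
    return findings

# Constructed sample records for the placeholder domain example.com.
STRICT = (["example-com.mail.protection.outlook.com."],
          ["v=spf1 include:spf.protection.outlook.com -all"],
          ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])
WEAK = (["mx.gateway.example.net."],
        ["v=spf1 include:spf.protection.outlook.com ~all", "site-verification=abc"],
        ["v=DMARC1; p=none"])

if __name__ == "__main__":
    for name, records in (("strict", STRICT), ("weak", WEAK)):
        print(name, audit_mail_dns(*records))
```

An MX finding is expected, not a fault, when inbound mail is deliberately routed through a third-party gateway and an inbound connector.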

Hybrid flow

In a hybrid Exchange deployment, on-prem and cloud mailboxes coexist. Mail between them flows through send connectors wired both ways, often via a smart host or TLS-only direct delivery. Hybrid is a transition state — Microsoft's recommended end state is cloud-only.

Troubleshooting

The Message Trace tool in the Exchange admin center tracks any individual message through every hop. The Mail Flow Insights dashboard surfaces patterns. For deeper traces, the Microsoft Remote Connectivity Analyzer tests authentication, autodiscover, and connector configuration end-to-end.