Connectors
Configure mail flow connectors to control how email is routed to and from Exchange Online. Connectors enable secure mail flow with on-premises servers, partner organizations, and third-party services.
Connector Types
Inbound Connector
Receives email FROM external sources. Configure when you need to accept mail from specific IP addresses or require specific security settings.
Use cases: From Partner, From On-Premises
Outbound Connector
Sends email TO external destinations. Configure when you need to route mail through specific servers or enforce encryption to certain domains.
Use cases: To Partner, To On-Premises
Connector List
| Column | Description |
|---|---|
| Name | Connector display name |
| Direction | Inbound or Outbound |
| Scenario | Partner, On-premises, or Internet |
| Status | Enabled or Disabled |
| Sender Domain/IP | Source identification |
| TLS | Encryption requirements |
Common Scenarios
Hybrid Mail Flow
Route mail between Exchange Online and on-premises Exchange. These connectors are created automatically by the Hybrid Configuration Wizard.
- Inbound: From on-premises to Office 365
- Outbound: From Office 365 to on-premises
- Security: TLS with certificate validation
Partner Organization
Secure mail flow with a business partner. Enforce TLS encryption and validate the partner’s identity via certificate.
- Use when: Exchange sensitive data with specific partner
- Security: Opportunistic or forced TLS
Email Security Gateway
Route outbound mail through a third-party security service (Proofpoint, Mimecast, etc.) for additional filtering.
- Outbound: Route all mail through gateway first
- Inbound: Accept mail only from gateway IPs
Smart Host Relay
Route outbound mail through a specific server (e.g., on-premises for compliance scanning or archival).
Inbound Connector Settings
Sender Identification
- Sender IP address — Accept from specific IPs only
- Sender domain — Accept from specific domains
- Certificate — Validate sender’s TLS certificate
Security Settings
- Require TLS encryption
- Require certificate from specific issuer
- Require certificate subject name match
Enhanced Filtering
Skip spam filtering for mail from this connector (use when a third-party gateway has already filtered it). Enable enhanced filtering to preserve the original sender IP for better detection.
Outbound Connector Settings
When to Use
- Mail sent to specific domains
- All mail (for smart host routing)
Routing
- MX record — Use recipient domain’s MX (default)
- Smart host — Route through specific server(s)
TLS Settings
- Opportunistic — Use TLS if available
- Always use TLS — Require encryption (reject if unavailable)
- Certificate validation — Verify destination certificate
Connector Validation
Test connectors before relying on them for production mail flow:
Validate Connector
Send a test email through the connector and verify delivery. Check TLS negotiation and certificate validation.
Message Trace
After testing, use message trace to confirm that the mail used the expected connector and routing path.
Troubleshooting
Warning: Mail Not Using Connector — Verify connector scope matches mail flow. Check if transport rules are overriding connector routing. Confirm connector is enabled.
Warning: TLS Negotiation Failed — Check that destination server supports required TLS version. Verify certificate is valid and trusted. Check certificate subject matches.
Warning: Mail Rejected by Partner — Verify your sending IP is in partner’s allowed list. Check SPF/DKIM/DMARC alignment. Confirm certificate is expected.
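For the TLS Negotiation Failed warning, the destination can be checked directly, independent of the connector. The script below is an added example, not part of this product or its API: it connects to a smart host, requires STARTTLS with TLS 1.2 or later and a trusted chain, and compares the certificate names with the name the connector expects. The function names and the 15-second timeout are assumptions made for the example.

```python
import smtplib
import ssl

def cert_dns_names(cert):
    """DNS names from an ssl getpeercert() dict: SAN entries, else subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label (*.example.net)."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def cert_covers(cert, expected_name):
    """True if any certificate name covers the name the connector expects."""
    return any(name_matches(n, expected_name) for n in cert_dns_names(cert))

def probe_smart_host(host, expected_name=None, port=25, timeout=15):
    """Connect, require STARTTLS, validate the chain, report what was negotiated."""
    expected_name = expected_name or host
    ctx = ssl.create_default_context()       # chain must lead to a trusted CA
    ctx.check_hostname = False               # name is compared to expected_name below
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"ok": False, "reason": "STARTTLS not offered"}
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLError as exc:          # version, cipher or chain failure
            return {"ok": False, "reason": f"TLS negotiation failed: {exc}"}
        cert = smtp.sock.getpeercert()
        return {
            "ok": cert_covers(cert, expected_name),
            "tls_version": smtp.sock.version(),
            "cert_names": cert_dns_names(cert),
            "not_after": cert.get("notAfter"),
        }
```

Call `probe_smart_host("<smart host FQDN>", "<expected certificate name>")` from a network that can reach port 25 on the destination; an `ok` of `False` with certificate names listed means the chain validated but the subject does not match.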
API Reference
GET /api/exchange/connectors
List all connectors
POST /api/exchange/connectors
Create connector
PUT /api/exchange/connectors/:id
Update connector
POST /api/exchange/connectors/:id/validate
Test connector
PUT /api/exchange/connectors/:id/status
Enable/disable connector