Microsoft 365 SMTP Relay Configuration — Enabling IP-Based SMTP Sending for On-Premises Devices via Exchange Online Connector
On-premises devices (printers, scanners, applications) fail to relay outbound email through Exchange Online when no inbound connector exists to authenticate by IP address. Without proper configuration, SMTP submissions to smtp.office365.com are rejected because the device lacks a licensed mailbox credential. Resolution requires creating an inbound connector in Exchange Admin Center that allows relay from specific static public IP addresses, eliminating the need for per-device credentials.
Indicators
- On-premises application, printer, or scanner fails to send email through Microsoft 365
- SMTP connections to Exchange Online are rejected when the device lacks a licensed M365 mailbox account
- Outbound email from on-premises devices silently drops or returns an SMTP relay denial error
- Devices configured with smtp.office365.com fail to authenticate when no per-device M365 account exists
- SMTP relay attempts return '550 5.7.1 Service unavailable' or similar rejection messages
Likely causes
- No inbound connector configured in Exchange Online to accept SMTP relay from the device's public IP address
- Device or application attempting to relay through Microsoft 365 without a licensed mailbox credential and with no IP-based relay exception in place
- Public IP of the sending device is dynamic or has changed, causing the relay connector's IP allow-list to no longer match
- SMTP AUTH is disabled at the tenant or mailbox level in Exchange Online, blocking authenticated submission from devices
- From address domain used by the device is not an accepted domain in the Microsoft 365 tenant
Diagnostic steps
- Identify the public IP address of the on-premises device, application, or server that needs to relay email. Confirm it is static and will not change. Use whatismyip.com from the device network or check with the ISP. The Exchange Online inbound connector uses IP address matching to authorize relay; a dynamic IP will break the connector.
- Log in to the Microsoft 365 admin portal and navigate to the Exchange Admin Center (EAC) at admin.exchange.microsoft.com. Confirms administrative access and provides the interface to create the required inbound SMTP relay connector.
- In the Exchange Admin Center, navigate to Mail Flow > Connectors and review any existing connectors to determine if an inbound relay connector is already present for the device's IP. Avoids creating duplicate connectors and identifies whether the issue is a missing connector or a misconfigured existing one.
- Test SMTP connectivity from the device network to the tenant MX endpoint on port 25: Test-NetConnection -ComputerName tenant-com.mail.protection.outlook.com -Port 25. Determines whether the failure is network connectivity, port blocking by the ISP, or an Exchange Online policy rejection.
- Verify the sender domain used by the device matches an accepted domain configured in the Microsoft 365 tenant under Settings > Domains in admin.microsoft.com. Exchange Online will reject relay if the From address domain is not an accepted domain in the tenant, even with a valid IP connector.
- Review Mail Flow > Message Trace in EAC for any recent failed delivery attempts from the device's IP to identify specific rejection reasons. Message trace provides the exact Exchange Online rejection response and identifies which policy or connector rule blocked the message.
Resolution path
- Step 1 — Log in to the Exchange Admin Center (admin.exchange.microsoft.com) with Global Admin or Exchange Admin credentials.
- Step 2 — Navigate to Mail Flow > Connectors and click '+ Add a connector'. Set the connection type: From = 'Your organization's email server', To = 'Office 365'.
- Step 3 — Name the connector descriptively (e.g., 'On-Premises Device SMTP Relay') and configure authentication method: select 'By verifying that the IP address of the sending server matches one of these IP addresses'.
- Step 4 — Enter the static public IP address(es) of the on-premises device, server, or NAT gateway. Use CIDR notation if a range is required (e.g., 203.0.113.0/24).
- Step 5 — Enable 'Reject email messages if they aren't sent over TLS' for transport encryption security.
- Step 6 — Configure the on-premises device SMTP settings: Server = tenant-com.mail.protection.outlook.com (your tenant MX endpoint), Port = 25, Authentication = None (IP-based relay does not use SMTP AUTH), TLS = Opportunistic or Required.
- Step 7 — Set the device From address to use a verified domain in the Microsoft 365 tenant (e.g., scanner@contoso.com where contoso.com is an accepted domain).
- Step 8 — Send a test email from the device and monitor Mail Flow > Message Trace in EAC for successful delivery.
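The same resolution carried out with Exchange Online PowerShell, as an added example (not the article's own code): it creates the IP-authenticated, TLS-required connector from steps 2 to 5 and then performs the test send and trace from steps 6 to 8. The connector name, the IP 203.0.113.10, the addresses at contoso.com and the MX host contoso-com.mail.protection.outlook.com are placeholder assumptions.

```powershell
# Added example: create the inbound relay connector and verify it.
# Placeholder assumptions: device/NAT public IP, accepted domain and tenant MX host below.
$ConnectorName = 'On-Premises Device SMTP Relay'
$DeviceIps     = @('203.0.113.10')        # add further addresses or CIDR ranges here
$MxHost        = 'contoso-com.mail.protection.outlook.com'
$From          = 'scanner@contoso.com'    # must be in an accepted domain (step 7)
$To            = 'helpdesk@contoso.com'

Connect-ExchangeOnline -ShowBanner:$false

# Idempotent: reuse an existing connector of the same name rather than create a duplicate.
$connector = Get-InboundConnector -Identity $ConnectorName -ErrorAction SilentlyContinue
if (-not $connector) {
    $params = @{
        Name                         = $ConnectorName
        ConnectorType                = 'OnPremises'  # From 'Your organization's email server' to 'Office 365'
        SenderDomains                = '*'           # any From domain, but only from the listed IPs
        SenderIPAddresses            = $DeviceIps    # EAC option 'verifying that the IP address ... matches'
        RestrictDomainsToIPAddresses = $true         # reject mail claiming these domains from other IPs
        RequireTls                   = $true         # 'Reject email messages if they aren't sent over TLS'
    }
    $connector = New-InboundConnector @params
}
$connector | Format-List Name, Enabled, ConnectorType, SenderIPAddresses, RequireTls

# Steps 6 to 8, run from the device's network: port 25, no SMTP AUTH, STARTTLS via -UseSsl.
# Sent from any IP not in $DeviceIps, this same message is rejected, which is the point.
Send-MailMessage -SmtpServer $MxHost -Port 25 -UseSsl -From $From -To $To `
    -Subject 'Relay connector test' -Body "Sent via $ConnectorName at $(Get-Date -Format o)"

Start-Sleep -Seconds 60   # message trace lags a little behind delivery
Get-MessageTrace -SenderAddress $From -StartDate (Get-Date).AddMinutes(-15) -EndDate (Get-Date) |
    Select-Object Received, RecipientAddress, Status, FromIP
```

Send-MailMessage is only used here as a stand-in for the device's own SMTP client; the status column of the trace should read Delivered once the connector matches.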
Prevention
- Use static public IP addresses for all devices and servers that relay through the Exchange Online connector; document these IPs in a configuration register to prevent connector breakage from IP changes.
- Enforce TLS on the inbound connector so that all SMTP relay traffic between on-premises devices and Exchange Online is encrypted in transit.
- Periodically audit Mail Flow > Connectors in EAC to remove stale or overly permissive connectors that may allow unintended relay sources.
- Prefer IP-based SMTP relay over storing Microsoft 365 credentials in device firmware (printers, scanners) to reduce credential exposure risk.
- Document the connector configuration and associated device IPs in operational runbooks for rapid troubleshooting when IP addresses change.
Tools
- Exchange Admin Center / EAC (admin.exchange.microsoft.com) — connector creation and message tracing
- Mail Flow > Message Trace in EAC — confirms relay connector matching and delivery status
- PowerShell Test-NetConnection — verifies TCP port 25 reachability to M365 MX endpoint
- Telnet client — manual SMTP conversation testing to observe rejection messages