EOP stands for Exchange Online Protection. It is the cloud email filtering service included with Exchange Online (EXO). By default, the MX record for a Microsoft 365 tenant's domain points to EOP. EOP accepts the email for the mailbox, scans it for email threats such as spam, malware, phishing and spoofing, and delivers it to the mailbox if no threat is found (otherwise it takes the action configured in the tenant's anti-spam and anti-malware policies).

Inbound mail flow refers to how email enters the Exchange Online environment. EOP is the component that accepts the email into Exchange Online.

Before discussing the inbound mail flow types in Microsoft 365, let's first go through two terms that will make the mail flow easier to follow.

What is an MX record?

MX record stands for mail exchanger record. It is a DNS record for a domain (published in the DNS zone hosted by your registrar or DNS provider) that names the email server responsible for accepting email messages on behalf of that domain.

Usually this server scans all incoming email for spam, phishing and other email-related threats, but that is not always the case, as the scenarios below show.

Example: My domain is aashu.co.in, and the MX record published for aashu.co.in in DNS is aashu-co-in.mail.protection.outlook.com.

If the MX record is “aashu-co-in.mail.protection.outlook.com“, we can conclude that it points to EOP. Any email server on the internet that wants to send mail to user@aashu.co.in will look up that record, connect to “aashu-co-in.mail.protection.outlook.com” and hand the message to EOP.

To check the MX record for any domain, use the website https://mxtoolbox.com/ (or nslookup, dig or Resolve-DnsName on your own machine).

If you check the MX record for gmail.com on that website, the results contain the following fields.

  • Preference (Pref): the priority of the MX record. The lower the number, the higher the priority. The sending email server sends its first connection request to the host listed with the lowest preference (5 in the Gmail result). If the host at preference 5 is unavailable, it moves on to the host at preference 10, and so on.
  • Hostname: the fully qualified name of the mail server that the sending server must connect to.
  • IP Address: the address that the hostname currently resolves to.
  • TTL (Time To Live): how long, in seconds, a resolver may cache the MX record before it must query DNS again. A low TTL means that an MX change takes effect quickly.
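The same lookup from a Windows machine, as an added example that is not part of the original post: the function below resolves a domain's MX records with Resolve-DnsName, orders them the way a sending server tries them (lowest preference first) and reports whether the primary host is EOP. The `Expected` check assumes that Microsoft 365 publishes the MX token as the domain with dots replaced by dashes; Microsoft does issue suffixed tokens in some cases, so a mismatch means "verify in the Microsoft 365 admin center", not "misconfigured".

```powershell
# Added example (not from the original post). Runs in Windows PowerShell 5.1 or
# PowerShell 7 on Windows, where Resolve-DnsName (DnsClient module) is available.
function Get-MxRoute {
    <#
    .SYNOPSIS
      Resolves a domain's MX records, orders them as a sending server would try
      them (lowest preference first) and reports whether the primary MX is EOP.
    #>
    param(
        [Parameter(Mandatory)]
        [string]$Domain
    )

    # -DnsOnly skips the local cache and hosts file so we see what is really published.
    $records = Resolve-DnsName -Name $Domain -Type MX -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' } |
        Sort-Object Preference, NameExchange

    if (-not $records) {
        throw "No MX record is published for $Domain"
    }

    # Assumption: Microsoft 365 normally publishes <domain-with-dashes>.mail.protection.outlook.com.
    # Tokens with an extra suffix exist, so treat a mismatch as "verify", not "wrong".
    $expectedEop = ($Domain.ToLower() -replace '\.', '-') + '.mail.protection.outlook.com'

    $route = foreach ($r in $records) {
        $target = $r.NameExchange.TrimEnd('.').ToLower()
        [pscustomobject]@{
            Preference = $r.Preference
            Hostname   = $target
            TTL        = $r.TTL
            IsEop      = ($target -like '*.mail.protection.outlook.com')
            Expected   = ($target -eq $expectedEop)
        }
    }

    # The host tried first is the one with the lowest preference.
    $primary = @($route)[0]
    $verdict = if ($primary.IsEop -and $primary.Expected) { 'EOP (token matches this domain)' }
               elseif ($primary.IsEop)                    { 'EOP (token differs from the expected one, verify the tenant)' }
               else                                       { 'Third-party filter, on-premises server or other host' }

    [pscustomobject]@{
        Domain    = $Domain
        PrimaryMx = $primary.Hostname
        Verdict   = $verdict
        Route     = $route
    }
}

# Usage with the domain from the post; the output depends on live DNS.
$result = Get-MxRoute -Domain 'aashu.co.in'
$result | Format-List Domain, PrimaryMx, Verdict
$result.Route | Format-Table Preference, Hostname, TTL, IsEop
```

Run it against your own domain before and after an MX change: the `Route` table shows the failover order and the TTL tells you how long old resolvers may keep sending to the previous host.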

Compliance and Archiving solution.

An email Compliance and Archiving solution inspects email for sensitive data in order to prevent data leakage, and it enforces the data regulations that apply to the organization's industry on the email that passes through it.

The solution also preserves email communications by archiving them in a format suitable for long-term storage and later search and retrieval for eDiscovery, audit and investigation purposes.

Example: in a hospital, the Compliance and Archiving solution takes a pre-configured action against emails containing patient records with PII as they pass through it.

The Compliance and Archiving solution can sit in front of the spam filter: the MX record points to the solution, which receives the email, checks it for compliance, archives it, and then forwards it to the spam filter.

It can also sit behind the spam filter: the MX record points to the spam filter, which scans the email for spam and other threats first and then forwards it to the solution for archiving and compliance checks.

Connectors in Exchange Online.

Connectors are the configuration objects that enable mail flow between EOP and an on-premises Exchange server (Hybrid), or between EOP and another organization's email server (a business partner or a mail gateway).

A connector between EOP and another organization lets you receive a large volume of email from it, and it lets you apply security restrictions to that traffic, such as requiring TLS or accepting the email only from the partner's IP addresses or TLS certificate.

An Inbound connector accepts incoming email from an on-premises Exchange server or from a partner organization's email server.

An Outbound connector routes email from EOP (the Exchange Online environment) to an on-premises Exchange server or to a partner organization's email server.

When you run the Hybrid Configuration Wizard (HCW) to set up hybrid between EXO and the on-premises Exchange server, it creates both the Inbound connector and the Outbound connector automatically. You can also create them manually in the Exchange Admin Center (EAC) or with Exchange Online PowerShell.

MX record pointed to EOP.

This is the simplest mail flow configuration, typically used when the organization uses only Microsoft 365 services. No third-party email filtering, archiving or compliance solution is involved.

Microsoft 365 or Office 365 hosts all the mailboxes, and EOP filters the emails.

Another scenario for pointing the MX record to EOP is an organization in Exchange Hybrid that wants to try EOP's filtering before migrating all mailboxes from the on-premises Exchange server to Microsoft 365.

In a cloud-only environment, EOP receives the email, scans it for spam and other email-related threats, and then delivers it to the mailbox.

In a Hybrid environment, EOP receives the email, scans it, and then routes it over the hybrid Outbound connector to the on-premises Exchange server if the mailbox is hosted there.

MX record pointed to EOP – EOP standalone (all mailboxes on the on-premises Exchange server).

An organization may be in Exchange hybrid with all mailboxes still on the on-premises Exchange server, for example because its data compliance policies do not allow the mailboxes to be migrated to Exchange Online.

If the on-premises Exchange server hosts all the mailboxes and the MX record points to EOP, the configuration is referred to as EOP standalone.

In this setup, EOP will filter all the emails and then send them to the mailbox hosted on the on-premises Exchange server.

In EOP standalone, a few EOP features are not available.

Example: ZAP (zero-hour auto purge) is not available in EOP standalone. ZAP detects and removes spam, malware and phishing messages that have already been delivered to Exchange Online mailboxes, so it cannot act on mailboxes that live on the on-premises server.

Feature availability across all plans is described in the Microsoft article Exchange Online Protection service description.

MX pointed to a 3rd party email filtering solution.

If an organization uses only Microsoft 365 services but does not want EOP as its primary email filtering solution, it can point the MX record to the third-party email filtering solution of its choice.

Many third-party email filtering solutions, such as Barracuda and Proofpoint, accept email on behalf of your organization, scan it for email-related threats, and then relay it to Exchange Online, where the mailboxes are hosted.

For this setup to work, the EXO administrator has to create an inbound connector that identifies the third-party filtering solution (by its IP addresses or its TLS certificate) as the source of the email.

To avoid a double spam check in EOP, either create a mail flow (transport) rule that sets SCL to -1 for email from the third-party solution's IP addresses, or, preferably, enable Enhanced Filtering for Connectors, which makes EOP skip the gateway's IP and evaluate the true source of the message. Do not combine the two: with Enhanced Filtering enabled, an SCL -1 rule switches off EOP's evaluation of the real sender entirely. Also restrict the inbound connector to the filtering solution's IP addresses or certificate, so that EOP rejects email sent directly to the tenant's mail.protection.outlook.com hostname; otherwise a sender can bypass the third-party filter by ignoring the MX record and connecting to EOP directly.

Once EXO receives the email, it delivers it to the mailbox if the mailbox is in EXO; otherwise it routes it to the on-premises Exchange server through the Outbound connector.

MX pointed to a 3rd party Compliance and Archiving solution – spam filtering on EOP.

The organization can point the MX record to a third-party Compliance and Archiving solution that processes the email for compliance and archives it, but performs no spam filtering.

The Compliance and Archiving solution then relays the email to EOP, which performs the spam and other checks and delivers the email to the mailbox.

This scenario requires Enhanced Filtering for Connectors on the inbound connector for the solution. Otherwise every email appears to EOP to originate from the Compliance and Archiving solution's IP address rather than from its true source, so IP reputation, SPF and DMARC checks are evaluated against the wrong sender.
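The connector configuration for the two intermediary scenarios above (a third-party filter in front of EOP, or a Compliance and Archiving gateway in front of EOP), as an added example that is not part of the original post. It uses the ExchangeOnlineManagement module; the connector name, the rule name and the gateway IP addresses (TEST-NET-3 documentation addresses) are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and an account holding the
# Exchange Administrator role. Names and IP addresses below are placeholders.
Connect-ExchangeOnline

# Egress IP addresses of the third-party filter or compliance/archiving gateway (placeholder).
$gatewayIps = @('203.0.113.10', '203.0.113.11')

# 1. Inbound connector for the gateway.
#    - SenderDomains '*' plus RestrictDomainsToIPAddresses: EOP rejects email for any
#      sender domain that does not arrive from the listed IPs, so a message sent straight
#      to <domain>.mail.protection.outlook.com (skipping the gateway) is refused.
#    - RequireTls: the gateway must use TLS when relaying to EOP.
#    - EFSkipLastIP: Enhanced Filtering for Connectors. EOP ignores the gateway's IP
#      (the last hop) and filters on the true source IP found in the message headers.
$connector = New-InboundConnector -Name 'Inbound from mail gateway' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $gatewayIps `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -EFSkipLastIP $true `
    -Enabled $true

# 2. Verify what was actually created before changing the MX record.
Get-InboundConnector -Identity $connector.Identity |
    Format-List Name, ConnectorType, SenderDomains, SenderIPAddresses,
                RestrictDomainsToIPAddresses, RequireTls, EFSkipLastIP, Enabled

# 3. Legacy alternative: a mail flow rule that sets SCL -1 for everything from the
#    gateway. It prevents double filtering, but EOP then does no spam evaluation at all
#    on that traffic. Do NOT combine it with EFSkipLastIP from step 1; use it only when
#    Enhanced Filtering cannot be enabled.
# New-TransportRule -Name 'Bypass EOP spam filtering for gateway' `
#     -SenderIpRanges $gatewayIps `
#     -SetSCL -1
```

Test the connector with a pilot group first: with `SenderDomains '*'` and `RestrictDomainsToIPAddresses $true`, anything that legitimately delivers to EOP without passing through the gateway is rejected as well, so every expected path into the tenant must go through the gateway IPs listed.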

MX record points to on-premises Exchange server.

Consider an organization in Exchange Hybrid that is migrating a few mailboxes to EXO while retaining the rest on the on-premises Exchange server.

The organization's MX record already points to the on-premises Exchange server, and an in-house Compliance and Archiving solution sits alongside it.

The on-premises Exchange server receives the email first, the Compliance and Archiving solution processes it, and the email is then sent to EXO over the hybrid connectors for delivery to users whose mailboxes are in the cloud.

For this setup it is recommended to enable Enhanced Filtering for Connectors on the hybrid inbound connector in EOP, so that EOP evaluates the original internet sender rather than the on-premises server.

Conclusion.

This article discusses the different places the MX record can point, with and without a Compliance and Archiving solution, and how these solutions work together with EOP to provide seamless mail flow to the organization's users.

The MX record is the first point of contact to which email is delivered. Whichever system it points to either filters the email for spam and other threats first or processes it for compliance and archiving first.

For the best mail flow experience (especially for spam filtering), Microsoft recommends pointing the MX record for your organization's domain to Microsoft 365 or Office 365.

If the domain's MX record doesn't point to Microsoft 365 or Office 365, the spam filters are less effective: some valid messages will be misclassified by EOP as spam and some spam messages will be misclassified as legitimate email, unless Enhanced Filtering for Connectors gives EOP the true source of each message.

Reference: the Microsoft article How MX records affect spam filtering.

By Ashutosh Gawali

Ashutosh Gawali is a Microsoft 365 consultant and a networking and security enthusiast with nearly 10 years of experience in product implementation, optimization and customer support. Through this blog, Ashutosh shares his experience and understanding of Microsoft, networking, security and other technologies.
