Exchange Hybrid - All on-prem mail to route via EOP - SPF

  • Question

  • Hi all,

    If you have Exchange Hybrid configured, and the on-prem to cloud send connector has been updated to route not just 'org' emails between the two (in other words, all on-prem email will go out of the 'hybrid' SMTP connector to the EOP tenant and then onwards to the final MX destination), would you need, in that deployment type, to add your on-prem public IP into the SPF record for the organisation, given that the EOP receive connector is already restricting the flow of SMTP by source IP (on-prem) and/or certificate authentication?

    Thank you for any input.



    Tuesday, October 27, 2020 8:45 AM

All replies

  • Phil,

    Send a test mail to a public mailbox you have access to and check the headers of the received mail.
    There you can read which server makes first contact with your receiver's MX record. That's the IP you need in your SPF record!

    If you use a relay server, the source IP will always be the relay server's IP from the receiver's point of view. Your routing between Exchange servers should have the same effect. It's the cloud server that talks to the MX record, not your on-prem server, so it's the cloud server's IP that is checked.

    Tuesday, October 27, 2020 11:07 AM
  • Thank you for this. I will check this out now. 



    Tuesday, October 27, 2020 11:17 AM
  • Okay, yes, so when I look at the header I see:

    For our example we have added the public IP into the SPF record, and that does look like it is used at the point the mail is 'delivered' from on-prem to EOP. That's the thing I'm trying to get clarity on: does the EOP receive connector need the on-prem sending public IP (or IPs) added to the SPF to allow this to work? I know I can probably play around with the setup to test this, but that doesn't mean it's future-proof if there is an underlying requirement to have this that isn't enforced at the moment by MS. Hope that makes sense. Thank you.


    • Edited by Philip Luke Tuesday, October 27, 2020 11:34 AM
    Tuesday, October 27, 2020 11:33 AM
  • Actually, I've just tried it. I removed the sending IP from the SPF record. The result was interesting. Sending the same email to both an M365 tenant and Gmail: the email DIDN'T arrive in the M365 mailbox, even though it is going via EOP, but it DID arrive in the Gmail mailbox, even though Gmail noted the sending IP wasn't in the SPF. So that pretty much confirms it then: we do need to add all public IPs into the SPF even though on-prem isn't sending directly (via MX lookup).

    Thanks for the steer Dimitri.


    Tuesday, October 27, 2020 11:57 AM
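Dimitri's advice (read the topmost Received: header to find the IP that contacted the receiver's MX) and Phil's experiment of removing the on-prem IP from the SPF record can both be reproduced offline. The Python below is an added example, not code from this thread or from Microsoft. It unfolds a constructed set of Received: headers as they would appear on the receiver's copy, picks out the connecting IP at each public hop, and evaluates a minimal SPF check for that IP against constructed TXT records. Every receiving host evaluates SPF against the IP that connected to it, so the on-prem to EOP hop and the EOP to external MX hop are separate checks; the example runs both with and without the on-prem IP in the record. The hostnames, IP addresses, SPF record contents and the include: target are placeholders, not Microsoft's real records.

```python
import ipaddress
import re

# Constructed sample headers from the receiver's copy of a message sent
# on-prem -> EOP (hybrid connector) -> external MX. The top Received: line is
# the hop closest to the receiver. Hostnames and IPs are placeholders.
SAMPLE_HEADERS = """\
Received: from mail-eop-out.example (mail-eop-out.example [198.51.100.23])
        by mx.example.net with ESMTPS id k7si12345
        for <someone@example.net>; Tue, 27 Oct 2020 11:50:01 +0000
Received: from mail.contoso.com (203.0.113.10) by
 HYB01.tenant.example (10.20.30.40) with Microsoft SMTP Server (version=TLS1_2)
 id 15.20.1; Tue, 27 Oct 2020 11:49:59 +0000
Received: from EXCH01.contoso.local (10.0.0.5) by mail.contoso.com (10.0.0.5)
 with Microsoft SMTP Server id 15.1; Tue, 27 Oct 2020 11:49:58 +0000
From: phil@contoso.com
"""

# Constructed TXT records standing in for DNS. The include: target is a
# placeholder for the cloud service's SPF record, not Microsoft's real one.
SPF_DNS = {
    "contoso.com": "v=spf1 ip4:203.0.113.10 include:spf.hybrid-cloud.example -all",
    "spf.hybrid-cloud.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
# Same zone with the on-prem IP removed, as in the experiment in the thread.
SPF_DNS_NO_ONPREM = {**SPF_DNS, "contoso.com": "v=spf1 include:spf.hybrid-cloud.example -all"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Connecting IP recorded in each Received: header, top (closest to receiver) first."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        from_part = line.split(" by ", 1)[0]  # only the 'from' clause names the sender
        match = IP_RE.search(from_part)
        hops.append(match.group(1) if match else None)
    return hops


def spf_check(ip, domain, dns, depth=0):
    """Minimal SPF evaluator: ip4/ip6 (with CIDR), include:, and all.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms; treat deep recursion as permerror
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            if spf_check(ip, arg, dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def spf_along_path(raw, mail_from_domain, dns):
    """SPF verdict each public hop would reach for the IP that connected to it."""
    return [(ip, spf_check(ip, mail_from_domain, dns))
            for ip in received_hops(raw)
            if ip and not any(ipaddress.ip_address(ip) in n for n in RFC1918)]


if __name__ == "__main__":
    for label, dns in (("on-prem IP in SPF", SPF_DNS), ("on-prem IP removed", SPF_DNS_NO_ONPREM)):
        print(f"{label}: {spf_along_path(SAMPLE_HEADERS, 'contoso.com', dns)}")
```

Running it prints the per-hop verdicts for both zone variants: the external MX, which only ever sees the cloud outbound IP, passes either way, while the hop that received the message from on-prem passes only while 203.0.113.10 is listed. The evaluator deliberately covers only ip4, ip6, include and all; real SPF also has a, mx, ptr, exists and redirect= plus the 10-lookup limit, so use a full implementation such as pyspf for anything beyond a quick check of your own headers.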
  • Hi,

    Please note: the Exchange Server Development forum mainly discusses issues about Exchange development, and it's not monitored. Other TechNet Exchange sub-forums have been migrated to Microsoft Q&A. We invite you to post new questions with related tags in the new forum.

    For your issue about mail flow from on-premises to Exchange Online, we have created a new thread and provided suggestions in Microsoft Q&A. Please go to [Migrated from MSDN Exchange Dev] Exchange Hybrid - All on-prem mail to route via EOP - SPF to continue the discussion. Thanks for your understanding.


    Lydia Zhou

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, October 28, 2020 7:26 AM