MFP SMTP setup with Office365

How to Allow a Multi-function Device or Application to Send E-mail through Office 365 Using SMTP

Applies to: Exchange Online

Topic Last Modified: 2015-05-04

SMTP (Simple Mail Transfer Protocol) is used when you set up an on-premises multi-function printer, scanner, fax, or line-of-business (LOB) application that needs to send email. If some or all of your mailboxes are in Office 365, there are a few options available: SMTP relay, client SMTP submission, or Direct Send.

  • SMTP Relay: An SMTP relay is used to send mail from your organization by authenticating the IP address or certificate of the sender. Any email address (including non-Office 365 mailboxes) can send mail using an SMTP relay, as long as it uses a domain that’s set up as yours in Office 365.

  • Client SMTP Submission: Client SMTP submission allows your device or LOB application to send emails using an email address associated with an Office 365 mailbox by authenticating itself using that account. Each device can have its own sender address or all devices can use one address such as

  • Direct Send: Direct Send can be used if the device or LOB application has the ability to send mail by itself. If so, the device or LOB application does not use Office 365 to send the mail, but the mail is received by Office 365 for delivery to your Office 365 accounts.

If you have an on-premises SMTP server – for example if you’re operating in a Hybrid environment – then it’s recommended to use the on-premises server to handle email delivery for applications and devices. You won’t need to follow the guidance in this article as you’ll already have a connector configured.

The following table will help you decide which one of these options will meet your needs. Detailed information and setup steps follow each method.


| Option | SMTP Relay | Client SMTP Submission | Direct Send |
|---|---|---|---|
| Send to recipients in our domain(s) | | | |
| Relay to Internet via Office 365 | | | No. Direct delivery only. |
| Configuration requirements | Port 25; TLS optional; one or more static IP addresses are required (this method cannot be used with Azure or addresses on a Policy Block List) | Port 587 or 25; TLS required; dynamic IPs allowed | Port 25; TLS optional |
| Requires authentication | No. IP address provides authentication. | Yes. However, if the device does not support this option, you can use on-premises Windows SMTP relay. | |
| Bypasses anti-spam | No. Suspicious emails may be filtered. We recommend a custom SPF record. | Yes if the mail is destined for an Office 365 mailbox. | No. Suspicious emails may be filtered. We recommend a custom SPF record. |
| Throttling limits | Reasonable limits are imposed. The service cannot be used to send spam. | 10,000 recipients per day. | |
| Licensing requirements | Requires Exchange Online Protection licenses for each sender. Office 365 mailboxes have this license. | Must use a licensed mailbox with credentials. | Email sender licensing not required. |
| FQDN of SMTP endpoint | To obtain the string for your domain, go to Domains in the Office 365 Portal. | | No endpoint required. This method uses DNS based routing. |

SMTP relay allows Office 365 to handle email delivery on your behalf by authenticating using your public IP address or a certificate. Your device or LOB application can send email as any email address within your owned and verified domains. The address does not have to resolve to an Office 365 mailbox. However, if the email address doesn’t exist, then recipients that reply to the emails will receive a Non-Delivery Report (NDR). If the device or application is used to send spam or bulk email against the Office 365 Terms of Service, the email address and/or IP may be blocked by Office 365. If your device or LOB application supports or requires authentication (for example, if your users need to send emails only as their own accounts), you may want to consider the Client SMTP Submission method instead.

If all of your users have Office 365 mailboxes, you don’t need any additional licensing to use this option. If you have senders using the device or LOB application who don’t have an Office 365 mailbox, then you should make sure that each non-Office 365 user has an Exchange Online Protection license to cover relaying through Office 365.

If you have already set up Exchange Hybrid or have connectors configured for Exchange Online Protection, use a connector that you have already configured to enable devices or applications to send mail via Office 365.

  1. Obtain the public IP address that the device or application will send from. A dynamic IP address isn’t supported or allowed. You can share the IP with other devices and users, but you shouldn’t be sharing the IP with anyone outside of your company. Make note of this IP address for later.

  2. Log on to the Office 365 Portal.

  3. Select Domains. Click Manage DNS and find the MX record. The MX record will have a POINTS TO ADDRESS value. Make a note of this value. You'll need it later.
  4. Make certain that the domains that the application or device is sending to have been properly verified. If the domain is not verified, emails could be lost and you won’t be able to track them through Office 365 using Message Trace.

  5. In the upper right, select Admin and then select Exchange from the drop down. If you have Small Business, then see the instructions here.

  6. In the Exchange Admin Center, select Mail Flow > Connectors.

  7. Check the list of connectors set up for your organization. If there is no connector listed from your organization's email server to Office 365, create one.

    1. To start the wizard, click the plus symbol +. On the first screen, choose the option for mail from your organization's email server to Office 365. Click Next and give the connector a name.

    2. On the next screen, choose the option By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization, and add the IP address from Step 1.

    3. Leave all the other fields with their default values and select Save.

  8. Now that you are done with configuring your Office 365 settings, go to your Domain Registrar’s web site to update your DNS records. Edit your SPF (sender policy framework) record. The entry should include the IP address you noted in Step 1. The finished string should look similar to this: v=spf1 ip4: ~all where is your public IP address. Skipping this step could cause email to be sent to recipients’ junk mail folders.

  9. Finally, go back to the device and in the settings, under what would normally be called Server or Smart Host, enter the MX record POINTS TO ADDRESS value you recorded in Step 3.
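A way to sanity-check the SPF record from Step 8 before publishing it, as an added example that is not part of the original article. The helper name `check_spf`, the sample record and both IP addresses are constructed for illustration (documentation address ranges); only `ip4`, `ip6` and `all` terms are evaluated, anything that needs DNS is reported and skipped.

```python
import ipaddress

# Constructed sample: 203.0.113.25 stands in for the static public IP from Step 1.
SAMPLE_RECORD = "v=spf1 ip4:203.0.113.25 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate only the ip4/ip6/all terms of an SPF record for one sender IP.

    Returns (result, notes). Terms that need DNS (include, a, mx, ...) are
    listed in notes and skipped, so treat this as a pre-publication check.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid", ["record must start with v=spf1"]
    ip = ipaddress.ip_address(sender_ip)
    notes = []
    for term in terms[1:]:
        qualifier = "+"                      # SPF default when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "invalid", notes + [f"{name} has no usable address: {value!r}"]
            if ip in network:
                return QUALIFIERS[qualifier], notes
        elif name == "all":
            return QUALIFIERS[qualifier], notes + ["sender matched only the 'all' term"]
        else:
            notes.append(f"skipped {term!r}: needs DNS or is a modifier")
    return "neutral", notes + ["no term matched"]


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7"):   # listed IP, then an unlisted one
        print(ip, check_spf(SAMPLE_RECORD, ip))
```

A `softfail` or `fail` result for the device's own public IP means the record does not cover it, which is the condition that sends relayed mail to recipients' junk folders.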

If you’re not sure which method to use, choose this one.

Client SMTP submission uses Office 365 to send email via SMTP using an Office 365 mailbox account’s credentials. Each email needs to be sent by a valid email address associated with an Office 365 mailbox. Mailboxes that are outside of Office 365 aren’t supported. If the device or application is used to send spam or bulk email against the Office 365 Terms of Service, the email address and/or IP may be throttled or blocked by Office 365.

  1. Confirm that your device or application supports Transport Layer Security (TLS) for SMTP on either port 587 or port 25 (587 is recommended). You may want to verify with the device or application vendor if there are firmware or software updates, particularly if the device or application is more than a few months old. If TLS is not supported, you can use the SMTP Relay method or install and configure Windows SMTP on-premises to handle the communication to Office 365 as a last resort. TLS v1.1 or later is required, and a number of ciphers are supported. If your application or device is having trouble with the STARTTLS exchange, then you may want to make sure all patches are applied.

    If your device suggests using port 465, then TLS is probably not supported. Contact your vendor for an update.
  2. Decide if the device or application allows users to specify their own email address and credentials on a per-user basis, or if a single mailbox can be used to send all email as a single sender. If you’re sending as a single email address, for example, you’ll need to ensure that the following statements are true:

    1. The domain portion, for example, must be a verified and accepted domain for your Office 365 tenant.

    2. The full SMTP address must be added to either an existing Office 365 mailbox or a new Office 365 Mailbox.

  3. Exact configuration options will vary by device and application. For more information, see How to configure Internet Information Server (IIS) for relay with Office 365. At a minimum, the following must be configured on the device:

    • Smart host

    • Port 25 or 587: If your device or application doesn’t allow you to specify a port, then 25 will be used. However, 587 is highly recommended as many ISPs will block port 25. Port 465 is not supported. Contact your vendor for an update.

    • Use Transport Layer Security (TLS): Office 365 requires TLS to ensure that your credentials are passed securely. Use of SSL over port 465 is not supported.

    • Email address/credentials: The credentials must be valid Office 365 credentials. Some devices or applications may also allow you to specify the email address. Although the email address and the username can be different, they must be associated with the same Office 365 account.
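The submission sequence a device has to perform, written as a test client you can run from a workstation before configuring the device. This is an added example, not part of the original article; `submit_with_tls` is a hypothetical helper name, and it expects an already-connected `smtplib.SMTP` object. It refuses to send the mailbox password unless STARTTLS succeeded with TLS 1.1 or later.

```python
import ssl

REJECTED_PROTOCOLS = (None, "SSLv2", "SSLv3", "TLSv1")  # page requires TLS 1.1+


def submit_with_tls(smtp, username, password, message):
    """Authenticate and send on a connected smtplib.SMTP-style object.

    The password is sent only after STARTTLS has negotiated TLS 1.1 or later
    and the server offers AUTH on the encrypted channel.
    """
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        raise RuntimeError("STARTTLS not offered; refusing to send credentials")
    # Default context verifies the server certificate and host name.
    smtp.starttls(context=ssl.create_default_context())
    smtp.ehlo()                               # extensions are re-read after TLS
    negotiated = smtp.sock.version()
    if negotiated in REJECTED_PROTOCOLS:
        raise RuntimeError(f"negotiated {negotiated}; TLS 1.1 or later required")
    if not smtp.has_extn("auth"):
        raise RuntimeError("AUTH not offered after STARTTLS")
    smtp.login(username, password)
    return smtp.send_message(message)         # dict of refused recipients
```

Pass it a connection opened with `smtplib.SMTP(host, 587)`, where `host` is the smart host you would enter on the device, and an `email.message.EmailMessage` whose From address belongs to the mailbox you log in with.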

If your application is running on Windows 2003, there are two fixes that are required. See here and here for details.

Another option to consider when setting up devices and LOB applications to send email messages is to use direct SMTP send. In this case, the device or application will handle all email delivery directly, regardless of destination, and Office 365 is not used to send the messages. There are several scenarios where this can be the best choice:

  1. If the device or application is only sending email to your own Office 365 users, then this is the simplest method, as there is absolutely nothing to configure.

  2. If the device or application has a built-in SMTP server capability and you want to manage and control it separately. This may be particularly useful if you don’t want Office 365 to throttle or scan your outbound email for viruses and spam.

  3. If you’re sending bulk email or newsletters, as Office 365 does not support this. You may want to enlist the help of a bulk email service provider to assist you. There are best practices that should be followed and bulk email providers are well-suited to ensure that your domains and IP addresses are not blocked by others on the Internet.

Windows SMTP can provide this direct send routing capability if your device/application does not support it; however, a more comprehensive solution is suggested.