After building a hybrid Exchange environment as outlined in a couple of previous blog posts we have an Exchange 2013/2016 environment where some Mailboxes exist on-premises and some Mailboxes exist in Exchange Online. Autodiscover is still pointing to the on-premises environment, and so are the MX records. Inbound SMTP mail flow from the Internet is still accessing the on-premises Exchange 2016 Edge Transport servers before being delivered to the intended recipients.
Figure 1. The Exchange hybrid environment with Mailboxes on-premises and in Exchange online.
When a Mailbox is in Exchange Online, inbound SMTP messages are delivered to the on-premises Exchange 2016 Edge Transport servers to an internal Exchange 2016 Mailbox server. This server detects that the recipient is actually a Mail-Enabled User (MEU) with a target address in Exchange Online (i.e. email@example.com) and forwards the email via the hybrid Exchange 2016 server to Exchange Online where it is delivered to the intended Mailbox.
Note. Outbound mail from a Mailbox in Exchange Online is sent from the Microsoft platform directly to the Internet, so this is not flowing through the on-premises Exchange environment.
The question that is raised is “When is a good time to change the inbound mail flow from Exchange on-premises to Exchange Online?”
That’s a good question, and like any consultant would say “It depends.”
I have customers that keep mail flow on-premises as long as possible, at the same time I have customers that change mail flow on day one of the project.
The advantage of changing it is the use of Exchange Online Protection for message hygiene purposes. And to be honest, you will never get your Exchange 2016 Edge Transport servers on-premises as good as Exchange Online Protection.
Another advantage is that Exchange Online Protection is almost free. All inbound messages will be scanned and regular messages will be forwarded to the intended recipients, whether their Mailbox is located on-premises or online.
And when the mail flow is changed to Exchange Online Protection you can remove the Exchange 2016 Edge Transport servers from your DMZ, but take care about outbound SMTP messages from Mailboxes that still exist in your Exchange on-premises environment.
Changing the mail flow is just a matter of changing the MX records from the on-premises Exchange 2016 Edge Transport servers (i.e. smtphost.exchangelabs.nl in our environment) to the Office 365 environment (i.e. exchangelabs-nl.mail.protection.outlook.com). Don’t forget to change the corresponding SPF record as well. This should be “v=spf1 include:spf.protection.outlook.com –all” for your SMTP domain.
When changed you can easily check if the mail flow has changed by sending an email from an external messaging system to a Mailbox in Exchange Online. When you check the message header you will see see something like this:
As an interesting side note, you can also use the Remote Connectivity Analyzer (www.testexchangeconnectivity.com) to analyze the message headers:
Besides this information there’s a lot more to check in the Remote Connectivity Analyzer.
But the most important part, we’ve changed the mail flow from the on-premises Exchange 2016 Edge Transport server to Exchange Online Protection.