This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 38%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
Hi
We have received the below Microsoft message alert. I don't think it is very well worded and Microsoft don't see to be able to explain it either.
Does anyone on here have knowledge of this?
My questions re the alert is as follows
New outbound relay pool
We're making some changes to harden the configuration for relaying or forwarding email through Office 365.
Starting July 27, 2021, we are updating special relay pools, a separate IP address pool that is used for relayed or forwarded mails that are sent from domains that are not a part of accepted domains in your tenant. Only messages that are sent from domains that are not accepted domains in your tenant are impacted by this change.
How this will affect your organization:
When this change is implemented, messages that do not meet the below criteria will route through the Relay Pool and the messages might potentially end up in recipient junk folder.
Outbound sender domain is an accepted domain of the tenant.
SPF passes when the message comes to M365.
DKIM on the sender domain passes when the message comes to M365.
All messages that meet the above criteria will not be relayed through the Relay Pool. For relayed messages, we will skip SRS rewrite.
What you can do to prepare:
When this change takes effect, you can tell a message was sent via the Relay Pool by looking at the outbound server IP (all Relay Pool IPs will be in the 40.95.0.0/16 range), or by looking at the outbound server name (will have "rly" in the name).
For the messages to go through the regular pool you will need to make sure when a message arrives to Microsoft Office 365, SPF or DKIM passes, or sender domain of the outbound message matches an accepted domain of your tenant
For DKIM to work, make sure you enable DKIM for sending domain for example fabrikam.com is part of contoso.com accepted domains, if the sending address is ******@fabrikam.com, the DKIM needs to be enabled for fabrikam.com. you can read on how to enable DKIM here.
To add custom domains follow the steps outlined here.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @Henrik Brown ,
Just checking in to see how things are going on with this thread. If the replies provided by Andy were helpful, you can try to accept it as answer. If you still have further questions or concerns on this, feel free to post back.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
This will affect you only if they go outbound through 365 and the FROM is not one of your verified accepted domains in 365.
So our main domain is not actually verified at the moment. To verify it we need it is asking us to add an autodisover cname record. I am concerned as to what this will do to mailflow. It seems to get the domain verified we need to add this. I also see this message when attempting to add the domain I see this message
Don't add these DNS records if:
You need custom DNS routing for your email, for example, to route traffic through an external spam filtering service
You're already using Exchange on-premises as well as Exchange Online (also called a hybrid deployment)
If this applies, you will need to clear the Exchange and Exchange Online Protection selection and set up your own custom DNS records to route email through Microsoft 365 later.
We do have a Hybrid exchange setup albeit we have no on prem mailboxes. I guess that leads to two questions if you will indulge me?
If we don't make our domain verified are we saying all the mail that goes out via office 365 is affected?
Would completing the domain setup and adding the dns records as suggested including the autodisover record affect our mailflow?
What domain are the mailboxes using in Exchange Online? That has to be verified already .
The autodiscover record is not related to mail flow however.
I assume your mx record and autodiscover record already points to 365.
The domain we send email from has 'incomplete setup' status in the domains section of the portal.
Yes our MX points to Office365
Re Autodisover a look at my orgs DNS zone file I can see an A record autodisover which is pointing to a Microsoft IP address so I assume this means we are pointint this to office365?
Yes, and incomplete status doesn't mean its not verified. It s' actually expected in a hybrid environment:
https://learn.microsoft.com/en-us/office365/troubleshoot/administration/setup-in-progress-office-365-portal#solution
If the domain wasnt verified, you wouldnt be able to use it in 365.
It sounds like everything is setup correct actually and the message alert is simply saying that if you send outbound with an unverified domain in the FROM, then the messages will be treated like SPAM by 365 and sent through their high risk IP pool. If you arent doing that, then you are fine.
Right ok that makes sense and makes me question some work I have done recently.
We have a number of domains in our tenant. Our users don't have mailboxes in these tenants but they use the domain names as aliases when they are working on certain projects.
I have been tasked with making these domains verified and 'healthy' within the portal. I have completed the setup for some of these domains by adding in the dns records suggested in the setup. They are now green and healthy.
I guess what we are saying here is there is no real requirement for this?
If my company wants me to proceed and make all these domains healthy would this have any negative effect in a hybrid exchange scenario?
It wouldnt have any negative effect because all your records already point to 365 and all the mailboxes exist in Exchange Online.
At this point, its really just "paperwork" and that will check to ensure the DNS records are set correctly. If they aren't the wizard will let you know :)
Let us know if you have any further questions, otherwise, if you could an accept an answer, we can close this up. Thanks!
Thanks Andy you have been a great help.
One last thing to clarify and I will mark answer as complete.
We relay via on prem to office365 for various applications and such. So just to confirm any email that we relay in this way that does not come from a verified domain is affected?
The wording of the alert does not make it clear if its means relaying from office365 itself or relaying through office 365?
I hope that makes sense
Correct. Sending messages mail outbound through 365 must be sent from one of your accepted/verified domains in the FROM. Anything you send from on-prem that isnt from a verified domain will be affected by this.
Thanks Andy
I have logged this with Microsoft also and your answers are making more sense.
Just one last thing sorry
All mail in our environment goes through office365.
So what we are saying hers is
You can also use the built in 365 report :
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-non-accepted-domain-report?view=o365-worldwide
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 15%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
we have xyz.com added in accepted domain, still while auto email forwarding its using 40.95 IP range, and its getting block.
550 5.7.367 Remote server returned not permitted to relay -> 550 5.7.1 Relaying denied