External emails coming directly from other O365 tenants (not honoring mx records)

Anonymous
2020-07-15T23:43:13+00:00

Hi, 

I am working on/assisting with creating transport rules to lock down my organization's O365 tenant to only allow mail from our third-party email threat protection platform's IPs. Before doing this, we created a rule to identify any mail that is currently bypassing that email protection (i.e. finding emails that are hard-coded using SMTP hostname/IP and not our MX records, which point to the email protection). We found a fair number of legitimate emails (unaffiliated with our company but not spam/malicious) going from O365 directly to our O365 tenant. Is there any "feature" or configurable option within the admin portal to send directly from O365 to O365 tenant with no regard for MX records? Thank you!

Ben Owens

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
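The bypass check described in the question can also be run offline over exported message headers. The sketch below is an added example, not code from this thread or from Microsoft; the gateway range `203.0.113.0/24`, the edge hostname suffix `.edge.example.net`, the function names and the sample headers are all constructed assumptions to be replaced with your own values.

```python
import email
import ipaddress
import re

# Assumptions (constructed values): the protection platform's egress range
# and the hostname suffix of the tenant's own inbound edge servers.
GATEWAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
EDGE_SUFFIX = ".edge.example.net"

HOP = re.compile(r"from\s+(\S+)\s+(.*?)\s*\bby\s+(\S+)", re.S | re.I)
ADDR = re.compile(r"[\[(]([0-9A-Fa-f:.]+)[\])]")

def connecting_ip(raw_headers):
    """Return the IP that handed the message to our edge, or None.

    Received headers are read newest-first and only the first hop our own
    edge recorded for a foreign host is trusted; older hops can be forged.
    """
    msg = email.message_from_string(raw_headers)
    for hop in msg.get_all("Received", []):
        m = HOP.search(hop)
        if not m:
            continue
        from_host, detail, by_host = m.groups()
        if not by_host.lower().endswith(EDGE_SUFFIX):
            return None  # hop not written by our edge: nothing below is trusted
        if from_host.lower().endswith(EDGE_SUFFIX):
            continue  # internal relay inside the tenant, keep walking
        for cand in ADDR.findall(detail):
            try:
                return ipaddress.ip_address(cand)
            except ValueError:
                continue  # bracketed token that is not an IP address
        return None
    return None

def bypassed_gateway(raw_headers):
    """True when the message did not enter through the protection platform."""
    ip = connecting_ip(raw_headers)
    return ip is None or not any(ip in net for net in GATEWAY_NETS)

# Constructed samples. DIRECT carries a forged older hop naming the gateway.
VIA_GATEWAY = ("Received: from mx1.gateway.example (203.0.113.25) by in1.edge.example.net\n"
               "Subject: a\n\n")
DIRECT = ("Received: from out.sender.example (198.51.100.7) by in1.edge.example.net\n"
          "Received: from x (203.0.113.25) by in9.edge.example.net\n"
          "Subject: b\n\n")
```

A message with no parseable hand-off hop is reported as a bypass so that it gets reviewed rather than silently passed.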

Answer accepted by question author

  1. Anonymous
    2020-07-16T04:35:35+00:00

    Hi Ben,

    To my knowledge, external emails are basically routed based on the MX record. However, according to RFC 5321, if there's no MX record, the domain name must return an A or AAAA record to give the SMTP server IP address so that the email can still be delivered to your mailbox.

    Besides, from my research, there are some exceptions where emails will not be delivered by MX record between two Office 365 tenants. For your reference, see FAQ #3 in the following article.

    https://techcommunity.microsoft.com/t5/exchange-team-blog/office-365-message-attribution/ba-p/749143

    Regards,

    Marvin

3 additional answers

  1. Anonymous
    2020-07-22T09:02:51+00:00

    Hi Ben,

    Based on the article, when an Office 365 tenant sends emails to another Office 365 tenant, if the recipient uses the initial domain (xxx.onmicrosoft.com) as its primary email address, then the emails will be routed directly to the Office 365 tenant no matter where the MX record points. So if your tenant uses the initial domain as the primary email address, you can change it to your custom domain to check if it helps.

    Regards,

    Marvin

  2. Anonymous
    2020-07-21T16:35:19+00:00

    Hi Marvin,

    Thank you for sharing that link. We do have MX records in place with the following priority:

    10 Primary for email protection platform

    20 First alt for email protection platform

    30 Second alt for email protection platform

    40 Third alt for email protection platform

    80 domain-com.protection.outlook...(O365 tenant)

    We are seeing emails going to users' mailboxes routing directly to the O365 tenant (priority 80 in MX records), bypassing the 10-40 priority records. From the information you provided, O365 should not be ignoring MX records and sending directly to other O365 tenants; based on this, it sounds like a possible sender misconfiguration.

    Thank you,

    Ben Owens

  3. Anonymous
    2020-07-18T13:54:45+00:00

    Hi Ben,

    Do you have any further updates for us?

    Regards,

    Marvin
