Comparing Different Methods for Relaying Emails Through Microsoft Exchange Online

Microsoft offers multiple methods for sending emails from multifunction devices or applications to users on the Internet via Microsoft 365 or Office 365. This page compares these methods based on functionality and ease of configuration. Refer to "How to set up a multifunction device or application to send email using Microsoft 365 or Office 365" on Microsoft Learn for details about these methods.

In short, Microsoft offers the following three methods:

  1. Using SMTP authentication via OAuth.
  2. Setting up an inbound connector, which can use a client-side SSL certificate or a static IP.
  3. Direct send. This method assumes you want to relay emails. However, you don't have to relay through Microsoft when using this method. Read below for further details.

Comparing These Methods

| Method | Prerequisites | Setup Complexity | Limitations |
| --- | --- | --- | --- |
| Authentication with OAuth | OAuth 2.0 | Complicated | Every sender's address must be configured. |
| Connector/SSL Certificate | An SSL certificate or static IP | Easy | No limitation. |
| Direct Send | Static IP and DNS setup | Easiest | No limitation. |

Method 1 - Using Authentication

Basic authentication used to be very simple: all you needed was to specify a username and a password. This practice, however, is not very secure and is discouraged by Microsoft. In fact, they will soon completely turn off basic authentication and replace it with OAuth 2.0, which is significantly more secure but can be a bit complicated to set up.

Setup Complexity

The following must be done before using OAuth.

  • You must register an app on Azure Portal with proper permissions, or use an app registered by Synametrics Technologies. Refer to this page for instructions.
  • You must enable SMTP for the user whose email address is specified in the "From" field.

Limitation

  • By default, the sender's email address must match the authenticating user's email address. In other words, you cannot use the credentials of userA but send emails as userB, unless you configure the Send As permissions.
  • You cannot send outbound emails from non-existent users, such as hp_office_printer@yourOrg.com or server_alerts@yourOrg.com, because there is no user with that address.

Configuration Details

Method 2 - Using Client-Side SSL Certificate

This method requires using an SSL certificate issued by a trusted CA for the sender's domain. For example, if the sender's email address is hp_printer@yourcorp.com, the SSL certificate must be for yourcorp.com.

Setup

Limitation

There are no limitations:

  • Microsoft will accept emails for recipients in your organization and relay for foreign domains, as long as the sender's domain matches the SSL certificate.
  • The sender's address does not have to belong to a valid user. In other words, sending emails from hp_printer@yourcorp.com is fine.

Configuration Details

Method 3 - Direct Send

This method makes your public IP an authorized IP address for sending outbound emails. You only send emails to Microsoft if the recipient belongs to your domain. Recipients in a foreign domain receive emails directly from your Xeams server.

Setup

  • No configuration is needed in Microsoft.
  • You will need a static IP address from your ISP.
  • You will need to add this IP address to the SPF record for your domain, and create DKIM keys in Xeams.
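
A pre-flight check for the SPF step above, as an added example that is not part of the original page or of Xeams: it evaluates only the ip4, ip6 and all terms of an SPF record, offline, to confirm the static IP is authorized. The function name, the sample record and the documentation-range IP addresses are constructed for illustration.

```python
import ipaddress

# SPF qualifier prefixes and the result each one yields when its term matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that can only be evaluated with live DNS lookups.
DNS_MECHANISMS = ("include", "a", "mx", "exists", "ptr")


def spf_verdict_for_ip(spf_record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against an SPF record left to right, offline.

    Hypothetical helper: only ip4, ip6 and all are evaluated. If a term that
    needs DNS is reached before any match, "needs-dns" is returned because
    the real result depends on a lookup this code does not perform.
    """
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "not-spf"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        elif name == "all":
            return RESULTS[qualifier]
        elif name.split("/")[0] in DNS_MECHANISMS or name.startswith("redirect="):
            return "needs-dns"
    return "neutral"  # no term matched and there was no "all"


if __name__ == "__main__":
    # Constructed record: a static IP from the documentation range plus the
    # Microsoft 365 include, ending in a hard fail for everything else.
    record = "v=spf1 ip4:203.0.113.25 include:spf.protection.outlook.com -all"
    for candidate in ("203.0.113.25", "198.51.100.7"):
        print(candidate, spf_verdict_for_ip(record, candidate))
```

A "needs-dns" result for your static IP means the record reaches an include or similar term before any ip4/ip6 match, so confirm the outcome with a live SPF lookup.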

Limitation

There are no limitations.

  • Microsoft will only receive emails belonging to your domain.
  • Emails sent to other domains, such as @gmail.com or @yahoo.com, will be sent directly to their respective servers.

Configuration Details