Office 365: Configuring Outbound Delivery Routing

Document created by user.oxriBaJeN4 Employee on Sep 21, 2015. Last modified by user.Yo2IBgvWqr on Dec 19, 2017.
Version 13

The following steps should be completed to route emails outbound from Office 365 to Mimecast.

We recommend you complete this step at least a few working days before switching your MX records to route inbound email through Mimecast. This is so we can start building the Auto Allow list, based on recipients that your users send email to. Following this process has a positive impact on the speed of inbound email delivery. This is because when you start receiving email through Mimecast, many senders will already be known and consequently not be subject to Mimecast's greylisting security feature.

What You'll Need


  • An Office 365 Administrator with permission to create a send connector.
  • Your organization's internal domains must already be registered with Mimecast.
  • A Mimecast Administrator with at least view permission to the Gateway | Accepted Email menu in the Administration Console.




Updating the SPF Record for your Domain(s)


Your organization should already have an SPF record for the domain(s) registered with Office 365. When implementing Mimecast with Office 365, this record must be updated in the DNS zone for the relevant domain to include the following:

  • Remove: v=spf1 -all
  • Replace with or add: v=spf1 ~all

If your outbound email is coexisting with us for a period, you can leave the v=spf1 -all SPF record. However, we recommend you remove it once all your outbound email is routed through us.

Configuring Outbound Routing

Mimecast has observed that this process can only be successfully completed using Internet Explorer. This is due to an issue with the controls used in the final validation step.

  1. Log in to the Office 365 Administration Console.
  2. Select the Admin | Exchange menu item. The Exchange Admin Center is displayed.
  3. Select the Mail Flow | Connectors menu item and create a new Connector.
  4. Complete the New Connector - Select Your Mail Flow Scenario dialog as follows:

    From: Select "Office 365" from the drop down list.
    To: Select "Partner Organization" from the drop down list.
  5. Click the Next button.
  6. Complete the New Connector - New Connector dialog as follows:

    Name: Enter a name for the Connector.
    Description: Optionally, enter a description for the Connector.
    Turn It On: Select this option to enable the Connector.
  7. Click the Next button.
  8. Select the Only When Email Messages are Sent to These Domains option.
  9. Click the + (plus) icon to add the recipient domains that should use this connector.

  10. Enter a value of * to route all outbound emails through Mimecast.
  11. Click the OK button.
  12. Click the Next button.
  13. Select the Route Email Through These Smart Hosts option.
  14. Click the + (plus) icon to add the smart hosts from the table below for the region where your Mimecast service is hosted.
    Region | Office 365 Account Hostnames

    North America

    South Africa



  15. Click the Save button.
  16. Click the Next button.
  17. Select the following options:
    • Always use Transport Layer Security (TLS) to Secure the Connection (recommended)
    • Issued by a trusted certificate authority (CA)
  18. Click the Next button to verify your settings.
  19. Click the Next button.
  20. Add an email address of a recipient from a domain external to your organization.
  21. Click the Validate button.
  22. Once Office 365 has successfully validated your settings, click the Save button.
  23. Disable or remove any other Outbound Send Connectors that were previously used. Failure to do this means your outbound email still uses these older send connectors and is not routed through Mimecast. Any send connectors used for other purposes (e.g. archiving) may still need to remain enabled. If in doubt, consult your Mimecast Support engineer.
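
The settings chosen in steps 6 to 23 can be audited from Exchange Online PowerShell instead of re-reading each dialog. The script below is an added example, not Mimecast's or Microsoft's own code. It assumes connector objects shaped like the output of Get-OutboundConnector, and that the dialog option "Issued by a trusted certificate authority (CA)" is stored as the TlsSettings value CertificateValidation. The function name Test-MimecastRouting and the host smarthost.example.invalid are placeholders; use the hostnames from the region table.

```powershell
# Added example: audit outbound connectors against steps 6-23 of this page.
# Live use (after Connect-ExchangeOnline):
#   Get-OutboundConnector | Test-MimecastRouting -SmartHost <hosts from the region table>
function Test-MimecastRouting {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Connector,
        [Parameter(Mandatory)] [string[]] $SmartHost   # expected Mimecast smart hosts
    )
    process {
        $issues = @()
        # A connector counts as "to Mimecast" if any of its smart hosts is an expected one.
        $toMimecast = @($Connector.SmartHosts | Where-Object { $SmartHost -contains $_ }).Count -gt 0
        if ($toMimecast) {
            if (-not $Connector.Enabled) { $issues += 'connector is turned off (step 6)' }
            if ($Connector.RecipientDomains -notcontains '*') { $issues += 'recipient domains lack * (step 10)' }
            if ($Connector.UseMXRecord) { $issues += 'uses MX lookup, not smart hosts (step 13)' }
            if ($Connector.TlsSettings -ne 'CertificateValidation') {
                $issues += 'TLS is not "always, trusted CA" (step 17)'
            }
        }
        elseif ($Connector.Enabled) {
            # Step 23: an enabled connector that does not point at Mimecast still carries mail.
            $issues += 'enabled connector bypasses Mimecast; disable unless needed, e.g. archiving (step 23)'
        }
        [pscustomobject]@{
            Name       = $Connector.Name
            ToMimecast = $toMimecast
            Issues     = $issues -join '; '
        }
    }
}

# Constructed sample objects (not real tenant data) so the script runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'To Mimecast'; Enabled = $true; RecipientDomains = @('*')
                       SmartHosts = @('smarthost.example.invalid'); UseMXRecord = $false
                       TlsSettings = 'EncryptionOnly' }
    [pscustomobject]@{ Name = 'Legacy direct'; Enabled = $true; RecipientDomains = @('*')
                       SmartHosts = @(); UseMXRecord = $true; TlsSettings = $null }
)
$sample | Test-MimecastRouting -SmartHost 'smarthost.example.invalid' |
    Format-Table -AutoSize -Wrap
```

A connector with an empty Issues column matches the configuration above. Any row with ToMimecast set to False and a non-empty Issues column is a path by which outbound mail can leave Office 365 without passing through Mimecast.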


Adding the Office 365 Tenant Domain as an Internal Domain


Your Office 365 tenant domain must be added to the list of internal domains available in the Directories | Internal Directories menu item. This enables Mimecast to recognize certain auto response messages where the sender address is not a normal internal domain. This is typically in the format


See the Validating an Tenant Domain page for further details.


Next Steps

After configuration is complete, Office 365 will need to be added to your authorized outbounds as an umbrella account. View the Maintaining Authorized Outbound Addresses page for more information.

To verify that Office 365 is routing email outbound via Mimecast successfully:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Gateway | Accepted Email menu item.
  4. Use the View option to filter on Outbound email.


You should see messages from your organization's internal users to external recipients listed here. If you do not see messages listed here shortly after they have been sent, this typically indicates a configuration problem on your Office 365 send connector. Double check your configuration and use the Office 365 Message Trace tool found in the Mail Flow | Message Trace menu of the Exchange Admin Center to help you identify the issue.
