Office 365: Configuring Outbound Delivery Routing

Document created by user.oxriBaJeN4 Employee on Sep 21, 2015Last modified by user.oxriBaJeN4 Employee on Feb 22, 2019
Version 19Show Document
  • View in full screen mode

This step must be completed to route emails outbound from Office 365 to Mimecast.

We recommend completing this step at least three working days before switching your MX records to route inbound email through us. This allows us to build your Auto Allow list, based on recipients your users send messages to. This has a positive impact on inbound email delivery speed, because many senders will already be known and consequently not be subject to our greylisting security feature.

What You'll Need


  • An Office 365 administrator logon with permission to create a send connector.
  • Your internal domains must already be registered with us.
  • A Mimecast administrator logon with at view permission to the Gateway | Accepted Email menu item.




Updating the SPF Record for your Domain(s)


You must have an SPF record for the domain(s) registered with Office 365. When implementing Mimecast with Office 365, this record must be updated in the DNS zone for the relevant domain to include the following:

  • Remove: v=spf1 –all
  • Replace with or add:  v=spf1 ~all

If your outbound email is temporarily coexisting with us, you can leave the v=spf1 –all SPF record. However it must be removed once all your outbound email is routed through us.

Configuring Outbound Routing

We recommend this process is completed using Internet Explorer. Other browsers have issues with the controls used in the final validation step.

  1. Log in to the Office 365 Administration Console.
  2. Select the Admin | Exchange menu item.
  3. Select the Mail Flow | Connectors menu item.
  4. Create a Connector.
  5. Complete the New Connector - Select Your Mail Flow Scenario dialog as follows:

    FromSelect "Office 365" from the drop down list.
    ToSelect "Partner Organization" from the drop down list.
  6. Select the Next button.
  7. Complete the New Connector - New Connector dialog as follows:

    NameEnter a name for the connector.
    DescriptionEnter a description for the connector.
    Turn It OnSelect this option to enable the connector.
  8. Select the Next button.
  9. Select the Only When Email Messages are Sent to These Domains option.
  10. Select the ico_plus.png icon to add the recipient domains that should use this connector.
  11. Enter a value of * to route all outbound emails through us.
  12. Select the OK button.
  13. Select the Next button.
  14. Select the Route Email Through These Smart Hosts option.
  15. Select the ico_plus.png icon to add your region's smart hosts.
    RegionOffice 365 Account Hostnames
    Europe (Excluding Germany)



    South Africa



  16. Select the Save button.
  17. Select the Next button.
  18. Select the following options:
    • Always use Transport Layer Security (TLS) to Secure the Connection (recommended)
    • Issued by a trusted certificate authority (CA)
  19. Select the Next button.
  20. Select the Next button.
  21. Add an Email Address of a recipient from a domain external to your organization.
  22. Select the Validate button.
  23. Select the Save button once Office 365 has successfully validated your settings.

Disable or remove any other Outbound Send Connectors. Failure to do this means your outbound email still uses theseand isn't routed through us. Any send connectors used for other purposes (e.g archiving) may still be enabled. If in doubt, consult Mimecast Support.

Adding the Office 365 Tenant Domain as an Internal Domain


Your Office 365 tenant domain must be added to the list of internal domains available in the Mimecast Administration Console. See the Configuring Internal Domain / Subdomains page for full details. This enables us to recognize certain auto response messages, where the sender address is not a normal internal domain. This is typically in the format Contact the Mimecast Support team if you have queries regarding this step.


Verifying Your Configuration

Once this step is complete, Office 365 must be added to your authorized outbounds as an umbrella account. View the Maintaining Authorized Outbound Addresses page for more information.

To verify that Office 365 is successfully routing email outbound via us:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button.
  3. Select the Message Center | Accepted Messages menu item.
See the Message Center: Accepted Messages page for full details.

You should see messages from your organization's internal users to external recipients. If you don't see messages shortly after they're sent, this indicates a configuration problem on your Office 365 send connector. Double check your configuration. Use the Office 365 Message Trace Tool in the Mail Flow | Message Trace menu of the Exchange Admin Center to help identify the issue.

12 people found this helpful