Microsoft is making some changes to harden the configuration for emails relayed or forwarded through Office 365 SMTP server(s).

Starting July 27, 2021, Microsoft will be updating the Special Relay Pools, a separate IP address pool used for relayed or forwarded emails sent from domains that are not accepted domains in your tenant. Until July 26, 2021, they will be redirecting forwarded and relayed emails from all domains (including those that are not accepted domains). After that date, however, forwarded emails will no longer be directed through the Special Relay Pools but through the Regular Relay Pools (or high-risk delivery pools).

How This Will Impact Your Organization

Once the changes mentioned above are implemented, messages that do not meet the criteria below will be routed through the Regular Relay Pool. As a result, those emails might end up in the recipient’s spam folder.

1. Outbound sender domain must be an accepted domain of the tenant.

2. The SPF check passes when the email arrives at the Microsoft Office 365 server.

3. The DKIM check passes when the email arrives at the Microsoft Office 365 server.

Emails that meet the above criteria will not be relayed through the Regular Relay Pool. However, the SRS rewrite will be skipped for forwarded emails that do not pass the three-point criteria above. In essence, emails sent from domains that are not accepted domains in your tenant will be impacted by this change.

 

What You Can Do To Prepare For This Change

When the changes are in effect, you can identify whether an email was sent via the Relay Pool by either:

  1. Checking the outbound server IP (the IP range of all Regular Relay Pools will be 40.95.0.0/16), or
  2. Checking the outbound server name (which will have “rly” in the name).
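Both checks can be run against the Received headers of a delivered message. The script below is an added example, not code from Microsoft or from this article's author. Only the 40.95.0.0/16 range and the “rly” marker come from the text above; the function name, the sample message, its hostnames and its addresses are constructed for illustration.

```python
import email
import ipaddress
import re

# Both indicators are taken from the article; everything else is illustrative.
RELAY_POOL_NET = ipaddress.ip_network("40.95.0.0/16")
RELAY_NAME_MARKER = "rly"
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample message: hostnames and addresses are invented.
SAMPLE = """\
Received: from nam00-rly-obe.relay.example (40.95.12.34) by
 mx.recipient.example with ESMTPS; Tue, 27 Jul 2021 10:00:02 +0000
Received: from mailhost.sender.example (203.0.113.7) by
 inbound.relay.example; Tue, 27 Jul 2021 10:00:00 +0000
From: sender@yoursecondarydomain.com
To: user@recipient.example
Subject: forwarded report

body
"""

def relay_pool_hops(raw_message):
    """Return [(sending_host, reasons)] for Received hops matching either indicator."""
    hits = []
    for value in email.message_from_string(raw_message).get_all("Received", []):
        text = " ".join(value.split())                      # unfold the header
        from_clause = re.split(r"\sby\s", text, maxsplit=1)[0]
        m = re.match(r"from\s+(\S+)", from_clause, re.I)
        if not m:
            continue
        host, reasons = m.group(1), []
        # Substring match as the article describes; on its own it is a weak
        # signal, since unrelated hostnames can contain "rly" too.
        if RELAY_NAME_MARKER in host.lower():
            reasons.append("name")
        for candidate in _IPV4.findall(from_clause):
            try:
                in_pool = ipaddress.ip_address(candidate) in RELAY_POOL_NET
            except ValueError:                              # e.g. 999.1.1.1
                continue
            if in_pool:
                reasons.append("ip")
                break
        if reasons:
            hits.append((host, reasons))
    return hits

if __name__ == "__main__":
    for host, reasons in relay_pool_hops(SAMPLE):
        print(host, "+".join(reasons))
```

A hop flagged by name only deserves a second look before you conclude it went through the relay pool; the IP range is the stronger of the two indicators.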

For the emails to go through the Regular Relay Pool, you will need to ensure that they pass SPF and DKIM checks or the sender domain of the outbound message matches an accepted domain of your tenant.

 

Additional Info: How To Enable DKIM For Your Domain(s) & Add Custom Domains

To comply with the above changes, ensure you enable DKIM for the sending domain(s). For example, suppose yoursecondarydomain.com is one of the accepted domains of yourprimarydomain.com. If the sending address is sender@yoursecondarydomain.com, DKIM needs to be enabled for yoursecondarydomain.com. For more information on how you can enable DKIM on Microsoft Office 365, you can go through here.

To add custom domains, you can follow the steps outlined here.

 

Final Words

If you use the Microsoft Office 365 SMTP server for forwarding or relaying emails, it is strongly recommended to make the changes mentioned above before July 27, 2021. Otherwise, your emails may have to go through the Regular Relay Pools (or high-risk relay pools), where there is no guarantee that they will land in the desired inbox folder rather than in spam/junk folders. If you want to avoid this hassle altogether, you can consider switching to DuoCircle’s reliable SMTP server as your outbound relay and rest assured that all your emails will be delivered via a dedicated or good-reputation IP, so they always land in recipients’ primary mailbox.

 