Set up Exchange Online Protection for on-premises organizations

If you use Exchange Online Protection (EOP) for cloud protection of an on-premises email environment, this article explains how to set up EOP.

If you landed here from the Office 365 domains wizard, go back to the Office 365 domains wizard if you don't want to use EOP.

If you're looking for more information on how to configure connectors, see Configure mail flow using connectors in Office 365.

Note

Hosting mailboxes in the cloud and in on-premises Exchange is known as a hybrid deployment. Hybrid deployments require advanced mail-flow settings. For more information, see Exchange Server hybrid deployments.

What do you need to know before you begin?

  • Estimated time to complete this task: One hour

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

    • Exchange Online Protection permissions: You need the Remote and Accepted Domains role, which is assigned to the Organization Management and Mail Flow Administrator role groups by default.

    • Microsoft Entra permissions: Membership in the Global Administrator role.

      Important

      Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

  • If you aren't already signed up for EOP for cloud protection of on-premises email environments, visit Exchange Online Protection and choose to buy or try the service.

  • For information about keyboard shortcuts that might apply to the procedures in this article, see Keyboard shortcuts for the Exchange admin center in Exchange Online.

Step 1: Use the Microsoft 365 admin center to add and verify your domain

  1. In the Microsoft 365 admin center at https://admin.microsoft.com, go to Setup > Get your custom domain set up to add your domain to the service.

  2. Follow the steps to add the applicable DNS records to your DNS-hosting provider in order to verify domain ownership.

Add a domain to Office 365 and Create DNS records at any DNS hosting provider for Office 365 are helpful references as you add your domain to the service and configure DNS.

Step 2: Add recipients and optionally enable DBEB

Before configuring your mail to flow to and from EOP, we recommend adding your recipients to the service. There are different ways to add recipients, as documented in Manage mail users in Exchange Online.

Also, if you want Directory Based Edge Blocking (DBEB) to enforce recipient verification, you need to set your domain type to Authoritative. For more information about DBEB, see Use Directory Based Edge Blocking to reject messages sent to invalid recipients.

Step 3: Use the EAC to set up mail flow

Create connectors in the Exchange admin center (EAC) that enable mail flow between EOP and your on-premises mail servers. For detailed instructions, see Set up connectors to route mail between Microsoft 365 and your own email servers.

To verify mail flow between EOP and your on-premises environment, see Test mail flow by validating your Microsoft 365 connectors.

Step 4: Allow inbound port 25 SMTP access

  1. After you configure connectors, wait 72 hours to allow propagation of your DNS record updates.
  2. Restrict inbound traffic on TCP port 25 (SMTP) on your firewall to accept mail only from the cloud datacenters as listed in Microsoft 365 URLs and IP address ranges. This step protects your on-premises environment by limiting the scope of inbound messages you can receive.
  3. Update any email server settings that control the IP addresses allowed to connect for mail relay.

Tip

Configure settings on the SMTP server with a connection timeout of 60 seconds. This setting is acceptable for most situations, allowing for some delay in the case of a message sent with a large attachment, for example.
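The firewall and relay restrictions in Step 4 are only as good as the address list they are built from, and that list changes over time. The following script is an added example (not Microsoft's code) that shows the check a practitioner would run: read an endpoints list in the shape of the Microsoft 365 endpoints feed, keep only the Exchange ranges that need inbound TCP 25, test whether a connecting address is covered, and reconcile the firewall's current allowlist against the required ranges. The JSON and every address range in it are constructed placeholders, not Microsoft's real ranges; the live list must come from Microsoft 365 URLs and IP address ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of the Microsoft 365 endpoints web service
# output (a JSON list of endpoint sets). The address ranges are placeholders
# (RFC 5737 / RFC 3849 documentation space), NOT Microsoft's real ranges.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 10, "serviceArea": "Exchange", "category": "Allow", "required": true,
   "ips": ["203.0.113.0/24", "2001:db8:10::/48"], "tcpPorts": "25"},
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "ips": ["198.51.100.0/24"], "tcpPorts": "80,443"},
  {"id": 56, "serviceArea": "Common", "category": "Allow", "required": true,
   "urls": ["example.invalid"], "tcpPorts": "443"}
]
"""


def smtp_ranges(endpoints_json):
    """Return the networks that must be allowed to reach on-premises TCP 25.

    Only Exchange service-area entries whose tcpPorts include 25 matter for
    inbound SMTP; web ports and other service areas are ignored.
    """
    nets = []
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") != "Exchange":
            continue
        ports = {p.strip() for p in entry.get("tcpPorts", "").split(",")}
        if "25" not in ports:
            continue
        for cidr in entry.get("ips", []):
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def is_allowed_sender(ip, nets):
    """True if a connecting address falls inside one of the required ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def reconcile_allowlist(current_rules, nets):
    """Compare the firewall's current allowed CIDRs with the required ranges.

    Returns (missing, stale): ranges to add, and ranges that no longer appear
    in the feed and should be reviewed before removal.
    """
    required = {str(n) for n in nets}
    current = {str(ipaddress.ip_network(c, strict=False)) for c in current_rules}
    return sorted(required - current), sorted(current - required)


if __name__ == "__main__":
    nets = smtp_ranges(SAMPLE_ENDPOINTS_JSON)
    print("Required inbound SMTP ranges:", [str(n) for n in nets])
    # Constructed snapshot of what a firewall currently allows on port 25.
    missing, stale = reconcile_allowlist(["203.0.113.0/24", "192.0.2.0/24"], nets)
    print("Add:", missing)
    print("Review for removal:", stale)
```

The same reconcile step applies to the mail server's own relay settings (Step 4, item 3): feed it the connector's current remote IP ranges instead of the firewall rules.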

Step 5: Ensure that spam is routed to each user's Junk Email folder

To ensure that spam (junk) email is routed correctly to each user's Junk Email folder in on-premises Exchange, you need to do a couple of configuration steps to translate EOP spam verdicts to values that on-premises Exchange can use. The steps are provided in Deliver cloud-detected spam to the Junk Email folder in on-premises mailboxes.

If you don't want to move messages to each user's Junk Email folder, you can choose a different action by editing your anti-spam policies. For more information, see Configure anti-spam policies in cloud organizations.
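To make the translation in Step 5 concrete, here is an added example (not from the page or from Microsoft) of how the cloud verdict is read. EOP stamps each message with an X-Forefront-Antispam-Report header made of semicolon-separated key:value fields, including the spam filter verdict (SFV) and the cloud spam confidence level (SCL). The sample header values are constructed, and the verdict-to-SCL mapping (SPM, SKS and SKB treated as spam and raised to SCL 6, other verdicts left untouched) is an assumption for illustration; take the actual rule definitions from the linked article.

```python
# Constructed sample header values (addresses and hostnames are placeholders).
SPAM_REPORT = ("CIP:203.0.113.5;CTRY:XX;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
               "H:mail.example.invalid;PTR:;CAT:SPM;DIR:INB")
CLEAN_REPORT = ("CIP:198.51.100.8;CTRY:XX;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;"
                "H:mx.example.invalid;PTR:;CAT:NONE;DIR:INB")

# Assumed mapping for the on-premises transport rule: cloud verdicts that mean
# "spam" are translated to an SCL the on-premises Junk Email threshold acts on.
SPAM_VERDICTS = {"SPM", "SKS", "SKB"}
ON_PREM_JUNK_SCL = 6


def parse_antispam_report(header_value):
    """Split 'KEY:value;KEY:value' into a dict; empty values are kept as ''."""
    fields = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def on_prem_scl(header_value):
    """Return the SCL the on-premises rule should set, or None to leave it.

    A spam verdict wins regardless of the cloud SCL field. With no SFV field
    at all, the message is left alone rather than guessed at.
    """
    fields = parse_antispam_report(header_value)
    verdict = fields.get("SFV")
    if verdict in SPAM_VERDICTS:
        return ON_PREM_JUNK_SCL
    return None


if __name__ == "__main__":
    for label, report in (("spam", SPAM_REPORT), ("clean", CLEAN_REPORT)):
        print(label, parse_antispam_report(report).get("SFV"), on_prem_scl(report))
```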

Step 6: Use the Microsoft 365 admin center to point your MX record to Microsoft 365

Follow the domain configuration steps to update the MX record for your domain, so that your inbound email flows through Microsoft 365. Be sure to point your MX record directly to Microsoft 365 instead of a non-Microsoft service. For more information, you can again reference Create DNS records for Office 365.

Note

If you must point your MX record to another server or service that sits in front of Microsoft 365, see Enhanced Filtering for Connectors in Exchange Online.

How do you know your MX record points to Microsoft 365?

At this point, you verified service delivery for a properly configured on-premises Send connector, and you verified your MX record points to Microsoft 365. You can now choose to run the following additional tests to verify that an email will be successfully delivered by the service to your on-premises environment:

  • Check mail flow between the service and your environment. For more information, see Test mail flow by validating your Microsoft 365 connectors.
  • Send an email message from any web-based email account to a mail recipient in your organization whose domain matches the domain you added to the service. Confirm delivery of the message to the on-premises mailbox using Microsoft Outlook or another email client.
  • If you want to run an outbound email test, you can send an email message from a user in your organization to an external email service.
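Before running the delivery tests above, it is worth confirming the MX record programmatically rather than by eye, since a record that still points at a third-party filter in front of Microsoft 365 is the case the Note in Step 6 warns about. The following is an added example (not the page's own code) that parses MX answers in zone-file form, picks the lowest-preference host, and checks that it sits under mail.protection.outlook.com, the suffix used by Microsoft 365 MX records in the worldwide cloud (other clouds use a different suffix, which this example does not cover). The two answer sets are constructed; resolve your own domain and paste the answer in their place.

```python
MICROSOFT_365_MX_SUFFIX = ".mail.protection.outlook.com"

# Constructed MX answers in zone-file form (what a resolver query prints).
CORRECT_MX = """
contoso.com.  3600  IN  MX  0  contoso-com.mail.protection.outlook.com.
"""
THIRD_PARTY_MX = """
contoso.com.  3600  IN  MX  10  mx2.filter.example.invalid.
contoso.com.  3600  IN  MX  5   mx1.filter.example.invalid.
"""


def parse_mx_records(answer_text):
    """Return a list of (preference, hostname) from zone-file style MX lines.

    Hostnames are lower-cased with the trailing dot removed; lines that are
    not MX records (blank lines, other types) are skipped.
    """
    records = []
    for line in answer_text.splitlines():
        tokens = line.split()
        if "MX" not in tokens:
            continue
        i = tokens.index("MX")
        if len(tokens) < i + 3:
            continue
        preference = int(tokens[i + 1])
        host = tokens[i + 2].rstrip(".").lower()
        records.append((preference, host))
    return records


def primary_mx(records):
    """The host mail is delivered to first: the lowest preference value."""
    if not records:
        return None
    return min(records)[1]


def mx_points_to_microsoft365(answer_text):
    """True only if the primary MX host is a Microsoft 365 MX endpoint."""
    host = primary_mx(parse_mx_records(answer_text))
    return host is not None and host.endswith(MICROSOFT_365_MX_SUFFIX)


if __name__ == "__main__":
    for label, answer in (("correct", CORRECT_MX), ("third-party", THIRD_PARTY_MX)):
        print(label, primary_mx(parse_mx_records(answer)),
              mx_points_to_microsoft365(answer))
```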

Tip

After you've completed the setup steps in this article, you don't need to do extra steps for EOP to protect your on-premises organization from spam and malware. However, you can fine-tune your settings based on your business requirements. For more information, see Get started with Microsoft Defender for Office 365: Step 2: Configure protection policies.