Home » Exchange Server » Switching Hybrid Mail Flow to Use Exchange Online Protection for Inbound Email

Switching Hybrid Mail Flow to Use Exchange Online Protection for Inbound Email

In the previous article in this series on Hybrid configuration, we looked at testing a new Hybrid configuration between on-premises Exchange and Office 365.

In this article I’m going to demonstrate the cutover of inbound mail flow from the on-premises Exchange servers to Exchange Online, so that the organization can use Exchange Online Protection (EOP) for email anti-spam and anti-malware protection.

Currently the mail flow looks like the diagram below. The MX records for the domain are pointing to the on-premises environment, which is using an Edge Transport server to receive incoming email.


In your own scenario the Edge Transport isn’t mandatory, and could just as easily be a third party email security appliance, a cloud-hosted service, or mail might be going directly to Exchange. Whatever the case, if you’re planning to start using EOP to protect your email then you can still follow this guide.

EOP is already enabled for all Exchange Online tenants, so there’s nothing specifically required from you to turn it on or get it working. However, you might want to spend a little time looking at the EOP configuration, before you cut over mail flow to it. This is especially true if you are switching from a different email security appliance or system. Although all of these products basically do the same thing, they all do it in different ways, and they all have different administrative options and controls.

You can find the Exchange Online Protection settings for your Office 365 tenant by logging in to the Exchange admin center, and then navigating to the protection settings.

Once you’re happy with the EOP settings for your tenant, and assuming that mail flow between the cloud and on-premises servers has been successfully tested, it’s time to change your MX records. The MX record that will point your domain’s email to EOP is found in the Office 365 admin center by navigating to Domains, and then clicking Domain settings for your domain name.


DNS changes of this nature can take some time to take effect, even if you have a low TTL set on your DNS records already. I recommend not making any changes to your firewall or any other configuration that might cut off your on-premises server from receiving emails, until perhaps 24-48 hours after the DNS change when you’ve confirmed that mail flow is going via EOP.

The end state will be something like the diagram below. If you don’t have an Edge Transport server, mail flow from EOP will go to one or more of your other Exchange servers.


You can test the MX record change by sending emails from external sources, such as Gmail, and then inspecting the headers (ExRCA has an analyzer you can use for this) after the messages arrive. You should see the emails go from Gmail to Microsoft’s EOP servers (with names like DB3FFO11FD931.mail.protection.outlook.com), before they are routed on to your on-premises servers.


Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


  1. filip says:

    If mx points to o365 it is necessary that domain in o365 is internal relay domain.
    Also check the OOF config as external OOF message will be send to * domain and thus also to internal users.

  2. jay c says:


    I’ve moved all of the mailboxes for one email domain (I have multiple accepted domains in my Exchange org) to the cloud and I’ve changed my MX record to point to protection.outlook.com. Messages are going to outlook.com as intended, but then they’re routed to my on-premise servers before being sent right back to outlook.com. How can I prevent messages destined for this one domain from routing through my on-premise servers?

    • That would be expected behaviour if centralized transport was enabled when running the HCW. If you don’t want centralized transport you can re-run the HCW and remove that option.

  3. Nathan says:


    We have an Exchange 2010 Hybrid server with on premise and 356 mail accounts.

    Would internal mail still be delivered if the internet connection went down?


  4. Sharath says:

    A query related to the EOP licensing… I am undertaking a hybrid deployment with O365 and Exchange 2013. Out of 1500 users, 500 will move to O365 enterprise, the rest will remian on-premise. Do i need to procure additional EOP licenses for the on-premise users. I already have a Barracuda serving for on-premise antispam filters.

    The MX is to point to the O365/EOP instance.

  5. Nagaraj says:

    Hello Paul,

    I have one Question, we are planning to moved to my all Mailbox’s On-Premises to office 365 (hybrid Inverolment) . At On-Premises configuration we have Iron port and McAfee saas modual (Email Security), My Question is after moved my mailbox’s to could the email routing also same configuration ….? (Like McAfee –> Ironport –> Exchange) or i need to change the email routing on Direct to Office 365 …? which one Secure

  6. Tom says:

    My company is currently planning to migrate to Office 365, We have Exchange 2010 with Outlook 2007 SP3 – 2016 RTM.
    Our mail flow is currently routing through EOP and out to ON-Prem.

    On Plan is to do a Hybrid migration.
    Question – Since our MX records already point to EOP do we need to make changes to them?
    Question 2 – What changes do we make in EOP to get the messages to flow into the online mailboxes?
    Question 3 – Since we are in a hybrid migration, and during the migration, will mail flow into the on-prem servers and them to O365?


  7. Glenn says:


    Loved the article! To the point, good image usage, simply awesome! Best one I have seen so far, and I have seen a lot of them.

  8. Rini says:

    Hi Paul,

    Great article.My domain is moved to another office365 tenant. All mailboxes are still on premise, How to reconfigure the existing hybrid setup , Exchange2010. I have Azure AD sync


Leave a Reply

Your email address will not be published. Required fields are marked *