Home » Exchange Server » Switching Hybrid Mail Flow to Use Exchange Online Protection for Inbound Email

Switching Hybrid Mail Flow to Use Exchange Online Protection for Inbound Email

In the previous article in this series on Hybrid configuration, we looked at testing a new Hybrid configuration between on-premises Exchange and Office 365.

In this article I’m going to demonstrate the cutover of inbound mail flow from the on-premises Exchange servers to Exchange Online, so that the organization can use Exchange Online Protection (EOP) for email anti-spam and anti-malware protection.

Currently the mail flow looks like the diagram below. The MX records for the domain are pointing to the on-premises environment, which is using an Edge Transport server to receive incoming email.


In your own scenario the Edge Transport isn’t mandatory, and could just as easily be a third party email security appliance, a cloud-hosted service, or mail might be going directly to Exchange. Whatever the case, if you’re planning to start using EOP to protect your email then you can still follow this guide.

EOP is already enabled for all Exchange Online tenants, so there’s nothing specifically required from you to turn it on or get it working. However, you might want to spend a little time looking at the EOP configuration, before you cut over mail flow to it. This is especially true if you are switching from a different email security appliance or system. Although all of these products basically do the same thing, they all do it in different ways, and they all have different administrative options and controls.

You can find the Exchange Online Protection settings for your Office 365 tenant by logging in to the Exchange admin center, and then navigating to the protection settings.

Once you’re happy with the EOP settings for your tenant, and assuming that mail flow between the cloud and on-premises servers has been successfully tested, it’s time to change your MX records. The MX record that will point your domain’s email to EOP is found in the Office 365 admin center by navigating to Domains, and then clicking Domain settings for your domain name.


DNS changes of this nature can take some time to take effect, even if you have a low TTL set on your DNS records already. I recommend not making any changes to your firewall or any other configuration that might cut off your on-premises server from receiving emails, until perhaps 24-48 hours after the DNS change when you’ve confirmed that mail flow is going via EOP.

The end state will be something like the diagram below. If you don’t have an Edge Transport server, mail flow from EOP will go to one or more of your other Exchange servers.


You can test the MX record change by sending emails from external sources, such as Gmail, and then inspecting the headers (ExRCA has an analyzer you can use for this) after the messages arrive. You should see the emails go from Gmail to Microsoft’s EOP servers (with names like DB3FFO11FD931.mail.protection.outlook.com), before they are routed on to your on-premises servers.


Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


  1. filip says:

    If mx points to o365 it is necessary that domain in o365 is internal relay domain.
    Also check the OOF config as external OOF message will be send to * domain and thus also to internal users.

  2. jay c says:


    I’ve moved all of the mailboxes for one email domain (I have multiple accepted domains in my Exchange org) to the cloud and I’ve changed my MX record to point to protection.outlook.com. Messages are going to outlook.com as intended, but then they’re routed to my on-premise servers before being sent right back to outlook.com. How can I prevent messages destined for this one domain from routing through my on-premise servers?

    • That would be expected behaviour if centralized transport was enabled when running the HCW. If you don’t want centralized transport you can re-run the HCW and remove that option.

  3. Nathan says:


    We have an Exchange 2010 Hybrid server with on premise and 356 mail accounts.

    Would internal mail still be delivered if the internet connection went down?


  4. Sharath says:

    A query related to the EOP licensing… I am undertaking a hybrid deployment with O365 and Exchange 2013. Out of 1500 users, 500 will move to O365 enterprise, the rest will remian on-premise. Do i need to procure additional EOP licenses for the on-premise users. I already have a Barracuda serving for on-premise antispam filters.

    The MX is to point to the O365/EOP instance.

  5. Nagaraj says:

    Hello Paul,

    I have one Question, we are planning to moved to my all Mailbox’s On-Premises to office 365 (hybrid Inverolment) . At On-Premises configuration we have Iron port and McAfee saas modual (Email Security), My Question is after moved my mailbox’s to could the email routing also same configuration ….? (Like McAfee –> Ironport –> Exchange) or i need to change the email routing on Direct to Office 365 …? which one Secure

  6. Tom says:

    My company is currently planning to migrate to Office 365, We have Exchange 2010 with Outlook 2007 SP3 – 2016 RTM.
    Our mail flow is currently routing through EOP and out to ON-Prem.

    On Plan is to do a Hybrid migration.
    Question – Since our MX records already point to EOP do we need to make changes to them?
    Question 2 – What changes do we make in EOP to get the messages to flow into the online mailboxes?
    Question 3 – Since we are in a hybrid migration, and during the migration, will mail flow into the on-prem servers and them to O365?


  7. Glenn says:


    Loved the article! To the point, good image usage, simply awesome! Best one I have seen so far, and I have seen a lot of them.

  8. Rini says:

    Hi Paul,

    Great article.My domain is moved to another office365 tenant. All mailboxes are still on premise, How to reconfigure the existing hybrid setup , Exchange2010. I have Azure AD sync


  9. Mark says:


    we are in the middle of a hybrid setup between local Exchange 2013 and Office 365. All mail from local exchange mailboxes is routet to the Internet via 3rd party antispam/antivirus appliance. We have configured centralized mail transport for hybrid so all mail from Office 365 mailboxes flows through the on premises exchange organization and then through the 3rd party antispam/antivirus appliance to the internet.
    Only 1/3 of mailboxes are migrated.

    We now need to get rid of the 3rd party antispam/antivirus appliance and want to use EOP completely for incoming (change mx) and outgoing mailflow from either local exchange mailboxes or Office 365 mailboxes.

    There are good documentations about using EOP for incoming mailflow in hybrid (like yours), would work without a problem. But how can we ensure that all outgoing mailflow uses EOP in this hybrid situation? Is this supported, what do we have to do to make it work?

  10. Steve says:

    Hey Paul,

    Nice write-up

    I have a question.

    Currently I am in a hybrid with centralized transport enabled. I want to re-direct all inbound & outbound through 365, & not through my on-prem org any longer.

    I am unable to find any information on how to switch/disable the centralized transport.
    Would we have to switch the MX(s) to 365, then re-run the Hybrid config wizard?

  11. Jason Lees says:

    Hi Paul,

    Your answer to Steve has confirmed what I thought, thanks. I have 2 questions about completion to office365, apologies if you have already answered this before.

    Question 1
    I have an on premise Exchange 2010 with HCW deployment using ADFS and have completed migration to Office365. If I remove the HCW does that stop me from administrating/creating future mailbox’s without manually using Office365 and local AD?

    Question 2
    I would like to decommission my current Exchange 2010 server and replace with an Exchange 2016 server and take advantage using the free HCW license offered by Microsoft. I understand that Exchange 2016 does not recognise a 2010 HCW so I would assume that would need to be removed first. Can this been done from Exchange 2016? Would you recommend this as Exchange 2010 is no longer being supported.

    Finally many thanks for your guides that you have posted over the years online they have been a great support and enable me to get this far over the years 🙂

    • HCW = Hybrid Configuration Wizard. It’s a tool that you run to configure a hybrid between Exchange on-premises and Exchange Online/Office 365. It’s not a thing that you “remove” or that Exchange 2016 needs to “recognize”.

      To answer what I think are your questions:
      – You can deploy an Exchange 2016 server to facilitate the hybrid functionality.
      – The free license is not applicable to customers who have Exchange 2010 servers, only 2007 or earlier (you can check the TechNet page for more info on that)
      – If you want to deploy Exchange 2016 and have it facilitate the hybrid connectivity, you will need to re-run the HCW to reconfigure the hybrid configuration (among all the other deploy/co-exist/migration/decomm steps to make that 2010 -> 2016 transition).

  12. Jason Lees says:

    Thanks Paul, Yes you have answered my questions.

    My understanding is limited to what I have read and interpreted online, I will definitely have to invest in one of your books in future.

    That said I have managed to keep a company’s e-mail working in the last 8 years with only a few hours of down time (I wouldn’t have been employed here long if it were more). Migrating them from Exchange 2003 to 2010 and now completed an office 365 migration for 400 mailboxes who use 4 different company domain names all working from 2 Exchange servers in a DAG…..so I can’t be to bad at this.

    Thanks again.

  13. James says:

    Hi Paul,

    Great post.

    Can you please help, my setup is;

    2 x Exchange 2010 servers in a DAG
    Exchange 2010 Hybrid environment
    Running ADConnect for ADFS

    I have migrated all mailboxes to the cloud and changed Autodiscover and DNS to point to Office 365, mail flow is working fine.

    I would like to continue using ADFS and install a single VM Exchange 2016 server only for administration of mailboxes and decommission the Exchange 2010 servers.

    Can you please advise me on the best way i could achieve this?

    Do i still require a Hybrid setup if i am only using Exchange 2016 for admin purposes?

    Much appreciated.

    • Do a standard migration from 2010 to 2016. You can re-run the Hybrid Configuration Wizard to update it when the 2016 server is in place. Plan for firewall changes etc for hybrid connectivity to the new server.

      Whether you keep the Hybrid config in place or not is a decision for you. I would keep it in most cases.

  14. AL NG says:

    Hi Paul,

    Thank you for the guide. My outbound/inbound for emails going through Proofpoint thus MX records are of theirs. Now some of my mailboxes will be migrated to Exchange Online but I still want to retain Proofpoint for my other on-premise mailboxes

    So, can I add MS MX record to the existing Proofpoint’s and give it higher priority? Or I have to remove Proofpoint MX records completely? Thank you.

    • If you want inbound mail to keep going through Proofpoint you’ll need to leave your MX records pointing at Proofpoint.

      MX records can’t be used to differentiate mail for on-prem vs cloud mailboxes. It’s just a DNS record.

  15. Brad says:

    Hoping you can shed some light on this scenario:
    On-premise (physical) exchange 2013 server (Single Server)
    Migration to O365 completed (using ADSync)
    Has been running smooth for months, ready to decommission on-premise physical Exchange. Read benefits for retaining an on-prem exchange (2010) server for management of the ADsync exchange attributes. I created a new Windows VM to host the Exchange Management functionality, but I cannot find ANY procedure for ensuring this new VM/ExchMgmnt Server will function after decommission of the old on-premise physical Exchange.
    Any guidance is greatly appreciated!

  16. Prabodha says:

    Hi Paul,
    I followed your article and successfully setup the Hybrid with Exch 2013 (DAG) with Office 365. I want to keep the Hybrid setup for a longer time. I have only few users migrated to Exchange Online, however is it OK to change the MX pointer to Office365 even there are larger mails are still on-premise?

    Second, what about on-premise outgoing mails. Currently we are sending mails through a third party Smarthost. But we want to send mails through Office365. Now after hybrid setup, there are two Send connectors in exchange server. How can I achieve to send mails thru Office 365 only and not use the smarthost for outside mails?


  17. Daniel Woodward says:

    How does the existing, in my example Exchange 2010 Server send mail? Does it route everything through Office 365 first?

    I am concerned with this because I am wondering if I need to include my on-site in the SPF/DKIM scheme we will be setting up along with the move to Office 365.

  18. Tony says:

    I just wanted to confirm that by routing all the emails to Exchange Online instead of on-premise (there will be no on-premise mailboxes) that any Outlook clients will have to be reconfigured if they were initially configured for on-premise. Is that a correct?

Leave a Reply

Your email address will not be published. Required fields are marked *