A reader emailed to ask:
During a Hybrid deployment, where should the MX records point for mail flow?
This question is asked quite often during customer projects, and the answer is really “it depends”. Let’s take a look at some of the common scenarios I encounter in the field for configuring MX records in a Hybrid deployment.
Scenario 1 – MX Records Pointing to On-Premises Exchange Servers
This scenario of MX records pointing to on-premises Exchange servers is usually due to one or both of the following business and technical requirements:
- The majority of the organization’s mailboxes are on-premises
- The customer needs to use centralized transport to meet their compliance requirements
The effect of this configuration is that email from the internet is received first by on-premises Exchange, and then routed to Exchange Online for any cloud mailboxes. Often when customers are beginning a Hybrid deployment and are only moving a small number of pilot users to the cloud, they will retain the MX records pointing to on-premises Exchange. Later, as the migration progresses, they may choose to cut the MX records over to Office 365 instead, especially if going “full cloud” is the plan.
MX records pointing at on-premises Exchange are often combined with centralized transport, which means that outbound email from Exchange Online mailboxes is routed via on-premises Exchange as well. Centralized transport is often used to meet a compliance requirement, for example journalling all email messages, holding outbound email messages for moderation, or stamping all outbound emails with a disclaimer.
The on-premises server used in this topology may also be an Edge Transport server if the organization requires SMTP traffic to traverse a perimeter network instead of internal servers.
Scenario 2 – MX Records Pointing to Office 365
This scenario of MX records pointing to Office 365 is usually due to one or both of the following requirements:
- The majority of mailboxes are in Exchange Online
- The customer is using Exchange Online Protection for email hygiene
The effect of this configuration is that inbound email is first received by Office 365 where it is scanned by Exchange Online Protection before it is routed to cloud or on-premises mailboxes. This solution can replace third party email hygiene products and services, which is convenient for customers that want to reduce costs and leverage the security of Exchange Online Protection to protect their email.
As with the first scenario the routing between Exchange on-premises and Exchange Online can be via an Edge Transport server if the organization requires it.
In this configuration you should take care to configure your firewall to only allow inbound SMTP from the Office 365 IP ranges. Otherwise you may find that even though no MX records point to the Exchange server, attackers will still discover the open SMTP port with an active server listening and will target it with spam, malware and phishing emails anyway. Keep in mind that the Office 365 IP ranges are published by Microsoft and change over time, so the firewall rules need to be maintained from the current published list rather than set once and forgotten.
Scenario 3 – MX Records Pointing to a Third Party Device or Service
In this final scenario the MX records for the domain are pointing to a third party email security device or service. This may be a cloud-hosted service, or it may be a virtual appliance running inside of the corporate network. This solution is often used when the company has a third party email security device or service that they wish to continue using, either due to a subscription that is yet to expire, a specific feature that they rely on, or a determination that it will provide more effective protection than Exchange Online Protection.
Where the email is routed after the third party device or service processes it can be either Exchange on-premises, or Exchange Online.
This decision usually depends on the same factors as the previous scenarios – whether the majority of mailboxes are on-premises or online, and whether centralized transport is used.
Again, care should be taken to ensure that the internal Exchange server is not exposed to direct SMTP connections from the internet. The firewall should only allow inbound SMTP to Exchange from the email security device or service, from Office 365, or from both, depending on the mail routing requirements.
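The two checks this article keeps coming back to, working out which scenario a domain's MX records actually describe, and confirming that inbound TCP/25 to the on-premises Exchange server is only allowed from the intended relays (Office 365 in Scenario 2, the third party device or service in Scenario 3, or both), can be scripted. The following Python is an added example written for this article; it is not Microsoft code and not part of the original post. The MX hosts, the trusted source ranges and the firewall rules are constructed samples: in practice the MX hosts come from DNS (for example Resolve-DnsName contoso.com -Type MX), the Office 365 ranges from the Office 365 IP address and URL web service, and the rules from an export of your edge firewall, whose rule shape is assumed here.

```python
"""Audit MX targets and inbound TCP/25 exposure for an Exchange Hybrid domain.

Added example for this article; not Microsoft code and not the article's own.
All hosts, IP ranges and firewall rules below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass

# Exchange Online Protection MX targets end in this suffix
# (for example contoso-com.mail.protection.outlook.com).
O365_MX_SUFFIX = ".mail.protection.outlook.com"


@dataclass(frozen=True)
class FirewallRule:
    """One inbound rule on the edge firewall in front of Exchange (assumed shape)."""
    name: str
    source: str      # CIDR of permitted source addresses
    dest_port: int
    action: str      # "allow" or "deny"


def _norm(host):
    """Lower-case a DNS name and drop the trailing dot DNS tools often return."""
    return host.lower().rstrip(".")


def classify_mx(mx_hosts, onprem_hosts):
    """Map each MX host to one of the article's scenarios.

    Returns (per_host, verdict); verdict is 'office365', 'on-premises',
    'third-party', 'mixed' (hosts fall into more than one class) or 'none'.
    """
    onprem = {_norm(h) for h in onprem_hosts}
    per_host = {}
    for raw in mx_hosts:
        host = _norm(raw)
        if host.endswith(O365_MX_SUFFIX):
            per_host[host] = "office365"
        elif host in onprem:
            per_host[host] = "on-premises"
        else:
            per_host[host] = "third-party"
    kinds = set(per_host.values())
    if not kinds:
        verdict = "none"
    elif len(kinds) == 1:
        verdict = kinds.pop()
    else:
        verdict = "mixed"
    return per_host, verdict


def smtp_exposure(rules, trusted_sources, smtp_port=25):
    """Return names of allow rules for the SMTP port whose source range is not
    wholly inside one of the trusted relay ranges.

    A rule like 0.0.0.0/0 -> 25 is the typical leftover from before the MX
    cutover: no MX record points at the server, but the listener is still
    reachable by anyone scanning for port 25.
    """
    trusted = [ipaddress.ip_network(t, strict=False) for t in trusted_sources]
    exposed = []
    for rule in rules:
        if rule.action != "allow" or rule.dest_port != smtp_port:
            continue
        src = ipaddress.ip_network(rule.source, strict=False)
        # subnet_of() only compares networks of the same IP version.
        covered = any(src.version == t.version and src.subnet_of(t) for t in trusted)
        if not covered:
            exposed.append(rule.name)
    return exposed


def audit(mx_hosts, onprem_hosts, rules, trusted_sources):
    """Run both checks; returns (mx_verdict, exposed_rule_names)."""
    _, verdict = classify_mx(mx_hosts, onprem_hosts)
    return verdict, smtp_exposure(rules, trusted_sources)


# Constructed sample inputs (illustrative only). 203.0.113.0/24 stands in for
# the published Office 365 ranges; 198.51.100.10 stands in for a third party
# email security appliance that has not yet been added to the trusted list.
SAMPLE_MX = ["contoso-com.mail.protection.outlook.com."]
SAMPLE_ONPREM = ["mail.contoso.com", "edge01.contoso.com"]
SAMPLE_TRUSTED = ["203.0.113.0/24"]
SAMPLE_RULES = [
    FirewallRule("Allow-O365-SMTP", "203.0.113.0/24", 25, "allow"),
    FirewallRule("Allow-Any-SMTP", "0.0.0.0/0", 25, "allow"),          # pre-cutover leftover
    FirewallRule("Allow-MailFilter-SMTP", "198.51.100.10/32", 25, "allow"),
    FirewallRule("Allow-Any-HTTPS", "0.0.0.0/0", 443, "allow"),        # not SMTP, ignored
]

if __name__ == "__main__":
    verdict, exposed = audit(SAMPLE_MX, SAMPLE_ONPREM, SAMPLE_RULES, SAMPLE_TRUSTED)
    print("MX scenario:", verdict)
    for name in exposed:
        print("inbound TCP/25 allowed from an untrusted source:", name)
```

Run against the sample data the script reports the Office 365 scenario and flags both the catch-all rule and the appliance rule; adding the appliance's address to the trusted list (as you would in Scenario 3) clears the second finding and leaves only the catch-all rule, which is the one to remove.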
As you can see, MX records for Hybrid deployments do not have a single solution that fits all scenarios. It all depends on your business and technical requirements, and on whether any third party products are involved in your mail routing. Always take the time to carefully plan your MX records and firewall rules for Exchange Hybrid deployments, to ensure you do not have any unwanted connections hitting the on-premises Exchange servers directly.