If you have an on-premises mail environment that you are protecting with Exchange Online Protection (EOP) then you’ll need to create some connectors in the cloud. This article is going to focus on EOP Outbound Connectors and how they deliver mail when configured with a smart host.
Keep in mind that with EOP connectors, the naming convention is EOP centric (from EOPs point of view). When we talk about incoming mail, we are referring to mail that has originated on the Internet and is destined to our on-premises mail servers. This Internet originating message will be directed to EOP first because this is where your MX record is pointing. Once EOP processes the message, it needs an Outbound Connector to deliver the message to your on-premises mail environment. Here’s what we’re looking at.
Because your MX record will be pointed towards EOP, the EOP Outbound Connector (type is on-premises) will need a smart host to be able to deliver mail to your on-premises mail environment. For the smart host, you can enter either an IP or a Fully Qualified Domain Name (FQDN).
How does the lookup for the FQDN smart host work? Does the EOP Outbound Connector look up the MX record or the A record for the smart host FQDN?
The Outbound Connector respects RFC 5321 section 5 which clearly states the following must happen once the recipient domain is known.
- Look up the MX record of the recipient domain.
- If no MX is present, lookup the A record and if present, treat this as the MX record.
- If an MX record is present, clients MUST NOT use the A record.
Note: In our scenario we are using a smart host and not the recipient domain to determine routing, however this same MX/A logic still applies.
Because the EOP Outbound connector first does an MX lookup on the smart host FQDN, MX priorities are also respected just like you would expect. This in a nutshell is exactly what an EOP Outbound Connector does when it finds an FQDN entered for the smart host.