How to block direct delivery to email address with the suffix as domain.onmicrosoft.com or domain.mail.onmicrosoft.com


We Often come across a scenario where in we are in the process of migrating mailboxes to Exchange Online and to ensure compliance, we want all inbound emails for external sources to be processed by an in house SMTP gateway.

This is not an issue for domains that we own in Hybrid setup as we have complete control on the MX record but that is not the case for 2 additional domains made available when we subscribe to a tenant and once we enable DirSync

domain.onmicrosoft.com (made available as part of tenant subscription)
domain.mail.onmicrosoft.com (when DirSync is enabled)

Mailboxes provisioned in Exchange Online or Moved to Exchange Online by setting up Hybrid can have 2 additional SMTP addresses one with the suffix as domain.omicrosoft.com and the other one with the suffix as domain.mail.onmicrosoft.com

External recipients can send emails to these secondary SMTP addresses directly which can bypass in house SMTP gateway.

The below outlined procedure is only applicable to customers who do not want to move their MX record to EOP. If you have decided to change your MX to EOP for any of the domains added in office 365 then you should be fine in accepting emails directly on secondary SMTP addresses with the suffix as domain.onmicrosoft.com or domain.mail.onmicrosoft.com.

One thing to keep in mind is that we cannot make use of transport rules to block emails sent to secondary SMTP addresses with the suffix as domain.onmicrosoft.com or domain.mail.ommicrosoft.com. The reason for this is that transport rules are processed post onresolveMessage event and when this happens the email address for the recipient changes to the PrimarySMTPAddress which will be having the suffix as domain.com.

Procedure to be followed

1.We have to setup an Inbound Partner connector and restrict the partner connector to IP Addresses or to Certificate. The sender domain address space on the Inbound Connector has to be set as *. The procedure is based on the assumption that we have a setup in which we have exectued Hybrid Configruation Wizard successfully.

2.We can run  the below command lets which will provide us with a list of inbound connectors setup by Hybrid Configuration Wizard. If we have Hybrid setup across multiple Exchange Organization then we can see more than one entry.
$onpremiseorg=Get-OnPremisesOrganization | Select-Object organizationguid,inboundconnector | where {$_.inboundconnector -ne $null}
$onpremiseorg

3. If the Inbound Connectors are setup by Hybrid Configuration Wizard then the attribute TlsSenderCertificateName would be mapped either to domain name included in subject or subject alternate name attribute of the 3 party certificate associated with Hybrid Configuration wizard or it will contain details of the 3 party certificate in the formart '<I>Issuer String<S>Subject Name string'

4. We can then setup in inbound partner connector using the below command let.

New-InboundConnector -Name 'Restrict Direct Delivery to Initial and Hybrid Co existence domain' -ConnectorType partner -SenderDomains * -TlsSenderCertificateName (Get-InboundConnector $onpremiseorg[0].InboundConnector).TlsSenderCertificateName -RestrictDomainsToCertificate $true -RequireTls $true

5. After this if we try to send an email to domain.onmicrosoft.com or domain.mail.onmicrosoft.com the sender should get NDR stating '550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set'

6. Emails destined to Exchange Online mailboxes to be routed to Exchange online through on premise Exchange servers included in Hybrid Configuration wizard will be attributed to the Inbound Connector setup through Hybrid Configuration Wizard.

7. For ensuring smoot email flow to Exchange Online via Exchange on premise, please ensure that the sending servers included with the send connector 'Outbound to Office 365' should have the 3rd Party certificate included in HCW imported and enabled for SMTP service.


Comments (0)

Skip to main content