How to Configure Exchange Online to Accept Emails from a SaaS Relay

Prerequisites

• Access to Microsoft 365 Admin Center and Exchange Admin Center (EAC).
• Static public IP address of the SaaS relay.
• Proper DNS configuration for SPF (Sender Policy Framework).
• Administrator permissions in Microsoft 365 tenant.

Step 1: Create a Connector in Exchange Online

1. Log in to the Exchange Admin Center ([https://admin.exchange.microsoft.com](https://admin.exchange.microsoft.com)).

2. Navigate to Mail Flow > Connectors.

3. Click Add a connector.

4. Choose:

* From: Your organization's email server

* To: Office 365

5. Click Next.

Step 2: Configure Connector Settings

1. Provide a name for the connector (e.g., _SaaS Relay Connector_).

2. Select By verifying the IP address of the sending server.

3. Add the static IP address of your SaaS relay.

4. Click Next and then Create.

Step 3: Configure SPF Record

Update your domain's SPF record to include the SaaS relay IP address:

v=spf1 ip4:<SaaS_Relay_IP> include:spf.protection.outlook.com -all

Step 4: Authentication Options

• For additional security, consider using certificate-based authentication if supported by your SaaS relay.
• Alternatively, restrict by IP only (less secure).

Step 5: Test the Configuration

1. Send a test email from a legacy application through the SaaS relay.

2. Verify delivery in the Exchange Admin Center under Mail Flow > Message Trace.

Additional Recommendations

• Enable DKIM and DMARC for your domain for better email security.
• Monitor the connector regularly for any anomalies.

Note: Ensure that your SaaS relay does not allow open relay to prevent abuse.