About
If you use Microsoft 365 or Office 365 and have multi-factor authentication (MFA) enabled, you might run into errors when attempting to send emails through Insightly. To correct this, you will need to set up SMTP relay within Microsoft 365 or Office 365, then set up the account in Insightly in User Settings > Email Accounts.
In this article
How Microsoft 365 or Office 365 SMTP relay works
Features of Microsoft 365 or Office 365 SMTP relay
Requirements for Microsoft 365 or Office 365 SMTP relay
Limitations of Microsoft 365 or Office 365 SMTP relay
Settings for Microsoft 365 or Office 365 SMTP relay
Configuration instructions for SMTP relay
Configure a certificate-based connector to relay email through Microsoft 365 or Office 365
Set up your account to send email from Insightly
How Microsoft 365 or Office 365 SMTP relay works
SMTP relay lets Microsoft 365 or Office 365 relay emails on your behalf by using a connector that's configured with your public IP address or a TLS certificate.
Choose this option when:
- Your environment uses Microsoft Security Defaults or multi-factor authentication (MFA).
- SMTP client submission is not compatible with your business needs or with your device.
- You must send email to external recipients.
In the following diagram, the application or device in your organization's network uses a connector for SMTP relay to email recipients in your organization.
The Microsoft 365 or Office 365 connector that you configure authenticates your device or application with Microsoft 365 or Office 365 using an IP address. Your device or application can send email using any address (including ones that can't receive mail), as long as the address uses one of your domains.
The email address doesn't need to be associated with an actual mailbox. For example, if your domain is contoso.com, you could send from an address like do_not_reply@contoso.com.
Microsoft 365 or Office 365 SMTP relay uses a connector to authenticate the mail sent from your device or application. This allows Microsoft 365 or Office 365 to relay those messages to your own mailboxes and external recipients. Microsoft 365 or Office 365 SMTP relay is similar to direct send except that it can send mail to external recipients. Due to the added complexity of configuring a connector, direct send is recommended over Microsoft 365 or Office 365 SMTP relay, unless you must send email to external recipients.
To send email using Microsoft 365 or Office 365 SMTP relay, your device or application server must have a static IP address or address range. You can't use SMTP relay to send email directly to Microsoft 365 or Office 365 from a third-party hosted service, such as Microsoft Azure.
Features of Microsoft 365 or Office 365 SMTP relay
- Microsoft 365 or Office 365 SMTP relay does not require the use of a licensed Microsoft 365 or Office 365 mailbox to send emails.
- Microsoft 365 or Office 365 SMTP relay has higher sending limits than SMTP client submission; senders are not bound by the 30 messages per minute or 10,000 recipients per day limits.
Requirements for Microsoft 365 or Office 365 SMTP relay
Static IP address or address range: Most devices or applications are unable to use a certificate for authentication. To authenticate your device or application, use one or more static IP addresses that are not shared with another organization.
Connector: You must set up a connector in Exchange Online for email sent from your device or application.
Port: Port 25 is required and must not be blocked on your network or by your ISP.
Licensing: SMTP relay doesn't use a specific Microsoft 365 or Office 365 mailbox to send email. This means that users must have their own licenses if they send email from devices or applications that are configured for SMTP relay.
If you have senders who use a device or LOB application and those senders do not have Microsoft 365 or Office 365 mailbox licenses, obtain and assign an Exchange Online Protection license to each unlicensed sender. This is the least expensive license that allows you to send email via Microsoft 365 or Office 365.
Limitations of Microsoft 365 or Office 365 SMTP relay
- Sent mail can be disrupted if your IP addresses are blocked by a spam list.
- Reasonable limits are imposed for sending. For more information, see High-risk delivery pool for outbound messages.
- Requires static unshared IP addresses (unless a certificate is used).
Settings for Microsoft 365 or Office 365 SMTP relay
Device or application setting | Value |
Server/smart host | Your MX endpoint. For example, yourdomain-com.mail.protection.outlook.com |
Port | Port 25 |
TLS/StartTLS | Enabled |
Email address | Any email address in one of your Microsoft 365 or Office 365 verified domains. This email address does not need a mailbox. |
If you already have a connector that's configured to deliver messages from your on-premises organization to Microsoft 365 or Office 365 (for example, a hybrid environment), you probably don't need to create a dedicated connector for Microsoft 365 or Office 365 SMTP relay. If you need to create a connector, use the following settings to support this scenario:
Connector setting | Value |
From | Your organization's email server |
To | Microsoft 365 or Office 365 |
Domain restrictions: IP address/range | Your on-premises IP address or address range that the device or application will use to connect to Microsoft 365 or Office 365 |
We recommend adding an SPF record to avoid having messages flagged as spam. If you are sending from a static IP address, add it to your SPF record in your domain registrar's DNS settings as follows:
DNS entry | Value |
SPF | v=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all |
Configuration instructions for SMTP relay
- Obtain the public (static) IP address that the device or application will send from. A dynamic IP address isn't supported or allowed. You can share your static IP address with other devices and users, but don't share the IP address with anyone outside of your company. Make a note of this IP address for later.
- Sign in to the Microsoft 365 admin center.
- Go to Settings > Domains, select your domain, and find the MX record. The MX record will have a "Points to address or value" value that looks similar to contoso-com.mail.protection.outlook.com.
- Make a note of the MX record's "Points to address or value" value, which we refer to as your MX endpoint.
- Check that the domains that the application or device will send to have been verified. If the domain is not verified, emails could be lost, and you won't be able to track them with the Exchange Online message trace tool.
- In Microsoft 365 or Office 365, select Admin and then Exchange to go to the Exchange admin center.
- In the Exchange admin center, go to Mail flow > Connectors.
- Check the list of connectors set up for your organization. If there is no connector listed from your organization's email server to Microsoft 365 or Office 365, create one:
- To start the wizard, click the plus symbol +.
- On the first screen, choose the options that are depicted in the following screenshot:
- Click Next, and give the connector a name.
- On the next screen, choose By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization and add the IP address from step 1.
- Leave all the other fields with their default values, and select Save.
- Now that you are done with configuring your Microsoft 365 or Office 365 settings, go to your domain registrar's website to update your DNS records. Edit your SPF record. Include the IP address that you noted in step 1. The finished string should look similar to this: v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all, where 10.5.3.2 is your public IP address. Skipping this step can cause email to be sent to recipients' junk mail folders.
- Now, go back to the device, and in the settings, find the entry for Server or Smart Host, and enter the MX record POINTS TO ADDRESS value that you recorded in step 3.
- To test the configuration, send a test email from your device or application, and confirm that it was received by the recipient.
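Before sending the test email, the SPF record described in the settings table and in the DNS step above can be checked offline. The following is an added example, not part of the original article or of any Microsoft or Insightly tooling; the function name and the sample records are constructed for illustration, with 203.0.113.10 standing in for your static IP. It also flags RFC 1918 private addresses, since the procedure calls for the public static address.

```python
import ipaddress

M365_INCLUDE = "include:spf.protection.outlook.com"  # from the article's SPF value
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_relay_spf(record, relay_ip):
    """Return a list of problems; an empty list means the record fits the relay setup."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    ip = ipaddress.ip_address(relay_ip)
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"{ip} is an RFC 1918 private address; use the public static IP")
    covered = has_include = False
    all_qualifier = None
    for pos, raw in enumerate(terms[1:], start=1):
        term = raw.lower()
        qualifier = "+"  # SPF default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                problems.append(f"unparseable mechanism: {raw}")
                continue
            if qualifier == "+" and ip in net:
                covered = True
        elif term == M365_INCLUDE and qualifier == "+":
            has_include = True
        elif term == "all":
            all_qualifier = qualifier
            if pos != len(terms) - 1:
                problems.append("mechanisms after 'all' are never evaluated")
    if not covered:
        problems.append(f"no ip4/ip6 mechanism covers {ip}")
    if not has_include:
        problems.append(f"missing {M365_INCLUDE}")
    if all_qualifier not in ("~", "-"):
        problems.append("record should end in ~all or -all")
    return problems

# Constructed sample records (not taken from a real domain).
GOOD = "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all"
NO_IP = "v=spf1 include:spf.protection.outlook.com ~all"

if __name__ == "__main__":
    for rec in (GOOD, NO_IP):
        print(rec, "->", check_relay_spf(rec, "203.0.113.10") or "OK")
```

Paste the TXT value your registrar shows as `record` and the address noted in step 1 as `relay_ip`.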
Configure a certificate-based connector to relay email through Microsoft 365 or Office 365
If your devices or applications are capable of using a certificate for mail flow, you can configure a certificate-based connector to relay email through Microsoft 365 or Office 365. To do this, verify the subject name on the certificate used by the sending device or application. The common name (CN) or subject alternative name (SAN) in the certificate should contain a domain name that you have registered in Microsoft 365 or Office 365. You must create a certificate-based connector in Microsoft 365 or Office 365 with this same domain name to accept and relay emails coming from these devices, applications, or any other on-premises server.
Set up your account to send email from Insightly
- Go to User Settings > Email Accounts.
- Select your email service. For SMTP connections, select the Other option.
- Enter your server name and click Next.
- You'll be prompted for your port number and other login information. Click Add Account.
- Insightly will send you a verification email and the new account will appear in the Email Accounts list. If you don't receive an email, try deleting the account and adding it again.
If your account does not appear immediately or you see an error message, check your email inbox.