Mail flow in Exchange Online (EXO) looks simple from the admin center until you bolt on a third-party security gateway, a hybrid Exchange Server, and a dozen transport rules — then a single misconfigured connector loops half your inbound mail or strips every sender’s reputation. This guide builds a predictable pipeline end to end, with the connectors, enhanced filtering, prioritized rules, and routing decisions that survive a real cutover.
Everything here uses the Exchange Online PowerShell V3 module (
ExchangeOnlineManagement). The admin-center UI is fine for a quick look, but connectors and rules are configuration-as-intent — script them so they are reviewable and repeatable.
Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
1. Map the EXO mail flow pipeline before you change anything
Inbound mail does not just “arrive in a mailbox.” It traverses an ordered pipeline, and every feature you configure plugs into a specific stage. Internalize the order or you will fight phantom behavior:
- Receive (connector match) — EXO accepts the SMTP session on its MX endpoint (
*.mail.protection.outlook.com). If the source matches an inbound connector (by sender IP or certificate), that connector’s settings apply. - Anti-malware and EOP filtering — Exchange Online Protection scans the message and stamps the SCL (Spam Confidence Level) and related headers.
- Transport rule agent — your mail flow rules (formerly transport rules) evaluate in priority order.
- Categorizer / routing — the message is resolved to a recipient and a next hop is chosen. This is where an outbound connector (centralized routing, smart host) or hybrid routing decides where the message physically goes.
- Delivery — to a mailbox, to the on-premises org, or out to the internet / a gateway.
The two failure modes that dominate support tickets both come from misunderstanding this order: filtering that runs before you wanted it to (so your gateway’s verdict is ignored), and rules that collide because two of them claim the same priority slot. We address both below.
| Component | Cmdlet noun | Scope |
|---|---|---|
| Inbound connector | *-InboundConnector |
How partner/on-prem mail enters EXO |
| Outbound connector | *-OutboundConnector |
How EXO sends to a gateway / on-prem / partner |
| Mail flow rule | *-TransportRule |
In-transit conditions, actions, exceptions |
| Accepted domain | *-AcceptedDomain |
Authoritative vs internal relay |
| Remote domain | *-RemoteDomain |
Per-destination formatting/NDR behavior |
2. Build connectors for a third-party security gateway
The classic enterprise topology routes inbound internet mail through a gateway (Proofpoint, Mimecast, Cisco, etc.) and then into EXO, and routes outbound EXO mail back out through that same gateway. That is two connectors.
Inbound connector (gateway -> EXO)
Restrict who is allowed to deliver to your tenant as authenticated partner traffic. Lock it to the gateway’s published sending IPs:
New-InboundConnector -Name "Inbound from Security Gateway" `
-ConnectorType Partner `
-SenderDomains '*' `
-SenderIPAddresses '198.51.100.0/24','203.0.113.0/24' `
-RestrictDomainsToIPAddresses $true `
-RequireTls $true `
-TlsSenderCertificateName 'mail.gateway-vendor.com'
RestrictDomainsToIPAddresses $true is the load-bearing flag: it tells EXO to reject mail claiming to be from your accepted domains unless it arrives from these IPs. That single setting blocks a huge class of inbound spoofing that pretends to originate inside your org.
Outbound connector (EXO -> gateway)
Route everything leaving the tenant to the gateway’s inbound MX or smart host:
New-OutboundConnector -Name "Outbound to Security Gateway" `
-ConnectorType Partner `
-UseMxRecord $false `
-SmartHosts 'outbound.gateway-vendor.com' `
-TlsSettings DomainValidation `
-TlsDomain 'gateway-vendor.com' `
-RecipientDomains '*' `
-IsTransportRuleScoped $false
Set
IsTransportRuleScoped $trueif you want a mail flow rule to select which messages use this connector (via the “Route the message using the connector” action) rather than blanket-routing all outbound traffic. That is how you do conditional routing — covered in section 6.
Finally, update your public MX record to point at the gateway, not at contoso-com.mail.protection.outlook.com. The gateway becomes the front door; EOP becomes a second layer behind it.
3. Enhanced filtering: stop the gateway from blinding EOP
Here is the subtlety that breaks most gateway deployments. When mail enters EXO through your inbound connector, EXO sees the last hop — the gateway’s IP — as the sender. It runs its IP-reputation and SPF checks against the gateway, not the actual originating server. Result: every message looks like it came from one trusted source, SPF effectively passes for everyone, and SCL accuracy collapses.
Enhanced Filtering for Connectors (also called skip listing) fixes this. You tell EXO how many hops to skip — or which IPs to ignore — so it evaluates the real sender:
Set-HostedConnectionFilterPolicy -Identity Default `
-EnableSafeList $false
# Skip the gateway IPs so EOP reads the true originating IP
Set-InboundConnector -Identity "Inbound from Security Gateway" `
-EFSkipLastIP $true `
-EFSkipMailGateway $false
If your gateway adds a predictable number of hops, skip by count instead of relying on last-IP detection:
Set-InboundConnector -Identity "Inbound from Security Gateway" `
-EFSkipLastIP $false `
-EFSkipIPs '198.51.100.0/24','203.0.113.0/24'
With enhanced filtering on, EOP restores accurate SPF/DKIM/DMARC evaluation and SCL stamping against the genuine source. Verify by inspecting Authentication-Results and X-MS-Exchange-SkipListedInternetSender in a message header after enabling it — the header confirms EOP saw past the gateway.
Do not simply IP-allow your gateway in the connection filter as a shortcut. That tells EOP to trust everything the gateway forwards, including the spam it failed to catch, and it suppresses your own DMARC enforcement.
4. Author and prioritize mail flow rules without collisions
Mail flow rules are an ordered list. Each rule has a unique integer Priority (0 is highest / evaluated first). Two design decisions prevent the chaos that creeps into mature tenants:
- Order from most-specific to most-general. A narrow rule (“from this partner, with this header”) must sit above a broad catch-all, or the catch-all swallows the message first.
- Use
StopRuleProcessingdeliberately. By default all matching rules apply. If a rule should be terminal — say, a quarantine-and-stop for a detected threat — set the “Stop processing more rules” action; otherwise downstream rules still fire on a message you already actioned.
Example: stamp an external-sender warning, but only for genuinely external mail, and skip mail already vetted by the gateway (which sets a known header):
New-TransportRule -Name "External Sender Warning" `
-Priority 1 `
-FromScope NotInOrganization `
-SentToScope InOrganization `
-ExceptIfHeaderContainsMessageHeader 'X-Gateway-Verified' `
-ExceptIfHeaderContainsWords 'pass' `
-ApplyHtmlDisclaimerLocation Prepend `
-ApplyHtmlDisclaimerText '<div style="border:1px solid #d97706;padding:8px;">External sender. Do not click links or open attachments unless you trust the source.</div>' `
-ApplyHtmlDisclaimerFallbackAction Wrap
A few correctness notes that bite people:
FromScope NotInOrganizationkeys off authentication and accepted domains, not the visible From address — which is exactly why it survives spoofing better than matching on a sender string.ApplyHtmlDisclaimerFallbackAction Wrapmatters: if EXO cannot inject HTML (signed/encrypted mail), it wraps the original as an attachment rather than silently dropping the disclaimer or rejecting the message.- Reordering is just a priority rewrite. Lowering a number moves a rule up and pushes the others down:
Set-TransportRule -Identity "External Sender Warning" -Priority 0
Get-TransportRule | Sort-Object Priority |
Format-Table Priority, Name, State, Mode
Stage new rules in TestWithoutNotifications mode (
-Mode AuditAndNotifyor-Mode Audit) first. You get message-trace evidence of what would have matched without impacting users — essential before a rule that blocks or redirects.
5. Centralized mail transport vs direct send in hybrid coexistence
In a hybrid org (Exchange Server + EXO), outbound routing has two models, and choosing wrong creates compliance gaps or unnecessary latency.
Direct send (default hybrid behavior): EXO mailboxes send outbound internet mail directly from Exchange Online to the recipient’s MX. Fast, fewer moving parts. Choose this when your on-prem environment has no outbound-path requirement.
Centralized Mail Transport (CMT): EXO routes all outbound mail back through the on-premises Exchange org before it reaches the internet. You enable it on the hybrid configuration:
Set-HybridConfiguration -CentralizedTransportEnabled $true
CMT is the right call only when you have a hard requirement that on-prem must touch every message — a perimeter DLP appliance, an archiving/journaling appliance, or a smart host that only on-prem can reach. The cost is real: every outbound message makes a round trip to your datacenter, so on-prem outages become EXO outbound outages, and you add latency to mail that had no reason to leave the cloud.
| Direct send | Centralized Mail Transport | |
|---|---|---|
| Outbound path | EXO -> internet | EXO -> on-prem -> internet |
| Latency | Lower | Higher (datacenter round trip) |
| On-prem dependency for cloud mail | None | Hard dependency |
| Use when | No on-prem path requirement | Perimeter DLP / journaling / legacy smart host |
The Hybrid Configuration Wizard (HCW) builds the on-prem<->EXO connector pair (OnPremises connector type, certificate-authenticated) for you. Let it. Hand-editing HCW-managed connectors is a common way to break hybrid mail flow — if you need a change, re-run the wizard.
6. Conditional routing: domains, distribution groups, and exceptions
Selective routing is where transport rules and scoped connectors combine. Suppose mail to a specific partner domain must egress through a dedicated compliant connector, while everything else uses the default gateway. Scope the connector to rules, then write the rule that selects it:
# Connector is inert until a rule routes to it
New-OutboundConnector -Name "Route to Partner X" `
-ConnectorType Partner -UseMxRecord $false `
-SmartHosts 'mx.partner-x.example' `
-TlsSettings DomainValidation -TlsDomain 'partner-x.example' `
-RecipientDomains 'partner-x.example' `
-IsTransportRuleScoped $true
New-TransportRule -Name "Force Partner X via dedicated connector" `
-Priority 0 `
-RecipientDomainIs 'partner-x.example' `
-RouteMessageOutboundConnector "Route to Partner X" `
-ExceptIfSentToMemberOf 'NoSpecialRouting@contoso.com'
Common conditional patterns and the predicates that implement them:
- By recipient domain —
RecipientDomainIs/RecipientAddressContainsWords. - By distribution group membership —
SentToMemberOf(andExceptIfSentToMemberOffor carve-outs). Note this expands the group at evaluation time. - By sender attribute —
SenderADAttributeContainsWords/FromMemberOf, e.g. route Legal department mail differently. - Exceptions always win. Within a single rule, an
ExceptIf...predicate overrides the match. Use that for the inevitable “everyone except these three mailboxes” requirement rather than authoring a second contradictory rule.
Keep routing rules at the top of the priority list and consider
StopRuleProcessingon them. A message that has been deliberately routed should usually not be re-evaluated by content rules that might re-route or block it.
Enterprise scenario
A financial-services org (~28k mailboxes) routed all inbound mail through Mimecast into EXO. After the gateway connector went live, internal DMARC dashboards showed spf=fail on a flood of legitimate partner mail, and the security team nearly forced p=reject org-wide — which would have bounced real invoices. Root cause: enhanced filtering was off, so EOP scored Mimecast’s egress IPs as the sender. Every message inherited one reputation; SPF was being evaluated against the gateway, not the originator.
The fix was not “trust the gateway.” We enabled skip-listing scoped to Mimecast’s published ranges only, pulled from their portal (they rotate them, so we wired a monthly diff against their published list into the connector config):
Set-InboundConnector -Identity "Inbound from Mimecast" `
-EFSkipLastIP $false `
-EFSkipIPs '207.211.30.0/23','207.211.40.0/24','146.101.78.0/24'
Get-InboundConnector "Inbound from Mimecast" | Select EFSkipIPs,EFSkipLastIP
The gotcha that cost a day: EFSkipLastIP $true and explicit EFSkipIPs are mutually exclusive in behavior — last-IP detection picked the wrong hop because Mimecast injected an internal load-balancer address as the final Received line, so EOP skipped past it to an RFC1918 IP and scored nothing. Pinning explicit CIDRs and setting EFSkipLastIP $false made Authentication-Results resolve against the genuine sender. Within an hour, X-MS-Exchange-SkipListedInternetSender appeared with real originating IPs, SPF/DKIM/DMARC went accurate, and the team rolled DMARC to p=reject two weeks later with confidence instead of guesswork.
Verify
Validate the whole pipeline before declaring victory. Do not trust the UI’s green checkmarks alone.
Connector configuration and validation:
Get-InboundConnector | Format-List Name,SenderIPAddresses,RequireTls,RestrictDomainsToIPAddresses,EFSkipLastIP,EFSkipIPs
Get-OutboundConnector | Format-List Name,SmartHosts,TlsSettings,IsTransportRuleScoped,RecipientDomains
# EXO will send a synthetic test message through the outbound connector
Validate-OutboundConnector -Identity "Outbound to Security Gateway" `
-Recipients 'probe@contoso.com'
Trace a real message end to end (modern, async trace for the last 10 days):
Start-HistoricalSearch -ReportTitle "Inbound flow check" `
-StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
-ReportType MessageTrace -SenderAddress 'sender@partner.example'
# Or the synchronous trace for recent mail:
Get-MessageTraceV2 -SenderAddress 'sender@partner.example' `
-StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
Select-Object Received,SenderAddress,RecipientAddress,Status,FromIP,ToIP
Read the message header to confirm filtering and routing did what you intended. Save the raw header from a delivered message and check, at minimum:
Authentication-Results:—spf=,dkim=,dmarc=reflect the true sender (enhanced filtering working).X-Forefront-Antispam-Report:—SCL=andCAT=show EOP’s verdict.Received:chain — confirms the hop path (gateway -> EXO, or EXO -> on-prem under CMT).X-MS-Exchange-Transport-Rules-Loop— its presence is a red flag for looping (see Pitfalls).
Paste the header into Message Header Analyzer (the Insights report in the Microsoft Remote Connectivity Analyzer) for a parsed view of delay between hops. Use the same Remote Connectivity Analyzer’s Inbound SMTP test to validate your MX, TLS, and that the gateway accepts mail before you flip production MX.
Cutover checklist
Pitfalls
Mail loops. The classic loop is an MX pointing at the gateway, a gateway configured to send to EXO, and EXO configured to send back out through the gateway for internal domains. EXO detects excessive Received hops and NDRs the message (550 5.4.x loop). Prevention: keep your accepted domains Authoritative in EXO (so EXO delivers internal recipients locally and never re-routes them outbound), and ensure the gateway routes your own domains only to EXO, never back to the internet.
Spurious NDRs after cutover. If outbound mail fails immediately, check the outbound connector’s TlsDomain against the certificate the smart host actually presents — a mismatch causes 4.4.x/5.4.x TLS failures. For 550 5.7.x rejections, confirm the destination gateway IP-allows EXO’s outbound ranges.
The “all mail suddenly looks clean / dirty” symptom is almost always enhanced filtering misconfigured — either off (EOP scoring the gateway) or skipping the wrong IPs (EOP scoring an internal relay). Re-check X-MS-Exchange-SkipListedInternetSender in headers.
Connector type confusion. A Partner inbound connector with no IP/cert restriction is an open door for spoofing. Always pair ConnectorType Partner inbound with either SenderIPAddresses + RestrictDomainsToIPAddresses or TlsSenderCertificateName.
Next steps
Layer DMARC enforcement (p=reject) once enhanced filtering confirms accurate authentication results, add a DLP policy that rides the same transport pipeline, and set per-destination Set-RemoteDomain behavior (auto-reply, NDR, and TNEF handling) for partners that mishandle rich-text mail.