MC266466: New outbound relay pool

We’re making some changes to harden the configuration for relaying or forwarding emails through Office 365. Starting July 27, 2021, we are updating special relay pools, a separate IP address pool that is used for relayed or forwarded emails that are sent from domains that are not a part of accepted domains in your tenant. Only messages that are sent from domains that are not accepted domains in your tenant are impacted by this change.

Affected Workloads

• Exchange Online

How this will affect your organization

When this change is implemented, messages that do not meet the below criteria will route through the Relay Pool and the messages might potentially end up in the recipient junk folder.

• Outbound sender domain is an accepted domain of the tenant.
• SPF passes when the message comes to M365.
• DKIM on the sender domain passes when the message comes to M365.

All messages that meet the above criteria will not be relayed through the Relay Pool. For relayed messages, we will skip SRS (Sender Rewriting Scheme) rewrite.

What you can do to prepare

When this change takes effect, you can tell a message was sent via the Relay Pool by looking at the outbound server IP (all Relay Pool IPs will be in the 40.95.0.0/16 range), or by looking at the outbound server name (will have “rly” in the name).

For the messages to go through the regular pool you will need to make sure when a message arrives to Microsoft Office 365, SPF or DKIM passes, or the sender domain of the outbound message matches an accepted domain of your tenant

For DKIM to work, make sure you enable DKIM for sending domains for example fabrikam.com is part of contoso.com accepted domains, if the sending address is sen[email protected], the DKIM needs to be enabled for fabrikam.com.

Learn more

• Use DKIM to validate outbound email sent from your custom domain
• Add a domain to Microsoft 365

Message ID: MC266466
Published: 02 July 2021
Updated: 02 July 2021