If you configured Office365 prior to September 2024, you should update your configuration there.
If you configured Office365 prior to January 2026, you should consider disabling DirectSend (see Step 4).
MailRoute Instructions for Configuring Microsoft Office 365/Exchange Online were updated in September 2024. If your MailRoute configuration was done prior to that time, we HIGHLY recommend that you update to the settings in this specific article. We have seen increased exploitation of the DirectSend feature as well, and as of January 2026, we recommend disabling that feature if it's not something you require.
Configuring Microsoft Office 365 for MailRoute takes a few steps. But it's important that they be done in order. This article makes it look like it's a lot, but we've tried to be very complete and show you each and every step along the way. It's not really that difficult.
The first step is to configure MailRoute for your inbound email flow. If you're a new customer, we may have already done this for you. If you are changing from another service or an in-house server, you may need to do this yourself (or ask us to help!)
Then we will set up Transports to handle inbound and outbound email flow, and a rule that prevents anyone from bypassing MailRoute and sending email directly to Microsoft.
Microsoft talks about some of this stuff in their article "Managing mail flow using a third-party cloud service with Exchange Online".
We're going to do these things in order:
- Configure MailRoute with your Inbound Email Server
- Change your MX record to mail.mailroute.net
- Add your SPF, DKIM, DMARC, and ADSP records to your DNS server
- Create Inbound and Outbound Connectors to allow Microsoft to identify that your incoming mail is coming from a trusted partner and that they should relay your outbound mail out there too.
Step 1. (Which we may have already done for you!) - Configure Inbound Email Server in MailRoute Control Panel
Locate your Office 365 mailserver hostname in the Microsoft 365 Admin Center: https://admin.microsoft.com/#/Domains
Select your domain, and then click DNS records. You'll find your inbound Office 365 mailserver listed in the MX record under Microsoft Exchange. It will look something like this: example-com02c.mail.protection.outlook.com
Visit the MailRoute Admin center at https://admin.mailroute.net, select Domains at the top, and then click on your domain in the list.
Then choose Inbound Servers from the menu at the left, and click the Add button:
Enter the Office 365 mailserver, set the priority to 10, and click Save:
Set your Server Type by clicking the edit button, and then setting the Type to Office 365 and then clicking Save.
Note: MailRoute will automatically recognize that you are relaying email out from Microsoft, so there is no need to set up an Outbound server in the MailRoute Control Panel for your outbound mail.
Step 2. Change your MX Record to mail.mailroute.net
This will start the flow of email through MailRoute!
We have articles on how to do this for many common DNS providers at https://support.mailroute.net/hc/en-us/sections/205311968-Changing-MX-Records
Step 3. Add SPF, DKIM, DMARC, and ADSP records
To properly protect your outbound mail, add your SPF, DKIM, DMARC, and ADSP records while you're in there changing your MX record.
If you're interested, we have a primer on what all these are for here: https://support.mailroute.net/hc/en-us/articles/360061128614-Email-Authentication-An-Explanation-and-Exploration
We have Knowledge Base articles for each of these:
- https://support.mailroute.net/hc/en-us/articles/360021568194-Setting-Your-SPF
- https://support.mailroute.net/hc/en-us/articles/115009100687-Implementing-DKIM
- https://support.mailroute.net/hc/en-us/articles/360062946093-Implementing-DMARC-for-the-MailRoute-Outbound-SmartHost-Service
Step 4. Configure Inbound and Outbound Connectors
Step-by-step Directions:
Create a new Inbound Connector using PowerShell
- If you have an old MailRoute Inbound Connector created before September 2024, you must delete it and set up a new connector using this new configuration. Visit https://admin.exchange.microsoft.com/#/connectors, select the connector, and then select the small trashcan icon in the detail panel on the right to delete the connector.
- Install PowerShell if you don't already have it.
  - Windows: https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4
    For Windows 11 and later: Install from the Microsoft Store, or you can try:
    winget install --id Microsoft.PowerShell --source winget
    For other versions of Windows, see the above article.
  - Mac and Linux: https://github.com/PowerShell/PowerShell/releases/tag/v7.4.5
- Run powershell
  - Windows: In a Windows command shell, type "PowerShell"
  - Mac and Linux: In a terminal window, type "pwsh"
- In your bright, shiny new powershell window, install the Exchange Online powershell cmdlets and install a new connector:
  Install-Module ExchangeOnlineManagement
- Authenticate to Exchange Online:
  Connect-ExchangeOnline -UserPrincipalName <your exchange admin login>
This will open a browser window so you can login to your Exchange Online account. When you complete logging in, you can close the browser window and return to your powershell window.
Note: If you are in Germany, China, or using GCC High or GCC DOD, you must also specify your ExchangeEnvironmentName, like this (this is not required for regular Office 365 or Office 365 GCC):
Connect-ExchangeOnline -UserPrincipalName <your exchange admin login> -ExchangeEnvironmentName O365USGovGCCHigh
The choices for ExchangeEnvironmentName are:
Microsoft 365 or Microsoft 365 GCC: <Not required>
Office 365 Germany: O365GermanyCloud
Office 365 operated by 21Vianet: O365China
Microsoft 365 GCC High: O365USGovGCCHigh
Microsoft 365 DoD: O365USGovDoD
- Now create a new connector:
New-InboundConnector -Name "MailRoute Inbound" -ConnectorType Partner -SenderDomains * -RestrictDomainsToCertificate $true -TlsSenderCertificateName *.mailroute.net -RequireTls $true -EFSkipIPS 199.89.0.0/21
This connector accepts mail only over TLS-encrypted connections from servers that present a MailRoute TLS certificate, which prevents other sites from connecting directly to MS Exchange Online and transferring mail to you, bypassing your filtering. This also sets up the "Advanced Filtering" for Microsoft Defender.
This can take a minute or two to run.
- Verify that the connector is in place and looks correct:
Get-InboundConnector -Identity "MailRoute Inbound" | Format-List *
Enabled : True
ConnectorType : Partner
ConnectorSource : Default
...
SenderDomains : {smtp:*;1}
...
RequireTls : True
RestrictDomainsToIPAddresses : False
RestrictDomainsToCertificate : True
TlsSenderCertificateName : *.mailroute.net
...
...
Name : MailRoute Inbound
...
- Now add mailroute.net as a "Trusted ARC Sealer".
Microsoft recommends this in their article about managing mail flow while using third-party services, and here is a Microsoft article about Improving “Defense in Depth” with Trusted ARC Sealers.
Microsoft also recommends that you add third-party services that modify messages in transit as Trusted ARC sealers, if the service supports ARC sealing. Adding the service as a trusted ARC sealer helps affected messages pass email authentication checks, and helps prevent legitimate messages from being delivered to the Junk Email folder, quarantined, or rejected.
If you don't have any Trusted ARC Sealers set, or if you want to replace yours with the MailRoute entry, you can use this powershell command:
Set-ArcConfig -Identity Default -ArcTrustedSealers "mailroute.net"
OR
If you already have Trusted ARC Sealers and you want to add MailRoute to the list, you can use this bit of code instead. It will retrieve any existing list, add mailroute.net to the list, and then set ArcTrustedSealers to the full list of trusted sealers:
$DomainsAdd = @(Get-ArcConfig | select -Expand ArcTrustedSealers)
$DomainsAdd += "mailroute.net"
Set-ArcConfig -Identity Default -ArcTrustedSealers $DomainsAdd
Disable Microsoft DirectSend (recommended)
This can provide a route for messages to come directly into your Exchange Online servers, bypassing MailRoute. Unless you require DirectSend support for internal or partner tools, we recommend disabling the DirectSend feature.
In April 2025, Microsoft added a way to disable DirectSend, as per this MS Article: "Introducing More Control Over Direct Send in Exchange Online". They added more context in August 2025 in the article "Direct Send vs. Sending Directly to an Exchange Online Tenant".
Set-OrganizationConfig -RejectDirectSend $true
This change can take 30 minutes to propagate throughout the Exchange Online Network.
NOTE: The RejectDirectSend setting is currently not enabled for GCC-High, DoD and USNat/USSec environments.
Step 5. Configure Outbound Connector
Creating Outbound Connector using PowerShell
Since you may already be in powershell, you can create your outbound connector from here:
New-OutboundConnector -Name "MailRoute Outbound" -ConnectorType Partner -RecipientDomains * -SmartHosts outbound.mailroute.net -UseMXRecord $false -TlsSettings DomainValidation -TlsDomain *.mailroute.net
This creates an outbound connector that will route all your traffic out to outbound.mailroute.net, and requires that the server have a valid mailroute.net TLS certificate.
If you hate powershell, and want to do it by hand, you can do this from the online webadmin:
Creating Outbound Connector using the Exchange Online webadmin
- If you're not still there, visit https://admin.exchange.microsoft.com/#/connectors to manage your connectors.
- Click Add a connector
- In the New connector window, choose Connection from Office 365 and Connection to Partner organization, and click Next:
- Give your connector a name like MailRoute Outbound, be sure Turn it on is selected, and then click Next:
- In Use of connector, choose Only when email messages are sent to these domains. Then enter * in the text field and click the + (plus) icon to add this sender domain:
- After it's added, click Next:
- On the Routing window, choose Route email through these smart hosts, enter outbound.mailroute.net into the text field and click the + (plus) icon to add this SmartHost:
- Now that it's been added, click Next:
- Under Security restrictions, choose Always use Transport Layer Security..., and then Issued by a trusted certificate authority (CA) and Add the subject name or subject alternative name (SAN) matches the domain name and enter *.mailroute.net into the text field, and click Next:
- In Validation email, enter an email address that is outside your own domain for testing. You can use the same one as we do here, if you would like (test@mailroute.net). Enter the email address into the text field, and then click + (the plus symbol) to add the address:
- Then click Validate and wait a bit for the test to run.
- Once it's done, and it shows that it's successful, click Next:
- In Review connector, make sure it all looks good, and hit Create connector, and then press Next to finish this up!
And you're done!
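To confirm the end state of Steps 4 and 5, the following added PowerShell example (not MailRoute's or Microsoft's own code) compares the inbound connector, ARC, Direct Send and outbound connector settings against the values this article sets. Compare-Setting and Test-MailRouteConfig are hypothetical helper names, and the sample objects are constructed so the script runs without a tenant.

```powershell
# Added example. Compare-Setting and Test-MailRouteConfig are hypothetical helper
# names defined here; they are not Exchange Online cmdlets.
function Compare-Setting($Area, $Setting, $Actual, $Expected) {
    [pscustomobject]@{
        Area = $Area; Setting = $Setting; Expected = "$Expected"
        Actual = "$Actual"; Pass = ("$Actual" -eq "$Expected")
    }
}

function Test-MailRouteConfig($Inbound, $Outbound, $OrgConfig, $ArcConfig) {
    # Inbound: only TLS sessions presenting a *.mailroute.net certificate get in.
    Compare-Setting Inbound Enabled $Inbound.Enabled $true
    Compare-Setting Inbound RequireTls $Inbound.RequireTls $true
    Compare-Setting Inbound RestrictDomainsToCertificate $Inbound.RestrictDomainsToCertificate $true
    Compare-Setting Inbound TlsSenderCertificateName $Inbound.TlsSenderCertificateName '*.mailroute.net'
    $skip = @($Inbound.EFSkipIPs | ForEach-Object { "$_" }) -contains '199.89.0.0/21'
    Compare-Setting Inbound 'EFSkipIPs has 199.89.0.0/21' $skip $true
    # ARC: the property may come back as a list or as one comma-separated string.
    $sealers = "$($ArcConfig.ArcTrustedSealers)" -split '[,\s]+'
    Compare-Setting ARC 'mailroute.net trusted' ($sealers -contains 'mailroute.net') $true
    # Direct Send is the remaining path around the connector.
    Compare-Setting Org RejectDirectSend $OrgConfig.RejectDirectSend $true
    # Outbound: everything leaves via the smart host with certificate validation.
    Compare-Setting Outbound Enabled $Outbound.Enabled $true
    Compare-Setting Outbound SmartHosts $Outbound.SmartHosts 'outbound.mailroute.net'
    Compare-Setting Outbound UseMXRecord $Outbound.UseMXRecord $false
    Compare-Setting Outbound TlsSettings $Outbound.TlsSettings 'DomainValidation'
    Compare-Setting Outbound TlsDomain $Outbound.TlsDomain '*.mailroute.net'
}

# Constructed sample objects (not real tenant output). RejectDirectSend is left
# at $false on purpose so the report shows one failing row.
$in  = [pscustomobject]@{ Enabled = $true; RequireTls = $true
    RestrictDomainsToCertificate = $true
    TlsSenderCertificateName = '*.mailroute.net'; EFSkipIPs = @('199.89.0.0/21') }
$out = [pscustomobject]@{ Enabled = $true; SmartHosts = @('outbound.mailroute.net')
    UseMXRecord = $false; TlsSettings = 'DomainValidation'; TlsDomain = '*.mailroute.net' }
$org = [pscustomobject]@{ RejectDirectSend = $false }
$arc = [pscustomobject]@{ ArcTrustedSealers = 'example.org,mailroute.net' }

Test-MailRouteConfig $in $out $org $arc | Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline:
# Test-MailRouteConfig (Get-InboundConnector -Identity 'MailRoute Inbound') `
#     (Get-OutboundConnector -Identity 'MailRoute Outbound') `
#     (Get-OrganizationConfig) (Get-ArcConfig) | Where-Object { -not $_.Pass }
```

In environments where RejectDirectSend is not enabled (see the note in Step 4), expect that row to fail.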
Start a free 30-day trial today.
Contact sales@mailroute.net or support@mailroute.net for more information.