Recently we looked at the high-level technical implications of a hybrid Office 365/Exchange on-premises deployment.  We covered many technical facts, but of those, securing the mail flow between your two sites should be front and center.  In a hybrid deployment, your internal messages may traverse the internet.  As security becomes more important to organizations, and as security breaches become more frequent, knowing how to secure Office 365 hybrid mail flow with TLS is crucial.

Secure Office 365 Hybrid Mail Flow TLS


Defining Secure Mail flow

So what is secure mail flow?  In a hybrid deployment your send connector is configured with the host name of the on-premises organization, and mail arriving over that connector is treated differently: it is trusted as internal and bypasses the anti-spam filters.  Because that mail crosses the internet, hybrid configurations secure the connector with TLS certificates to ensure that messages are encrypted during transit.

Secure Mail flow 3rd party certificates checklist

Knowing what type of certificate to choose, and how to monitor it, is key to successful secure mail flow.

  • SSL/TLS certificate – the Subject Name or Subject Alternative Name must match the FQDN of the remote server
  • Where to find a certificate? – use a 3rd party certificate provider that publishes an active certificate revocation list
  • Check routinely for expiration – an expired certificate will not work, and mail flow over the connector stops with it
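The checklist above can be turned into a routine audit on the on-premises side. The following script is an added example written for this page, not code from the original post; it is meant to be run from the Exchange Management Shell. The host name, connector name pattern and warning window are placeholders and assumptions, not values taken from the post; adjust them to your environment.

```powershell
# Added example (not from the original post): audit the hybrid send connector and
# the SMTP certificate(s) against the checklist, from the Exchange Management Shell.
# Assumptions / placeholders (not values from the post):
#   $OnPremFqdn    - public FQDN of the on-premises org that Office 365 connects to
#   $ConnectorName - name pattern of the HCW-created send connector
param(
    [string]$OnPremFqdn    = 'mail.contoso.example',        # placeholder
    [string]$ConnectorName = 'Outbound to Office 365*',     # placeholder pattern
    [int]$WarnDays         = 30
)

$problems = @()

# 1. The hybrid send connector must require TLS and pin the certificate it presents.
$connector = Get-SendConnector | Where-Object { $_.Name -like $ConnectorName } | Select-Object -First 1
if (-not $connector) {
    $problems += "No send connector matching '$ConnectorName' found."
} else {
    if (-not $connector.RequireTLS) {
        $problems += "Send connector '$($connector.Name)' does not require TLS."
    }
    if ($connector.TlsAuthLevel -ne 'DomainValidation') {
        $problems += "Send connector '$($connector.Name)' TlsAuthLevel is '$($connector.TlsAuthLevel)', expected DomainValidation."
    }
    if (-not $connector.TlsCertificateName) {
        $problems += "Send connector '$($connector.Name)' has no TlsCertificateName; the server may present an arbitrary certificate."
    }
}

# 2. Every certificate enabled for SMTP is checked against the three checklist items.
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }
if (-not $smtpCerts) { $problems += 'No certificate is enabled for the SMTP service.' }

foreach ($cert in $smtpCerts) {
    $label = "Certificate $($cert.Thumbprint) ($($cert.Subject))"

    # Subject / SAN must contain the FQDN the remote side connects to.
    if ($cert.CertificateDomains -notcontains $OnPremFqdn) {
        $problems += "$label does not list $OnPremFqdn in its subject/SAN."
    }

    # A self-signed certificate has no issuing CA and no CRL; the checklist
    # calls for a third-party CA.
    if ($cert.IsSelfSigned) { $problems += "$label is self-signed; use a 3rd party CA." }

    # Expiry: warn before it lapses rather than after mail flow has broken.
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0) {
        $problems += "$label EXPIRED on $($cert.NotAfter)."
    } elseif ($daysLeft -lt $WarnDays) {
        $problems += "$label expires in $daysLeft days ($($cert.NotAfter))."
    }

    if ($cert.Status -ne 'Valid') { $problems += "$label has status '$($cert.Status)'." }
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: hybrid send connector and SMTP certificate(s) pass the checklist.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Scheduling this as a daily task with $WarnDays set to your renewal lead time catches the expiry case before it takes mail flow down; the TlsCertificateName check matters because without it the transport service may pick whichever SMTP-enabled certificate it likes, which can be a different one from the certificate Office 365 expects.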

Confirming Secure Office 365 Hybrid Mail Flow TLS

You can very simply confirm the level of security of your mail flow, once you have implemented it, by checking the message headers.  Here is an example:  let's say that we are both part of the same organization, my mailbox is on-premises, and yours is in Office 365.  Once you have received the message we can check its headers.  You should see the following in the message header, confirming that the message was treated as internal and was encrypted with TLS.

SMTP X-MS-Exchange-Org-AuthAs: Internal and was encrypted with TLS

If that statement exists in the message header, then you are good to go with TLS-secured message flow!
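Checking headers by eye works for one message; the script below, an added example that is not part of the original post, does the same check programmatically so it can be run over many messages. The full name of the header as Exchange writes it is X-MS-Exchange-Organization-AuthAs, and the TLS version and cipher of the SMTP session are recorded in the Received header written by the receiving Exchange server. The header block inside the script is constructed sample data with placeholder host names and addresses; in practice, paste the headers from Outlook (File > Properties > Internet headers) or read them from a saved .eml file.

```powershell
# Added example (not from the original post): check message headers for the two
# hybrid TLS indicators. $rawHeaders is CONSTRUCTED sample data with placeholder
# names; replace it with the headers of a real message.
$rawHeaders = @'
Received: from onprem01.contoso.example (203.0.113.10) by
 EXAMPLE-MB1.namprd00.prod.outlook.com (10.0.0.5) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.0.0;
 Mon, 1 Jan 2024 10:00:00 +0000
From: alice@contoso.example
To: bob@contoso.example
Subject: hybrid TLS test
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthSource: onprem01.contoso.example
'@

function Get-UnfoldedHeaders {
    # RFC 5322 folds long headers onto continuation lines that begin with
    # whitespace; join them back so that each header is a single line.
    param([string]$Text)
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s' -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += ' ' + $line.Trim()
        } elseif ($line.Trim()) {
            $unfolded.Add($line)
        }
    }
    return $unfolded
}

function Test-HybridTlsHeaders {
    param([string]$Text)
    $headers = Get-UnfoldedHeaders -Text $Text

    # Indicator 1: Exchange stamped the message as authenticated internally, i.e.
    # it arrived over the hybrid connector and not as anonymous internet mail.
    $authAs = $null
    foreach ($h in $headers) {
        if ($h -match '^X-MS-Exchange-Organization-AuthAs:\s*(.+)$') {
            $authAs = $Matches[1].Trim()
            break
        }
    }

    # Indicator 2: a Received header from Exchange that records a TLS session.
    # Older servers write "(TLS)"; newer ones write "(version=TLS1_2, cipher=...)".
    $tlsHops = @($headers | Where-Object { $_ -match '^Received:.*Microsoft SMTP Server \((version=)?TLS' })

    [pscustomobject]@{
        AuthAs       = $authAs
        TlsHops      = $tlsHops.Count
        SecureHybrid = ($authAs -eq 'Internal' -and $tlsHops.Count -gt 0)
    }
}

$result = Test-HybridTlsHeaders -Text $rawHeaders
$result | Format-List
if (-not $result.SecureHybrid) {
    Write-Warning 'Message was not stamped Internal over a TLS hop; check the hybrid connectors.'
}
```

Both indicators are needed: a message can be authenticated as Internal yet have reached Exchange Online over a hop whose Received header shows no TLS, and an anonymous internet message can arrive over opportunistic TLS without ever being stamped Internal. Only the combination confirms the hybrid connector path the post describes.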

Outbound Mailflow

It is also important to understand, when securing email, that if you centralize mail flow then all outbound messages will be routed through the on-premises Exchange organization.

If the mail flow will be non-centralized, then you should install and configure mail flow with the Hybrid Configuration Wizard.  The great thing about this option is that it maintains the same sending pattern as previously used by your organization, and I would personally strongly recommend this option over centralized mail flow.

Inbound Mailflow

Inbound mail flow in a hybrid configuration should also be analyzed and potentially changed.  Here are the two options you can choose from when configuring inbound mail flow securely.

Pointing the MX record at the on-premises organization, and then forwarding to Exchange Online, is a completely acceptable option.  Alternatively, you could point your MX record at Exchange Online.  In this case, messages for on-premises mailboxes are forwarded to on-premises through the outbound connector created by the Hybrid Configuration Wizard.  So, this second option would be preferred.
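Whichever outbound and inbound options from the two sections above you choose, the Exchange Online side has a pair of Hybrid Configuration Wizard connectors whose TLS settings decide whether on-premises mail is really identified by certificate. The script below is an added example for this page, not code from the original post or from the wizard. It assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session, that the wizard-created connectors have ConnectorType OnPremises (their names, "Inbound from <guid>" and "Outbound to <guid>", differ per tenant), and $OnPremTlsDomain is a placeholder for your on-premises certificate domain.

```powershell
# Added example (not from the original post): audit the Exchange Online hybrid
# connectors for TLS enforcement and report whether centralized mail transport is on.
# Assumes Connect-ExchangeOnline has already been run. $OnPremTlsDomain is a placeholder.
param([string]$OnPremTlsDomain = 'mail.contoso.example')   # placeholder

$findings = @()

# Inbound connector: mail arriving here is trusted as internal and bypasses anti-spam,
# so Exchange Online must require TLS and identify on-premises by its certificate.
foreach ($in in Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }) {
    if (-not $in.RequireTls) {
        $findings += "Inbound '$($in.Name)': RequireTls is off."
    }
    if (-not $in.TlsSenderCertificateName) {
        $findings += "Inbound '$($in.Name)': no TlsSenderCertificateName; any TLS sender could claim to be on-premises."
    } elseif ("$($in.TlsSenderCertificateName)" -notlike "*$OnPremTlsDomain*") {
        $findings += "Inbound '$($in.Name)': TlsSenderCertificateName does not reference $OnPremTlsDomain."
    }
    if (-not $in.RestrictDomainsToCertificate -and -not $in.RestrictDomainsToIPAddresses) {
        $findings += "Inbound '$($in.Name)': neither RestrictDomainsToCertificate nor RestrictDomainsToIPAddresses is set."
    }
}

# Outbound connector: mail from Exchange Online to on-premises should validate the
# on-premises certificate. RouteAllMessagesViaOnPremises tells you whether you are
# running centralized mail transport (all outbound mail goes via on-premises).
foreach ($out in Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }) {
    if ($out.TlsSettings -notin @('CertificateValidation', 'DomainValidation')) {
        $findings += "Outbound '$($out.Name)': TlsSettings is '$($out.TlsSettings)'; expected CertificateValidation or DomainValidation."
    }
    if ($out.TlsSettings -eq 'DomainValidation' -and -not $out.TlsDomain) {
        $findings += "Outbound '$($out.Name)': DomainValidation is set without a TlsDomain."
    }
    $mode = if ($out.RouteAllMessagesViaOnPremises) {
        'CENTRALIZED (all outbound mail via on-premises)'
    } else {
        'non-centralized (Exchange Online sends directly)'
    }
    Write-Output "Outbound '$($out.Name)': mail flow mode = $mode; smart hosts = $($out.SmartHosts -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: hybrid connectors require and validate TLS.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The inbound findings are the ones to take seriously: because mail over the inbound connector skips the anti-spam filters, a connector that accepts any TLS sender, or that identifies on-premises only by IP ranges you no longer control, lets arbitrary internet mail into your tenant as if it were internal. The outbound mode line simply makes the centralized versus non-centralized choice from the section above visible in the tenant rather than something you have to remember.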

Wrapping up!

Securing Office 365 hybrid mail flow with TLS correctly is important not only to the health of your email flow, but also to the security of any corporate information that is sent through email.  If you are deploying the Office 365 hybrid option, plan and secure your mail flow today!