If you have an Exchange Hybrid configuration, you can also route outbound email messages from your on-premises mailboxes through Exchange Online Protection (EOP).

To do this, you just have to create a new send connector on your on-premises Exchange server (and in each of your AD sites, if you have more than one) for the address space *, which covers all outbound email to the internet. You also need to assign the FQDN of EOP as the smart host, which acts as the relay. The Fqdn parameter specifies the FQDN used as the source server for connected messaging servers that use the Send connector to receive outgoing messages. This is the FQDN of your public on-premises Exchange organization.


New-SendConnector -Name "E-Mail to Internet via ExchangeOnline" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn mail.braintesting.de -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts braintesting-net.mail.protection.outlook.com -TlsAuthLevel CertificateValidation


New-SendConnector
https://learn.microsoft.com/en-us/powershell/module/exchange/new-sendconnector

The CloudServicesMailEnabled parameter specifies whether the connector is used for hybrid mail flow between an on-premises Exchange environment and Microsoft 365. Specifically, this parameter controls how certain internal X-MS-Exchange-Organization-* message headers are handled in messages that are sent between accepted domains in the on-premises and cloud organizations.

The Fqdn parameter specifies the FQDN used as the source server for connected messaging servers that use the Send connector to receive outgoing messages. The value of this parameter is displayed to connected messaging servers whenever a source server name is required.

The SmartHosts parameter specifies the smart hosts the Send connector uses to route mail. This parameter is required if you set the DNSRoutingEnabled parameter to $false and it must be specified on the same command line.




Below you can see the newly created send connector from the above New-SendConnector cmdlet.

As you can see in the screenshot below, I am using an Edge Transport server located in the lab environment's perimeter network.

So far it was in charge of sending email messages out to the internet and of bidirectional secure mail transport between the on-premises Exchange organization and Exchange Online.

The MX record is set to Exchange Online Protection, so incoming mail from the internet will not hit the Edge Transport server directly and will instead be routed from EOP.

So from now on, the Edge Transport server is only in charge of bidirectional secure mail transport between the on-premises Exchange organization and Exchange Online. Outbound email messages to the internet, as opposed to internal recipients in Exchange Online, will from now on be sent out through the newly created send connector.


You will find more about the Edge Transport server, and how to configure it in an Exchange Hybrid Classic Full environment, in my following post







Here you can see that the new send connector has a cost value of 1. If you still have other send connectors for the address space * (all undefined/Internet), either disable them or set their cost value higher than the new connector's (valid range from 1 through 100). A lower cost indicates a better route, and therefore this route is used instead of routes with a higher cost.

Otherwise your outbound email messages will not use the new relay to Exchange Online Protection (EOP) and won’t get signed for DKIM.





COST Value
The Cost value on the address space is used for mail flow optimization and fault tolerance when you have the same address spaces configured on multiple Send connectors on different source servers. A lower priority value indicates a preferred Send connector.

The Send connector that’s used to route messages to a recipient is selected during the routing resolution phase of message categorization. The Send connector whose address space most closely matches the recipient’s email address, and whose priority value is lowest is selected.

Source: https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/send-connectors?view=exchserver-2019#send-connector-address-spaces
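
The cost rule above can be checked with a short script. This is an added example, not part of the original post: it lists every enabled "*" send connector that does not relay to EOP yet has the same or a lower cost than the EOP connector. The function names, the second sample connector, and the assumption that an address space renders as "SMTP:*;1" are mine.

```powershell
# Added example, not from the original post. Assumes each address space renders
# as "[TYPE:]address;cost" (e.g. "SMTP:*;1") when converted to a string.
function Get-WildcardRoute {
    param([Parameter(Mandatory)] [object[]] $Connector)
    foreach ($c in $Connector) {
        foreach ($space in $c.AddressSpaces) {
            if ("$space" -match '^(?:(?<type>[^:;]+):)?(?<address>[^;]+);(?<cost>\d+)$' -and
                $Matches.address -eq '*') {
                [pscustomobject]@{
                    Name       = $c.Name
                    Enabled    = [bool]$c.Enabled
                    Cost       = [int]$Matches.cost
                    SmartHosts = @($c.SmartHosts) -join ','
                }
            }
        }
    }
}

function Test-EopRoute {
    param([object[]] $Connector, [string] $EopSmartHost)
    $active = @(Get-WildcardRoute -Connector $Connector | Where-Object Enabled)
    $eop    = @($active | Where-Object SmartHosts -like "*$EopSmartHost*")
    if (-not $eop) { Write-Warning "No enabled '*' connector relays to $EopSmartHost"; return $active }
    $eopCost = ($eop | Measure-Object Cost -Minimum).Minimum
    # Anything not relaying to EOP with the same or a lower cost can still win the route.
    $active | Where-Object { $_.SmartHosts -notlike "*$EopSmartHost*" -and $_.Cost -le $eopCost }
}

$eopHost = 'braintesting-net.mail.protection.outlook.com'   # smart host used on this page
# Constructed sample data; on an Exchange server use: $connectors = Get-SendConnector
$connectors = @(
    [pscustomobject]@{ Name = 'E-Mail to Internet via ExchangeOnline'; Enabled = $true
                       AddressSpaces = @('SMTP:*;1'); SmartHosts = @($eopHost) }
    [pscustomobject]@{ Name = 'Old Internet connector (hypothetical)'; Enabled = $true
                       AddressSpaces = @('SMTP:*;1'); SmartHosts = @() }
)
Test-EopRoute -Connector $connectors -EopSmartHost $eopHost | Format-Table Name, Cost, SmartHosts
```

With the sample data the old connector is reported because it ties at cost 1; an empty result means every competing "*" connector is disabled or costs more than the EOP route.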






Links

Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers
https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail