Microsoft 365 SMTP Settings: How to Configure Email Sending
Microsoft 365 (formerly Office 365) supports three methods for sending email via SMTP: client submission, SMTP relay, and direct send. Each serves a different use case with different configuration requirements. This guide covers all three, along with the server settings, authentication requirements, and DNS considerations.
Method 1: SMTP Client Submission (Authenticated SMTP)
This is the standard method for email clients, applications, and devices that send email as a specific Microsoft 365 user.
Connection Settings
| Setting | Value |
|---|---|
| SMTP Server | smtp.office365.com |
| Port | 587 |
| Encryption | STARTTLS |
| Authentication | Required (username + password) |
| Username | Full email address (e.g., [email protected]) |
| Password | User's Microsoft 365 password or App Password |
Key Characteristics
- Requires a licensed Microsoft 365 mailbox.
- Messages appear in the user's Sent Items folder.
- Subject to Microsoft 365 sending limits: 10,000 recipients per day, 30 messages per minute.
- Supports sending to both internal and external recipients.
- The
Fromaddress must match the authenticated user's mailbox or an alias/shared mailbox they have Send As permissions for.
Enabling SMTP AUTH
Microsoft disables SMTP AUTH by default for new tenants as a security measure. To enable it:
- Per-user: In the Microsoft 365 admin center, go to Users > Active users > select the user > Mail > Manage email apps > enable Authenticated SMTP.
- Tenant-wide (PowerShell):
Set-TransportConfig -SmtpClientAuthenticationDisabled $false
Per-user enablement is preferred. Enabling SMTP AUTH tenant-wide is a broader security exposure.
Modern Authentication and App Passwords
If the account has multi-factor authentication (MFA) enabled, standard password authentication will fail unless:
- You generate an App Password through the user's security settings, or
- The application supports OAuth 2.0 authentication with the
XOAUTH2SASL mechanism.
Microsoft is moving toward deprecating basic authentication for SMTP entirely. Plan for OAuth 2.0 support in applications where possible.
Method 2: SMTP Relay (Connector-Based)
SMTP relay is designed for applications and devices that send high volumes of email or need to send as addresses that do not correspond to a Microsoft 365 mailbox.
How It Works
You configure a connector in Exchange Online that accepts email from specific IP addresses and relays it through Microsoft 365. The sending device or application connects to your MX endpoint.
Connection Settings
| Setting | Value |
|---|---|
| SMTP Server | Your MX endpoint (e.g., yourdomain-com.mail.protection.outlook.com) |
| Port | 25 |
| Encryption | TLS (opportunistic) |
| Authentication | IP-based (no username/password) |
Setup
- In the Exchange admin center, go to Mail flow > Connectors.
- Create a new connector: From: Your organization's email server. To: Office 365.
- Configure the connector to authenticate by the sending server's IP address.
- Add the static IP addresses of your sending servers or devices.
Key Characteristics
- No mailbox license required for the sending address.
- Can send to internal and external recipients.
- No recipient limits per day (though Microsoft may throttle excessive volume).
- The sending IP must be static and added to the connector.
- The
Fromaddress must use a domain verified in your Microsoft 365 tenant.
Method 3: Direct Send
Direct send is used when a device or application needs to send email only to internal Microsoft 365 recipients (within your organization).
Connection Settings
| Setting | Value |
|---|---|
| SMTP Server | Your MX endpoint (e.g., yourdomain-com.mail.protection.outlook.com) |
| Port | 25 |
| Encryption | TLS (opportunistic) |
| Authentication | None required |
Key Characteristics
- Cannot send to external recipients.
- No mailbox license required.
- No connector configuration needed.
- Useful for internal alerts, monitoring systems, and scanner-to-email functionality.
- The
Fromaddress must be a valid address in your Microsoft 365 tenant.
Choosing the Right Method
| Requirement | Client Submission | SMTP Relay | Direct Send |
|---|---|---|---|
| External recipients | Yes | Yes | No |
| Authentication | Username/password | IP-based | None |
| Mailbox required | Yes | No | No |
| Sending limits | 10,000/day | High volume | No limit |
| Port | 587 | 25 | 25 |
DNS Configuration
Regardless of which method you use, your domain's DNS should include proper authentication records.
SPF Record:
@ TXT "v=spf1 include:spf.protection.outlook.com ~all"
This authorizes Microsoft 365's infrastructure to send email for your domain. If you also send from other sources (marketing platforms, CRM), include those in the same SPF record.
Validate with the InboxTooling SPF Check.
MX Record:
@ MX 0 yourdomain-com.mail.protection.outlook.com.
Verify with the InboxTooling MX Lookup.
DKIM: Enable DKIM signing in the Microsoft 365 Defender portal under Email & collaboration > Policies > DKIM. Publish the CNAME records Microsoft provides.
DMARC: Publish a DMARC record to complete your authentication stack.
Troubleshooting
- "535 5.7.139 Authentication unsuccessful": SMTP AUTH is disabled for the user or tenant. Enable it in the admin center.
- "550 5.7.60 SMTP client does not have permissions": The
Fromaddress does not match the authenticated user or the user lacks Send As permissions. - Connector relay not working: Verify the sending IP is correctly listed in the connector and that port 25 is not blocked by your ISP.
- SPF failures: Ensure
include:spf.protection.outlook.comis in your SPF record. Run a check with the Full Report tool.
For a complete assessment of your Microsoft 365 email configuration, use the InboxTooling Full Report to check MX, SPF, DKIM, and DMARC in a single pass.
Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.