Sending Email
How does an email make it from point A to point B? How does a mail server know how to route the message? First, the mail server must be configured correctly for name lookups using Domain Name Servers (DNS). DNS is used by a mail server by taking the domain name portion of an email address and looking up what is known as a Mail Exchange (MX) record in the public DNS zone for this domain.
An email address has three elements, the alias (sometimes also referred to as prefix), the ‘@’-symbol (separator), and the domain name:
When the mail server queries the MX record for this domain it will retrieve the name and IP address of the destination server and attempt to send the email to that server. We can simulate this lookup by using the Lookup utility in Windows
C:\>nslookup
Default Server: dns.google Address: 8.8.8.8
set type=mx
cloud-itpro.com Server: dns.google Address:
Non-authoritative answer:
cloud-itpro.com MX preference = 0, mail exchanger = cloud-itpro.com.mail.protection.outlook.com
We can see a DNS entry, the MX record, for the domain being looked up. The same MX record has a corresponding A record with an IP address connected as shown below:
- cloud-itpro.com.mail.protection.outlook.com Server: google
Address: 8.8.8.8
Non-authoritative answer:
Name:cloud-itpro.com.mail.protection.outlook.com Addresses: 162.251.80.68
162.251.80.68
We can see a DNS entry, the MX record, for the domain being looked up. The same MX record has a corresponding A record with an IP address connected as shown below:
- cloud-itpro.com.mail.protection.outlook.com Server: google
Address: 8.8.8.8
Non-authoritative answer:
Name: cloud-itpro.com.mail.protection.outlook.com Addresses: 162.251.80.68
162.251.80.68
Receiving Email
On the other end of the equation is the recipient’s server which answers the sending mail server and starts a conversation to make the connection and accept the SMTP traffic, ultimately delivering the email to the destination mailbox. For a mailbox in Exchange Online, the message, once this initial conversation between mail servers is over, is then scanned by protection engines in Exchange Online Protection. Once it clears EOP, the message is then routed to the destination mailbox which could be hosted in Exchange Online, an on-premises mail server, or some other cloud mail service.
FAQ
- How are your MX records configured? External mail servers determine where to transport messages for your organization by the MX record of your public DNS domain. The servers configured in your MX record are your perimeter servers that are the first to accept external messages and often scan them for spam and malware.
- How are messages routed from your perimeter to your user mailboxes? After a message was received on the perimeter network, it needs to be routed to the correct Mailbox server hosting the user mailbox or recipient.
- How many protection barriers are between your Mailbox Servers and the outside world? A minimum of one email gateway must be used to scan for spam and malware, but you can have multiple gateways in your perimeter network to scan your incoming and outgoing mail flow. These gateways can include external providers such as Exchange Online Protection and Edge servers.
- How many different rules are applied to your mail flow? A transport or mail flow rule can modify, copy, or redirect messages flowing to your mail servers and anti-spam gateways. Transport rules can also apply different rules on messages to add anti-spam header fields and possibly redirect messages. The more organizations apply rules to their mail flow, the greater the complexity when troubleshooting their mail flow.
- Do you use a mandatory TLS encryption with a partner organization? Sometimes you must establish TLS-encrypted connections to partner organizations or, for example, with Exchange Online.
Teams is different. If you send an email to a Teams channel, the email is processed by another EOP tenant. You may wonder why this occurs, but the explanation is simple in mail flow terms. The email domain name for a Teams channel is not set to a domain in your tenant, but rather it is based on a Microsoft predetermined name. Thus, when the email is routed to the channel, it will go from your Exchange Online tenant to the Teams EOP tenant, where it is scanned before it is delivered (back) to the Teams channel in your own tenant. Messages originating from outside your organization follow the same path: they’ll be delivered in the EOP tenant of Microsoft first, before being delivered to your Teams channel(s). |