Published 2 years ago by Joyroute-jojo

Mail Flow in Exchange Online || Exchange Online Email Flow Explained: Inbound & outbound email routing

Exchange Online Email Flow Explained: inbound and outbound email routing. How to understand MS Exchange Online mail flow.

Let us assume a user who is using Gmail wants to send an email to a user whose mailbox is hosted in Exchange Online. In this example, Mr. Jojo sends mail from his Gmail account to Mr. Murali, whose account is in Microsoft 365 Exchange Online. ID: murali@

Every mailbox provider has an email server that is responsible for processing email: Exchange Server, Exchange Online, the Gmail server, the Yahoo Mail server and so on. In this example the mail is sent from Gmail, so the Gmail server (in other words, the Google Mail server) is responsible for processing the email.

As soon as Jojo composes and sends the email from his Gmail account, that mail is picked up by the message transfer agent and handed over to the message submission agent. The message transfer agent and the message submission agent are services running on the email server. These services are responsible for picking up emails from client applications and sending them on for further processing. The SMTP service then picks up the email from the message submission agent.

Now the SMTP service knows that it needs to deliver this email to murali@ , but it does not know where this user is. Who is Murali? The SMTP service only knows that if it finds the domain “ ”, it will find the user as well. So the SMTP service goes to DNS and asks for this domain's information. DNS consults its own internal servers (root server, top-level domain server, authoritative name server) and routes the SMTP service to the domain provider where this domain is now hosted. From there the SMTP service finds the MX record for this domain. The MX record is used to receive email: it tells email servers where to route email for a particular domain. So now the SMTP service knows how it can reach this domain.

Now there can be 2 scenarios. I can point my MX record for this domain to a third-party email filtering server like Barracuda or Sophos.
Or I can point it to Exchange Online Protection (EOP).

Let us assume that the MX record for is pointed to a third-party email filtering server. For example, when we integrate an email filtering server with Exchange Online Protection, we create an inbound connector in Exchange Online that receives email from that server, and we create one outbound connector that sends email from Exchange Online to the email server. So, with the help of the MX record, the email is delivered to Sophos, and with the help of the inbound connector it is routed to Exchange Online Protection. If the MX record is pointed to Exchange Online Protection, the email is delivered to EOP directly.

Once the email is delivered to Exchange Online Protection, it goes through multiple email filters that scan it one by one.

The first email filter in Exchange Online Protection is the connection filter. The connection filter runs a directory-based edge blocking check on this email. Directory-based edge blocking checks names: if the recipient of the email is not found within this tenant, the email is rejected and the sender receives an NDR. Then the connection filter checks the connecting IP address within the email header, which shows where this email was sent from; in this case it will be the IP address of the Google Mail server. The connection filter also checks whether the connecting IP is added to the IP allow or block list and takes action on the email as per the configuration. Then the connection filter validates the connecting IP address against the IP reputation list. It adds a value to the email header, IPV:NLI, which indicates that the connecting IP address was not found within the IP reputation list. After this, the connection filter checks the safe sender list maintained by the recipient.

Antimalware filter. The antimalware filter scans all incoming and outgoing emails in the Exchange Online organization. It scans the mail for 3 major malware categories:
1. Virus
2. Spyware
3. Ransomware
Malware can be an attachment.
It scans the mail body, detects malware inside the attachment or the email, and moves that mail to quarantine. Emails that are quarantined by antimalware policies can be viewed and released only by administrators. Let's assume there is no malware within the email or its attachment.

Advanced Threat Protection, or ATP. ATP scans attachments and links within incoming emails. ATP includes 2 security features:
1. Safe Attachments
2. Safe Links

Once the email has passed the inbound anti-spam policies, it is delivered to the mailbox. As soon as the email is delivered to the mailbox, it is checked against the inbox rules configured by the end user. Also, if mailbox forwarding is enabled on the mailbox, the email is forwarded to the respective mailbox. After inbox rules or mailbox forwarding, auto purge (ZAP) scans for malware. The email is now delivered to the inbox.
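
The connection-filter result described above is recorded in the delivered message's X-Forefront-Antispam-Report header as the field IPV:NLI, next to the connecting IP (CIP). The following Python is an added example, not part of the original description: it parses that header from a constructed sample message (placeholder addresses, hypothetical function names) and reports the connecting IP and the IPV value.

```python
import ipaddress
from email import message_from_string
from email.policy import default

# IPV values Microsoft documents for X-Forefront-Antispam-Report.
IPV_MEANING = {
    "NLI": "connecting IP not found on any IP reputation list",
    "CAL": "connecting IP is on the IP Allow List, spam filtering skipped",
}

# Constructed sample: placeholder addresses, folded header, IPv6 connecting IP.
SAMPLE = (
    "From: sender@example.org\n"
    "To: recipient@example.com\n"
    "X-Forefront-Antispam-Report: CIP:2001:db8::25;CTRY:US;LANG:en;SCL:1;SRV:;\n"
    " IPV:NLI;SFV:NSPM;H:mail.example.org;PTR:mail.example.org;CAT:NONE;\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def parse_antispam_report(raw_message):
    """Return the header's KEY:value fields as a dict ({} if it is absent)."""
    msg = message_from_string(raw_message, policy=default)
    header = msg.get("X-Forefront-Antispam-Report")
    if header is None:
        return {}
    fields = {}
    for part in str(header).split(";"):
        # Split on the first colon only: an IPv6 CIP value contains colons.
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def connection_verdict(raw_message):
    """Summarise what the connection filter recorded for this message."""
    fields = parse_antispam_report(raw_message)
    try:
        cip = str(ipaddress.ip_address(fields.get("CIP", "")))
    except ValueError:
        cip = None  # header missing, or CIP is not a valid address
    ipv = fields.get("IPV") or None
    return {
        "connecting_ip": cip,
        "ipv": ipv,
        "meaning": IPV_MEANING.get(ipv, "no IPV value, or one not in this table"),
    }
```

Comparing `connecting_ip` with the sending server expected for the route (the third-party filter when the MX record points there, the sender's own mail server when it points to EOP) shows which of the two scenarios a given message followed.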