Using SES as an SMTP relay with Office365


Working on a DC migration. As part of this there are applications that need to send emails and currently do so via on-prem SMTP relays (Exchange). How can this be achieved with SES + O365?

SES provides the option of a dedicated IP address, which can be allow-listed, but how does this work with the domain namespace when the sending address has the same domain as the O365 tenancy? E.g. SES would be configured with the namespace "customer.com" and O365 is also configured with the namespace "customer.com", as they want the application emails to come from one of their email addresses. The above config will result in a phishing attack being detected. Also, there is a requirement that these emails are treated as internal emails, which do not get scanned and vetted as external emails are. E.g. internal emails are allowed a larger attachment size than external emails, for printer scans, document applications etc. There are connectors that can be configured, but I was wondering if anyone has done this and understands the config required on the O365 side. Thanks for your help.

2 answers

Accepted answer

O365/Exchange allow for foreign servers to be designated as internal to the environment, allowing them to bypass filtering.

The IP address of the SES endpoint would be added to the allow list as described here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-connection-filter-policy?view=o365-worldwide

Other considerations: Including SES in the customer SPF/DKIM/DMARC records. Each of these impacts whether an email sender is considered to be spoofed.

It is something to test in stages to avoid issues, but definitely not an uncommon configuration.

AWS
Expert
Answered 4 years ago

The accepted answer to this question may be out of date.

When you send mail from SES using your verified domain identity, the messages are DKIM signed and will pass the DMARC policy for the domain.

The question of whether Office 365 Exchange Online will honor the authentication results for a domain that is also configured within the tenant may depend on how the tenant is configured, or the behavior may have changed since this question was first asked and answered.

Please read this Microsoft article

Under section: Create allow entries for spoofed senders. "Allow entries for spoofed senders take care of intra-org, cross-org, and DMARC spoofing. Only the combination of the spoofed user and the sending infrastructure as defined in the domain pair is allowed to spoof."

Sending infrastructure can be identified by: "A verified DKIM domain"

AWS
Jesse_T
Answered a year ago
AWS
Expert
Reviewed a year ago
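The O365-side configuration the two answers describe (connection filter allow list, spoof allow entry for the domain pair, and a connector so the mail is treated as internal), written out as an added Exchange Online PowerShell example; it is not from the original post or from AWS, and the IP address 203.0.113.10, the domain customer.com and the DKIM domain amazonses.com are placeholder assumptions to be replaced with the tenant's own values.

```powershell
# Added example, not from the page. Assumed placeholders:
#   203.0.113.10  - the SES dedicated IP the applications relay through
#   customer.com  - the domain verified in SES and used by the O365 tenant
#   amazonses.com - the DKIM domain SES signs with; confirm the real value
#                   from the Authentication-Results header of a test message,
#                   since Easy DKIM may sign with customer.com instead.
# Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline -UserPrincipalName admin@customer.com

# 1. Connection filter: let the SES IP bypass IP-reputation filtering
#    (the allow-list step from the accepted answer).
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = "203.0.113.10"}

# 2. Spoof allow entry: only this spoofed-user / sending-infrastructure
#    domain pair is allowed to send as customer.com (second answer).
New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow `
    -SpoofedUser "customer.com" -SendingInfrastructure "amazonses.com" `
    -SpoofType Internal

# 3. Inbound connector locked to the SES IP so these messages are evaluated
#    as internal rather than external mail (the connector the question mentions).
New-InboundConnector -Name "SES application relay" -ConnectorType OnPremises `
    -SenderDomains "*" -SenderIPAddresses "203.0.113.10" `
    -RestrictDomainsToIPAddresses $true -TreatMessagesAsInternal $true

# 4. Verify what landed before sending test mail in stages.
Get-HostedConnectionFilterPolicy -Identity Default | Select-Object IPAllowList
Get-TenantAllowBlockListSpoofItems -Action Allow
Get-InboundConnector -Identity "SES application relay" |
    Select-Object SenderIPAddresses, TreatMessagesAsInternal

# DNS side (not PowerShell): the SPF record for customer.com must include
# both senders, e.g.  v=spf1 include:spf.protection.outlook.com include:amazonses.com -all
```

Send a test message and check its Authentication-Results header for spf=pass, dkim=pass and dmarc=pass before cutting the applications over.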
