SES Receive using 'external' account (Microsoft 365)

0

Hi all! I work in a large organization using Microsoft 365 as e-mail provider. Recently we were tasked with automating the processing of e-mails in a specific mailbox from our main domain, let's say court-notice@my.org, involving the use of SageMaker Ground Truth, Lambda functions, among others. All of this begins with receiving the e-mail in SES. We don't use AWS WorkMail, just Exchange Online from the Microsoft 365 subscription.

I'm having a hard time trying to put the pieces together on how to transport the e-mail from Microsoft to AWS SES. I've already verified the e-mail account and the domain in the SES console by publishing the CNAME records in our DNS, but I'm not allowed to change the Microsoft Exchange MX record. I've added the AWS MX record in the DNS, but given that it has a lower priority the mail isn't delivered to it. I've tried to create a rule and a connector from Exchange to route those e-mails for court-notice@my.org to AWS SES (inbound-smtp.us-east-1.amazonaws.com), but it fails the validation with "mailbox unavailable".

3 Answers
0

I'm confused about which e-mail domain you're using in SES and M365. Are they both the same?

EXPERT
answered 2 months ago
0

You can’t run the same domain on different mail servers without some complexity.

You'd best set up a subdomain in SES and forward the emails over.

EXPERT
answered 2 months ago
0

Thank you Gary, you are right, a subdomain is much simpler.

These posts [0,1,2] pointed me in the right direction. In my lab environment it wasn't working because the Exchange server was configured as authoritative, hence it was trying to deliver the mail inside the server instead of redirecting it to AWS. Once I changed the accepted domain setting to internal relay the validation was successful and the rule started working, correctly receiving the mail in AWS SES and executing the action previously configured.

So, to summarize:

  • On the Exchange Online Admin side:
    1. Verify that the domain you'll use (in my case, my.org) is set as internal relay instead of authoritative, or edit it accordingly [3].
    2. Create a connector from Office 365 to your organization's email server [4], setting the use of the connector to "only when a transport rule is set up that redirects messages to this connector", routing it to the AWS SES inbound SMTP endpoint URL for your region [5] (in my case, inbound-smtp.us-east-1.amazonaws.com).
    3. Create a rule [6] that uses the connector for the email address you want to use with SES (in my case court-notice@my.org).
  • On the AWS side:
    1. Follow this Knowledge Center article [7] or the SES documentation [8], including the email and domain validation (the latter requires publishing some CNAME records in your DNS).
  • In the DNS:
    1. Your MX record for M365 stays the same: priority 0, name @ and content yourdomain.mail.protection.outlook.com.
    2. As per the Knowledge Center article [7], one of the first steps is to publish an MX record [9]; it has to be a lower priority than M365 (anything other than 0, unless for some reason your MX record for M365 has a priority other than 0, in which case the number has to be greater in order to be a lower priority).

refs:

  0. https://stackoverflow.com/questions/75542238/link-office-365-to-aws-workmail-ses
  1. https://serverfault.com/questions/1141709/send-emails-from-exchange-to-external-recipient-with-the-same-domain-name
  2. https://practical365.com/how-to-share-an-email-domain-between-two-mail-systems/
  3. https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains
  4. https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail
  5. https://docs.aws.amazon.com/ses/latest/dg/regions.html#region-receive-email
  6. https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules
  7. https://repost.aws/knowledge-center/ses-receive-inbound-emails
  8. https://docs.aws.amazon.com/ses/latest/dg/receiving-email-setting-up.html
  9. https://docs.aws.amazon.com/ses/latest/dg/receiving-email-mx-record.html
Keber
answered a month ago
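The Exchange Online side of the procedure in the answer above, written out as Exchange Online PowerShell. This is an added example and not code from the original thread or from Microsoft or AWS; the domain my.org, the address court-notice@my.org and the us-east-1 inbound endpoint follow the answer, while the connector and rule names are arbitrary assumptions. It does the three Exchange steps (accepted domain type, rule-scoped outbound connector, mail flow rule), runs the connector validation that produced the "mailbox unavailable" error in the question, and finishes with the MX preference check for the DNS section.

```powershell
# Added example (not from the original thread): Exchange Online side of the
# answer above, using the ExchangeOnlineManagement module.
# Assumed values: domain my.org, address court-notice@my.org, SES inbound
# endpoint for us-east-1. Connector and rule names are arbitrary.
$Domain   = 'my.org'
$Address  = "court-notice@$Domain"
$SesHost  = 'inbound-smtp.us-east-1.amazonaws.com'
$ConnName = 'To AWS SES (court-notice)'
$RuleName = 'Route court-notice to AWS SES'

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an Exchange admin account

# Step 1: the accepted domain must be InternalRelay, not Authoritative.
# Authoritative means "every recipient in this domain exists here", so Exchange
# resolves the recipient locally instead of relaying; that is where the
# "mailbox unavailable" validation failure in the question comes from.
$accepted = Get-AcceptedDomain -Identity $Domain
if ($accepted.DomainType -ne 'InternalRelay') {
    Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay
}

# Step 2: a Partner outbound connector that delivers to the SES smart host and
# is used only when a transport rule selects it (IsTransportRuleScoped).
# SES inbound offers STARTTLS; require encryption on this hop so the mail is
# not relayed in cleartext if TLS negotiation fails.
if (-not (Get-OutboundConnector -Identity $ConnName -ErrorAction SilentlyContinue)) {
    New-OutboundConnector -Name $ConnName `
        -ConnectorType Partner `
        -UseMXRecord $false `
        -SmartHosts $SesHost `
        -IsTransportRuleScoped $true `
        -TlsSettings EncryptionOnly `
        -Enabled $true
}

# Step 3: the mail flow rule that routes mail for the one address through the
# connector. Scoping to a single recipient keeps the rest of the domain on its
# normal M365 delivery path.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SentTo $Address `
        -RouteMessageOutboundConnector $ConnName `
        -Comments 'Hands the court-notice mailbox to AWS SES receiving.'
}

# Validation: sends a test message through the connector to the address. With
# the domain still Authoritative this is the step that reports
# "mailbox unavailable".
Validate-OutboundConnector -Identity $ConnName -Recipients $Address

# DNS check for the last section of the answer: the M365 MX stays at
# preference 0 and the SES MX carries a larger number (lower priority).
Resolve-DnsName -Name $Domain -Type MX |
    Where-Object { $_.Type -eq 'MX' } |
    Sort-Object Preference |
    Select-Object Preference, NameExchange
```

Run it once from an admin workstation; each step is guarded so re-running does not create duplicate connectors or rules. TlsSettings EncryptionOnly is the baseline; if the SES endpoint's certificate validates for your region's hostname in your tenant, CertificateValidation is the stricter choice and stops the connector from delivering to an impostor host that merely offers TLS.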
