Office 365: Outbound conditional (per source domain) mail flow routing

Imagine this scenario: You have an anti-spam appliance in front of your Office 365 tenant, and you want outbound mail flow from your tenant to go via that appliance, but only depending on the email domain of the sender. For example, you have domainA.com and domainB.com as two vanity domains in Office 365, and you want User1@domainA.com outbound email to go via the mail appliance, but user2@domainB.com outbound email to go direct to the Internet.

The scenario above requires conditional routing, meaning the outbound mail flow path differs depending on the email domain of the source user (the sender). The example above is just one of several that might lead you to apply such a configuration.

Now the important part: How do you configure it? Well, you can do it via PowerShell or via the UI, and to do the configuration you will need the following:

  • A Transport Rule
  • An Outbound Connector

Create the Outbound Connector

The first thing you need to create is the Outbound connector.

Via Exchange Online PowerShell

To create the connector via PowerShell, connect to Exchange Online and run the following:

New-OutboundConnector -Name "To Internet Direct" -ConnectorType Partner -UseMXRecord $true -IsTransportRuleScoped $true

The command above creates a connector that goes directly to the Internet and is scoped to the transport rule we will create next. If you want to create a connector that goes via an appliance, run the following:

New-OutboundConnector -Name "To Internet via Appliance" -ConnectorType Partner -UseMXRecord $false -SmartHosts <Appliance IP> -IsTransportRuleScoped $true

Via the Exchange Online Admin Center

Navigate to Mail Flow > Connectors and click “+”

Select Office 365 as source and Partner Organization as destination

Enter a name and description

Select “Only when I have a transport rule set up that redirects messages to this”

Select “Use MX Record” or “Route email through these smart hosts” depending on whether you want the email to go direct or via an appliance/smart host

Uncheck the “Always use TLS” option, unless the appliance or server you’re sending the email to is configured to use TLS

Confirm the settings and click next

Validate the connector and save

Create the transport rule

Once you have the outbound connector created, you can now create the transport rule.

Via Exchange Online PowerShell

To create the transport rule via PowerShell, connect to Exchange Online and run the following:

New-TransportRule -Name "UseAppliance" -SenderDomainIs <Source Domain> -SentToScope NotInOrganization -RouteMessageOutboundConnector "To Internet via Appliance"

The command above creates a transport rule that uses the “To Internet via Appliance” outbound connector, and that applies only when the sender’s domain matches the specified source domain and the recipient is outside of the organization (a very important setting).

Via the Exchange Online Admin Center

Navigate to Mail Flow > Rules and click “+ Create a New rule”

Click on “More options…”

Give the rule a name

In the Conditions select “Apply this rule if..” > The recipient is located > Outside of the Organization

Click on “Add condition”

Select “Apply this rule if..” > The Sender > Domain is > Enter the domain name of the source user

In the “Do the Following…” section select “Redirect the message to..” > The following connector. Select the outbound connector from the drop down list

Make sure the “Enforce” rule mode option is selected
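The same connector-plus-rule setup as an added example, not code from the original post: it creates both transport-rule-scoped connectors idempotently, then one rule per sender domain from a domain-to-connector map, and lists the result so you can confirm scope, mode and priority. It assumes an already connected Exchange Online PowerShell session; the domain names, smart host and rule names are placeholders.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline has
# already been run. Domains, smart host and names below are placeholders.
$applianceHost = 'appliance.example.com'      # placeholder smart host (FQDN or IP)
$viaAppliance  = 'To Internet via Appliance'
$direct        = 'To Internet Direct'

# Both connectors are transport-rule scoped: they carry no mail until a rule routes to them.
if (-not (Get-OutboundConnector -Identity $viaAppliance -ErrorAction SilentlyContinue)) {
    # TlsSettings is kept so the hop to the appliance stays encrypted; drop it only if the
    # appliance cannot do TLS (the step above describes that choice in the UI).
    New-OutboundConnector -Name $viaAppliance -ConnectorType Partner -UseMXRecord $false `
        -SmartHosts $applianceHost -IsTransportRuleScoped $true -TlsSettings EncryptionOnly
}
if (-not (Get-OutboundConnector -Identity $direct -ErrorAction SilentlyContinue)) {
    New-OutboundConnector -Name $direct -ConnectorType Partner -UseMXRecord $true `
        -IsTransportRuleScoped $true
}

# Map each sender (source) domain to the connector its external mail should leave through.
$routing = @{
    'domainA.com' = $viaAppliance   # placeholder: scanned by the appliance
    'domainB.com' = $direct         # placeholder: straight to the Internet
}

foreach ($domain in $routing.Keys) {
    $ruleName = "Route $domain outbound"
    if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) { continue }
    # SentToScope NotInOrganization keeps internal (tenant-to-tenant) mail off the connector.
    New-TransportRule -Name $ruleName `
        -SenderDomainIs $domain `
        -SentToScope NotInOrganization `
        -RouteMessageOutboundConnector $routing[$domain] `
        -Mode Enforce
}

# Review what will actually fire: rules run in priority order, so an earlier rule that
# also matches the sender domain (for example one with a Stop action) wins.
Get-TransportRule |
    Where-Object { $_.RouteMessageOutboundConnector } |
    Sort-Object Priority |
    Format-Table Priority, Name, SenderDomainIs, SentToScope, RouteMessageOutboundConnector, Mode, State -AutoSize
```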

Now that you have both the transport rule and the outbound connector created, let’s test and see if it’s being applied.

Test the routing

The first thing you should do is simple: Send an outbound email from a user whose domain should have conditional routing applied. Make sure the email is addressed to an external recipient.

Once you have sent the email, in the Exchange Admin Center go to Mail flow > Message trace, select the sender you want to trace the message for and click on “search”

Note: It might take a few minutes after you send the message before it shows up in the message trace

Once you can see the message there, double click on it to see the details

In the details you can see whether the transport rule was applied, and the name of the transport rule

You will also be able to see whether the message was delivered, is pending or has failed. This is key for troubleshooting the mail flow and confirming that the correct rules are applied and the correct outbound connectors are being used.
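The same message-trace check from PowerShell, as an added example that is not part of the original post: it pulls recent messages from the test sender and, for each recipient, looks through the trace events for the transport-rule event naming your rule, alongside the delivery status. It assumes a connected Exchange Online session; the sender address and rule name are placeholders, and the “Transport rule” event name and its Detail wording are how the trace output is assumed to read.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline has been run.
# Sender and rule name are placeholders; the 'Transport rule' event/Detail text is an
# assumption about Exchange Online trace output, so adjust the filter if yours differs.
function Test-ConditionalRouting {
    param(
        [string]$Sender        = 'user1@domainA.com',   # placeholder test sender
        [string]$RuleName      = 'UseAppliance',        # rule created earlier in the post
        [int]   $LookbackHours = 2                      # trace can lag a few minutes
    )
    $end   = Get-Date
    $start = $end.AddHours(-$LookbackHours)

    $messages = Get-MessageTrace -SenderAddress $Sender -StartDate $start -EndDate $end
    if (-not $messages) {
        Write-Warning "No messages from $Sender in the last $LookbackHours h (trace may still be indexing)."
        return
    }

    foreach ($m in $messages) {
        # Detail events are per message-trace id and recipient; both parameters are required.
        $events = Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId `
                                         -RecipientAddress $m.RecipientAddress
        $ruleEvent = $events |
            Where-Object { $_.Event -eq 'Transport rule' -and $_.Detail -like "*$RuleName*" } |
            Select-Object -First 1

        [pscustomobject]@{
            Received    = $m.Received
            Recipient   = $m.RecipientAddress
            Status      = $m.Status          # Delivered / Pending / Failed ...
            RuleApplied = [bool]$ruleEvent   # $false means the rule never fired for this message
            Detail      = $ruleEvent.Detail  # names the rule and the routing action taken
        }
    }
}

# Internal recipients are expected to show RuleApplied = $false because of SentToScope.
Test-ConditionalRouting | Format-Table -AutoSize
```

A message with RuleApplied set to false but Status Delivered left the tenant through the default path, not your connector, which is the usual symptom when the sender domain or recipient scope on the rule does not match.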

And that’s it. Job done! As always if you have questions let me know.

9 thoughts on “Office 365: Outbound conditional (per source domain) mail flow routing”

  1. Eddie Lui May 15, 2018 / 12:19 pm

    Can it be implemented in Exchange 2016 On Premises? If not, are there any other solutions?

    • AMVargas June 15, 2018 / 5:46 am

      Unfortunately conditional mail routing is an EOP (Exchange Online Protection) feature, so exclusive to 365.

  2. Joachim Otahal May 21, 2018 / 6:13 pm

    The sad part: “-RouteMessageOutboundConnector” is not available on a normal Exchange 2016.

    • AMVargas June 15, 2018 / 5:48 am

      That is correct, unfortunately. You can use forwarding addresses or non-authoritative domains in Exchange on-premises.

  3. Lolu September 21, 2018 / 10:26 pm

    Thanks for this article, AMVargas. It’s saved me after over 2.30 hrs on the phone to MS. We have two domains on O365, one hybrid and the other to send email direct to the internet. We needed the hybrid one to route email via the on-premises.

    The instructions were clear and precise... I used the GUI one.

  4. nerdegem August 29, 2019 / 5:48 pm

    Thanks for this. We wanted to add a test domain connected to our SPAM service before going fully live across our Office 365 estate, and your post helped us quickly isolate why the transport rule wasn’t being utilised.

    I’ve linked here from my post at https://nickver.de/gem/?p=305

    • Antonio Vargas August 30, 2019 / 6:08 am

      You’re welcome, I am glad it helped.

  5. Stephanie M Medina June 23, 2021 / 2:27 pm

    What if your test email fails and you cannot validate? Ex: I have it@domain.com on Office 365 and it@domain.com on Gmail. It will not allow me to use that email address. Help please?

    • Antonio Vargas September 21, 2021 / 10:13 am

      Validation should not be a blocker. Let me know if you still need help
