Imagine this scenario: You have an anti-spam appliance in front of your Office 365 tenant, and you want outbound mail flow from your tenant to go via that appliance, but only for some sender domains. For example, you have domainA.com and domainB.com as two vanity domains in Office 365, and you want User1@domainA.com outbound email to go via the mail appliance, but user2@domainB.com outbound email to go direct to the Internet.
The scenario above requires conditional routing, meaning the outbound mail flow path will be different depending on what the email domain of the source user (the sender) is. The example above is just one of several that might lead you to apply such configuration.
Now the important part: How do you configure it? Well, you can do it via PowerShell or via the UI, and to do the configuration you will need the following:
- A Transport Rule
- An Outbound Connector
Create the Outbound Connector
The first thing you need to create is the Outbound connector.
Via Exchange Online PowerShell
To create the connector via the PowerShell, connect to Exchange Online and run the following:
New-OutboundConnector -Name "To Internet Direct" -ConnectorType Partner -UseMXRecord $true -IsTransportRuleScoped $true
The command above creates a connector that goes directly to the Internet and it’s scoped to the transport rule we will create next. If you want to create a connector that goes via an appliance run the following:
New-OutboundConnector -Name "To Internet via Appliance" -ConnectorType Partner -UseMXRecord $false -SmartHosts <Appliance IP> -IsTransportRuleScoped $true
Via the Exchange Online Admin Center
Navigate to Mail Flow > Connectors and click “+”
Select Office 365 as source and Partner Organization as destination
Enter a name and description
Select “Only when I have a transport rule set up that redirects messages to this”
Select “Use MX Record” or “route email through these smart hosts” depending on whether you want the email to go direct or via an appliance/smart host
Remove the “Always use TLS” selection, unless the appliance or server you’re sending the email to is configured to use TLS
Confirm the settings and click next
Validate the connector and save
Create the transport rule
Once you have the outbound connector created, you can now create the transport rule.
Via Exchange Online PowerShell
To create the transport rule via the PowerShell, connect to Exchange Online and run the following:
New-TransportRule -Name "UseAppliance" -SenderDomain <Source Domain> -SentToScope NotInOrganization -RouteMessageOutboundConnector "To Internet via Appliance"
The command above creates a transport rule that uses the “To Internet via Appliance” outbound connector, and that applies when the source domain matches the one specified and the destination recipient is outside of the organization (a very important setting, otherwise internal mail would also be redirected).
Via the Exchange Online Admin Center
Navigate to Mail Flow > Rules and click “+ Create a New rule”
Click on more options
Give the rule a name
In the Conditions select “Apply this rule if..” > The recipient is located > Outside of the Organization
Click on Add Condition
Select “Apply this rule if..” > The Sender > Domain is > Enter the domain name of the source user
In the “Do the Following…” section select “Redirect the message to..” > The following connector. Select the outbound connector from the drop-down list
Make sure the Enforce rule option is selected
Now that you have both the transport rule and the outbound connector created, let’s test and see if it’s being applied.
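The whole configuration side as one script, added here as an example and not taken from the original post. It assumes you are already connected with Connect-ExchangeOnline, that domainA.com is the sender domain to route via the appliance, and that 203.0.113.10 is a placeholder for your appliance address.

```powershell
# Added example: create the scoped connector and the rule that selects it, then verify both.
# Assumed values (replace with your own):
$SenderDomain   = 'domainA.com'                 # sender domain that must leave via the appliance
$ApplianceHosts = @('203.0.113.10')             # placeholder smart-host IP(s) or FQDN(s)
$ConnectorName  = 'To Internet via Appliance'
$RuleName       = 'UseAppliance'

# 1. Outbound connector routed through the smart host.
#    -IsTransportRuleScoped $true: no mail uses this connector unless a transport rule selects it,
#    so the rest of the tenant keeps the default outbound path.
if (-not (Get-OutboundConnector -Identity $ConnectorName -ErrorAction SilentlyContinue)) {
    New-OutboundConnector -Name $ConnectorName `
        -ConnectorType Partner `
        -UseMXRecord $false `
        -SmartHosts $ApplianceHosts `
        -IsTransportRuleScoped $true `
        -TlsSettings EncryptionOnly             # require TLS to the appliance; drop only if it cannot negotiate TLS
}

# 2. Transport rule: sender domain matches AND recipient is outside the organization.
#    SentToScope NotInOrganization keeps internal (tenant-to-tenant) mail on the normal path.
#    -SenderDomainIs is the full parameter name behind the -SenderDomain shorthand used above.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SenderDomainIs $SenderDomain `
        -SentToScope NotInOrganization `
        -RouteMessageOutboundConnector $ConnectorName `
        -Mode Enforce                            # Audit would only log, not redirect
}

# 3. Verify: the rule is enabled and enforced, and it points at the scoped connector.
Get-TransportRule -Identity $RuleName |
    Select-Object Name, State, Mode, SenderDomainIs, SentToScope, RouteMessageOutboundConnector
Get-OutboundConnector -Identity $ConnectorName |
    Select-Object Name, Enabled, IsTransportRuleScoped, UseMXRecord, SmartHosts, TlsSettings
```

If step 3 shows State Disabled or Mode Audit, the connector exists but no mail will be redirected yet.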
Test the routing
The first thing you should do is simple: Send an outbound email from the user that should have conditional routing applied to his domain. Make sure the email is to an external recipient.
Once you have sent the email, in the Exchange Admin Center go to Mail flow > Message trace, select the sender you want to trace the message for and click on “search”
Note: It might take a few minutes after you sent the message before it shows in the message trace
Once you can see the message there, double click on it to see the details
In the details you can see if the transport rule was applied and the transport rule name
You will also be able to see if the message was delivered, is pending or has failed. This is key for you to troubleshoot the mail flow and see if the correct rules are applied and the correct outbound connectors are being used.
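The same check from PowerShell, added here as an example and not part of the original post. It assumes an active Connect-ExchangeOnline session, that user1@domainA.com sent the test message to an external recipient within the last hour, and that the trace detail labels the rule event with the word “rule” (as the Exchange Online trace output does).

```powershell
# Added example: pull the message trace for the test sender and report, per recipient,
# the delivery status and which transport rule (if any) fired.
$Sender = 'user1@domainA.com'                   # assumed test sender
$Start  = (Get-Date).AddHours(-1)
$End    = Get-Date

# Trace data can lag a few minutes behind the actual send; re-run if nothing shows up yet.
$traces = Get-MessageTrace -SenderAddress $Sender -StartDate $Start -EndDate $End

foreach ($t in $traces) {
    # Per-message events: Receive, Transport rule, Send/Deliver/Fail, etc.
    $detail = Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId `
                                     -RecipientAddress $t.RecipientAddress

    # The rule event's Detail text carries the rule name; "none" means the rule did not match,
    # which usually points at the sender-domain or recipient-scope condition.
    $ruleEvents = $detail | Where-Object { $_.Event -like '*rule*' }

    [pscustomobject]@{
        Received    = $t.Received
        Recipient   = $t.RecipientAddress
        Status      = $t.Status                 # Delivered, Pending or Failed
        RuleApplied = if ($ruleEvents) { ($ruleEvents.Detail -join '; ') } else { 'none' }
    }
}
```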
And that’s it. Job done! As always if you have questions let me know.
Can it be implemented in Exchange 2016 On Premises? If not, are there any other solutions?
Unfortunately conditional mail routing is an EOP (Exchange Online Protection) feature, so exclusive to 365.
The sad part: “-RouteMessageOutboundConnector” is not available on a normal Exchange 2016.
That is correct unfortunately. You can use forwarding addresses or non-authoritative domains in Exchange on premises
Thanks for this article, AMVargas. It’s saved me after over 2.30 hrs on phone to MS. We have two domains on O365, one hybrid and the other to send email direct to the internet. We needed the hybrid to route email via the on-premises.
The instruction was clear and precise… I use the GUI one.
Thanks for this – we wanted to add a test domain connect to our SPAM service before going fully live across our Office 365 estate, and your post helped us quickly isolate why the transport rule wasn’t being utilised.
I’ve linked here from my post at https://nickver.de/gem/?p=305
You’re welcome, I am glad it helped
What if your test email fails and you cannot validate? Ex: I have it@domain.com on Office 365 and it@domain.com on Gmail. It will not allow me to use that email address. Help please?
Validation should not be a blocker. Let me know if you still need help