top of page

How Does Exchange Hybrid Mail Flow Works – Exchange Online Protection (EOP)

Updated: Dec 29, 2023

Welcome Back!!

In this Article, We will are going to see how the mail flow works when you have an Exchange Hybrid Setup.


Let’s Consider, You have setup as mentioned in the above picture.

Let us assume,

  1. We have pointed your MX record to Exchange Online Protection(EOP).

  2. Have configured Hybrid Exchange On-Premises with Exchange Online and created connectors to route the emails based on the Email address policies .

  3. Have Smart Host or EDGE Servers for the On-Premises Mailboxes to receive the mails and that has been configured with Send / Receive connectors to the internal Exchange Transport Servers.

Before we begin talking the Mail flow, we should be very clear in some basic the information to help you understand complete.

  1. MX Record: It is the Exchange record which is pointed to the Smart hosts which are responsible to receive emails. MX record needs to be created in your public DNS Providers and pointed to the right Host which is receiving the mails to your domain.

  2. SPF Record: Sender Policy Framework simply called as SPF defines a policy who, which are servers can send emails from the domain. It will be very useful to the large and Medium Scale companies to avoid Spoofing attacks from the spammers but now a days small scale companies also started to use the SPF Records. For more details, Please refer my previous Article

  3. DKIM Record: DomainKeys Identified Mail (DKIM) is another method of Spam and Phishing fighting by Signing outgoing Mails using Cryptographic Signature. So that Recipient can validate and determine the Mail whether it is sent by Authorized Mail System. For more details, Please refer my previous Article

  4. DMARC Record: Helps receiving organization decide what to do with e-mails that fails checks and create a feedback loop to allow course correction. For more Details, Please refer the article

These are some important records that required for every organizations to have proper mail flow up to date and avoid Spam Mails.

Considering that you have setup all the records properly and let us start discussing about the Mail Flow how it works.

Scenario 1: Inbound Mail Flow

In Exchange Online Protection (EOP), We have two types of the Inbound Mail flow Setups

  1. Centralized Mail Flow

  2. Decentralized Mail Flow

You should understand them in detail and how it is configured in your Organization to troubleshoot any Mail Flow issues.

1. Centralized Mail Flow Setup

In this Centralized Mail Flow Setup, once EOP received the mails, it does the scanning of the mails for Anti-Malware and Viruses. Post validation, Exchange Online back to On-Premises Smart Host based on the connectors configured. In Centralized Mail Flow Setup, all the mails for on-premises Mailboxes users and Exchange Online users will be send to On-premises Exchange Servers.

On-premises mailboxes will be directly delivered in the Exchange Servers and Post validation and identified that Exchange online User Mailboxes, Mails again send back to Exchange Online Protection (EOP).

Now, Exchange Online Protection (EOP) takes that mails and deliver them to the Exchange Online users directly.



In this setup, You will see all the mails are coming to On-Premises Exchange environment first and gets delivered to Exchange online. Hence you will have full control of the mails. This solution ideally works well when you have On-Premises Data Loss Prevention(DLP) and other Security / Data Controls.


On-premises users will receive mails faster than the Online users and troubleshooting will take more time when you get any mail issues. also, if there are any issues with Exchange On-Premises Setup it will impact the Exchange Online Users as well.

2. Decentralized Mail Flow Setup

In this Decentralized Mail Flow Setup, Once EOP Received the mails , it does the Scanning of the mails for Anti-Malware and Viruses. Post validation, Exchange Online Protection (EOP) checks for the recipients and Exchange Online user Mails will be delivered directly in the Exchange online and On-premises user Mails will be sent back to On-Premises Servers based on the connectors configured. In Decentralized Mail Flow Setup, Mails gets delivered directly to Exchange Online and On-premises Exchange Servers based on their mailboxes located.



Mails delivery will be faster. There will not be any issues in delivering the mails to Exchange online if there is any issues in Exchange On-Premises Environment but still On-premises users will get affected. so impact will be Partial


Since Mails are delivered in both locations, you need check the mailbox locations and troubleshoot based mailboxes located if there is any issues in the Mail Delivery. Applying On-Premises based DLP / Data / Security Controls will not be sufficient as it takes care only the On-Premises Mailboxes and we need separate cloud based setup for Exchange Online users.

Scenario 2: Outbound Mail Flow

When you configured the EOP has your Outbound Last Hop, all the mails from On-Premises & Exchange Online will be directly sent to Exchange Online Protection and the mails are sent to the respective mail domains using the MX Records and the connectors configured.


when you using EOP as last Hop, You can use Exchange Online Protection (EOP) Completely like Exchange Online Protection, Transport Rules, Data Loss Prevention(DLP).

Scenario 3: Inbound / Outbound Mail Flow between On-Premises and Exchange Online

Mails between Exchange Online / On-Premises Exchange Mail Servers will be delivered using the Connectors configured during the Hybrid Setup and it also can be manually configured based on the requirements.

All the communications done using TLS. Hence you should have proper Public / Third Party SAN Certificates configured in the On-Premises Smart Host / EDGE Servers end.

How does Exchange Online Protection (EOP) Works?

Exchange Online Protection when it receives an email for the Exchange Online / On-Premises Exchange, It follows the sequences as mentioned below


Connection Filter:

When reaches the mail first in Exchange Online Protection (EOP), It first reaches the connection Filtering. In this phase, first validates the Sender’s Reputation and Validates the IP Addresses from where the mail has come from and Safe Sender List / Blocked Senders list. If the received mail not passed any of the validation, mail will be deleted. in some instance, you can configure for the Junk delivery to the mailboxes.

Anti-Malware Filter:

This will be second filter applied for the mails. In this filtering, Emails will be inspected for the Malware and Viruses.

Majority of the spam Mails will be stopped at the connection filter and Anti-Malware filtering. After the evaluation of the Sender’s reputation and Anti-Malware, Mail will be passed to the next Phase

Transport Rules / Policy Filtering :

Mails will be validated against the Transport Rules and Data Loss Prevention Policies applied in the Exchange Online prevention for the Organization.

Here we can apply custom transport rules to filter the mails and make them Junk delivery / Quarantine the Mails based the conditions.

Content Filtering :

When messages send through the content filtering, all the emails are validated for terminology or properties common to spam. A message determined to be spam by the content filter can be sent to a user’s Junk Email folder or to the quarantine

After all the filtering applied and Mail has been determined as Genuine, Mail will be delivered to user mailbox.

We will see the technical details how this is getting setup and Mail tracking tricks in the next upcoming articles.

Until then Ta-Ta!! 🙂

14 views0 comments


bottom of page