Verify Microsoft Online Services Transport Layer Security (TLS) E-mail Delivery
Next, determine whether Transport Layer Security (TLS) was used during Message Delivery. Assumption: Your on-premise SMTP Connector has been configured to request a TLS Session.
- Send a test message from your on-premise environment to a Microsoft Online Services mailbox.
- Log in to your Microsoft Online Services mailbox by opening Office Outlook.
- Open the test message that you sent from your on-premise sender, and then click the small down-arrow in the options section.

- Review the Header information for TLS, which indicates that the message was delivered using TLS.

Note: Perform this test in the opposite direction to make sure TLS is being used in both directions.
Exchange Hosted Services (EHS) front-ends all Microsoft Online Mail and uses Deterministic TLS when sending/receiving messages, which means that it will attempt to send/receive mail via TLS (issuing EHLO statements to understand the message server's capabilities).
On-Premise → TLS → EHS → TLS → Microsoft Online Services
Microsoft Online Services → TLS → EHS → TLS → On-Premise
Note: If TLS is not available anywhere along this path, delivery will fall back to SMTP port 25 and deliver in clear text.
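The header review described above can be scripted so that every hop on the path is checked, not just one line. This is an added example, not part of the original page: the sample headers are constructed, and the TLS markers it matches (`(TLS)`, `ESMTPS`, `TLSv1.x`, `over TLS secured channel`) are assumptions about what the relays on your path stamp, so adjust them to what your servers write.

```python
import re
from email import message_from_string

# Constructed sample message (hosts, IPs and ids are placeholders, not real data).
# The middle hop deliberately lacks a TLS marker to show a clear-text fallback.
SAMPLE = """\
Received: from mail.online.example (10.0.0.3) by mbx.online.example (10.0.0.4)
 with Microsoft SMTP Server (TLS) id 8.1.0.0; Fri, 1 Jan 2010 10:00:03 +0000
Received: from gw.ehs.example (10.0.0.2) by mail.online.example (10.0.0.3)
 with Microsoft SMTP Server id 8.1.0.0; Fri, 1 Jan 2010 10:00:02 +0000
Received: from onprem.contoso.example (192.0.2.10) by gw.ehs.example (10.0.0.2)
 with ESMTPS id abc123; Fri, 1 Jan 2010 10:00:01 +0000
From: sender@contoso.example
To: user@contoso1.microsoftonline.com
Subject: TLS test

body
"""

# Assumed markers: Exchange "(TLS)", RFC 3848 "ESMTPS"/"ESMTPSA",
# "TLSv1.2"/"version=TLS1_2" style strings, and "over TLS secured channel".
TLS_MARKERS = re.compile(
    r"\(TLS\)|\bwith\s+E?SMTPSA?\b|\bTLSv?\d|over TLS secured channel", re.I)


def hop_report(raw_message):
    """Return [(from_host, by_host, used_tls)] in delivery order, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its Received line, so reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", flat)
        src, dst = m.groups() if m else ("?", "?")
        hops.append((src, dst, bool(TLS_MARKERS.search(flat))))
    return hops


def cleartext_hops(raw_message):
    """Return the (from, by) pairs whose Received line shows no TLS marker."""
    return [(s, d) for s, d, tls in hop_report(raw_message) if not tls]


if __name__ == "__main__":
    for src, dst, tls in hop_report(SAMPLE):
        print(f"{src} -> {dst}: {'TLS' if tls else 'NO TLS MARKER'}")
```

Received lines are written by each relay, and the older ones can be forged by an upstream sender, so treat only the hops stamped by servers you trust as evidence.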
If a customer requires full TLS Messaging Transport capabilities, they will need a TRUSTED certificate (a certificate that can be verified and is trusted – Verisign, GoDaddy, etc.) on their On-Premise Exchange Bridgehead Server, so that when MS Online/EHS delivers mail, it can properly negotiate the TLS session. The On-Premise Exchange Admin must also configure their SMTP Connector to use Outbound Security – TLS in order to request a TLS session for any Address Namespaces (e.g. contoso1.microsoftonline.com) defined for that Connector.