Setting up forced TLS in Exchange Online

Introduction to TLS

TLS (Transport Layer Security) is a protocol that provides privacy and data integrity between communicating applications on the Internet. When a server and a client communicate, TLS ensures that no third party can read or tamper with the message. Setting up forced TLS in Exchange Online requires setting up mail flow connectors. By default, all email in Office 365 is sent using opportunistic TLS.

When sending with opportunistic TLS, if a TLS connection cannot be established, Exchange Online falls back to a basic connection and sends the message in plain text over Simple Mail Transfer Protocol (SMTP). This fallback is the weakness: an attacker positioned on the path who interferes with the TLS negotiation (for example by stripping the STARTTLS capability from the receiving server's response) can cause the message to be sent in the clear. When a message is sent over a forced TLS connection and the TLS handshake cannot be completed, the message is not delivered and the sender receives a non-delivery report (NDR).

By default, Office 365 is configured to use Opportunistic TLS for all email flow in Exchange Online. Exchange Online servers always encrypt connections to other Exchange Online servers in Microsoft data centers with TLS 1.2.

Setting up Forced TLS

Setting up forced TLS in Exchange Online means creating a mail flow connector for the partner domain. The wizard below creates the outbound connector (Office 365 to the partner organization); it governs mail you send. Mail you receive from the partner is only protected if you also create an inbound connector that requires TLS. Perform the following steps.

  • Log in to the Office 365 admin center.
  • Navigate to Admin, then click Exchange under Admin Centers to open the Exchange Admin Center.
  • Navigate to Mail Flow and click Connectors.
  • Click the + icon to start the connector wizard.
  • On the first page, which asks for your scenario, select "Office 365" as the source (From) and "Partner organization" as the destination (To).
  • Name the connector, add a description and click Next.
  • Specify the domain names to force TLS with and click Next. You need to list every partner domain with which you want forced TLS mail flow; mail to domains not listed here continues to use opportunistic TLS.
  • Specify how Office 365 will deliver email to the partner organization (via the partner's MX record, or via a smart host) and click Next.
  • Select the checkbox "Always use Transport Layer Security (TLS) to secure the connection (Recommended)" so that every message is sent over TLS. Pay attention to the certificate requirement offered beneath it: accepting any certificate, including a self-signed one, only removes the plaintext fallback, whereas requiring a certificate issued by a trusted certificate authority (ideally one whose subject name matches the partner domain) is what protects against an active attacker who can answer for the partner's mail server.
  • Review the configuration and click Next.
  • Specify an email address in the partner domain to validate the connector. You can add multiple addresses: click the + icon to add each one, then click Validate.
  • The validation wizard performs a three-step validation, which includes sending a test message to the addresses you supplied. If a step fails, the partner's mail server could not be reached or could not negotiate TLS as required; resolve that before saving, because once the connector is saved those failures become NDRs for real mail.
  • Click Close to complete the validation wizard.
  • Once validation has succeeded, click Save to save the configuration.
  • When the wizard has saved the configuration, forced TLS is in effect for mail sent from Exchange Online to the partner organization.
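The same configuration can be scripted with Exchange Online PowerShell, which is also the quickest way to audit what the wizard produced and to add the inbound side that the wizard does not create. The block below is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the partner domain is partner.example (a placeholder), and that the partner's mail servers present a CA-issued certificate for *.partner.example.

```powershell
# Added example, not part of the original article.
# Assumptions (placeholders): partner domain partner.example, whose MX hosts present
# a CA-issued certificate for *.partner.example. Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement).

Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for automation

$partnerDomain   = 'partner.example'
$partnerCertName = '*.partner.example'

# 1. Outbound: Office 365 -> partner (what the wizard in the article creates).
#    TlsSettings controls how strong "forced" is:
#      EncryptionOnly        any certificate, even self-signed: stops plaintext fallback only
#      CertificateValidation certificate must chain to a trusted CA
#      DomainValidation      trusted CA AND subject must match -TlsDomain
#    DomainValidation is the one that rejects an MX host presenting its own certificate.
New-OutboundConnector -Name "Forced TLS to $partnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerCertName `
    -Enabled $true

# 2. Validate the new connector the way the wizard does; it sends a test message
#    to the recipients given and reports each check.
Validate-OutboundConnector -Identity "Forced TLS to $partnerDomain" `
    -Recipients "postmaster@$partnerDomain"

# 3. Inbound: partner -> Office 365. Without this, mail FROM the partner is still
#    accepted over plaintext. RequireTls rejects sessions that do not negotiate TLS;
#    RestrictDomainsToCertificate additionally rejects mail claiming to be from the
#    partner domain unless the sending server's certificate matches the name below.
New-InboundConnector -Name "Forced TLS from $partnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $partnerCertName `
    -Enabled $true

# 4. Audit: list every partner connector and the TLS settings actually in force, so an
#    "EncryptionOnly" or a disabled connector does not go unnoticed.
Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'Partner' } |
    Select-Object Name, RecipientDomains, TlsSettings, TlsDomain, Enabled

Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'Partner' } |
    Select-Object Name, SenderDomains, RequireTls, RestrictDomainsToCertificate,
                  TlsSenderCertificateName, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit section on its own periodically: a connector that someone later relaxed to EncryptionOnly still reports "TLS" in the admin center, and only the TlsSettings value shows the difference.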

With forced TLS you need to work closely with your partner organization so that both sides enable it at the same time, after confirming that both sides' mail servers can negotiate TLS with certificates that satisfy the validation level you chose. If the partner's servers cannot complete the TLS handshake, every message you send them will be rejected and returned with an NDR, and if you also require TLS on an inbound connector, mail from any partner server that tries to deliver over plain SMTP will be rejected at the SMTP session.
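Before flipping the switch it is worth checking the partner's MX hosts yourself rather than relying on the partner's word: each one must advertise STARTTLS and complete a handshake with a certificate your chosen validation level accepts. The following probe is an added example, not from the original article; it uses only .NET classes available in Windows PowerShell and PowerShell 7, assumes outbound port 25 is reachable from where you run it, and uses the placeholder hostname tlscheck.example.com as the EHLO name.

```powershell
# Added example, not part of the original article. Probes every MX host of a domain:
# EHLO, check for the STARTTLS capability, STARTTLS, then a validated TLS handshake
# (the same check "certificate issued by a trusted CA" performs in the connector).
function Test-PartnerStartTls {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $HeloName = 'tlscheck.example.com'   # placeholder; use your own host name
    )

    # Read one SMTP reply, which may span several "NNN-" continuation lines.
    function Read-SmtpReply([System.IO.StreamReader] $Reader) {
        $lines = @()
        do { $line = $Reader.ReadLine(); if ($null -ne $line) { $lines += $line } }
        while ($line -match '^\d{3}-')
        return $lines
    }

    $mxHosts = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'MX' } | Sort-Object Preference

    foreach ($mx in $mxHosts) {
        $hostName = $mx.NameExchange.TrimEnd('.')
        $result = [ordered]@{ Host = $hostName; StartTls = $false; Protocol = $null
                              Subject = $null; Error = $null }
        $client = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($hostName, 25)
            $client.ReceiveTimeout = 10000; $client.SendTimeout = 10000
            $stream = $client.GetStream()
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

            $banner = Read-SmtpReply $reader
            if ($banner.Count -eq 0 -or $banner[-1] -notmatch '^220') { throw "bad banner: $banner" }

            $writer.WriteLine("EHLO $HeloName")
            $ehlo = Read-SmtpReply $reader
            if (@($ehlo -match '^250[ -]STARTTLS').Count -eq 0) {
                throw 'server does not advertise STARTTLS (forced TLS would NDR)'
            }

            $writer.WriteLine('STARTTLS')
            $reply = Read-SmtpReply $reader
            if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

            # AuthenticateAsClient validates the chain and the host name against the
            # machine trust store and throws on failure, as CertificateValidation would.
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            $ssl.AuthenticateAsClient($hostName)
            $result.StartTls = $true
            $result.Protocol = $ssl.SslProtocol.ToString()
            $result.Subject  = $ssl.RemoteCertificate.Subject

            $tlsWriter = New-Object System.IO.StreamWriter($ssl)
            $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
            $tlsWriter.WriteLine('QUIT')
        }
        catch { $result.Error = $_.Exception.Message }
        finally { if ($client) { $client.Dispose() } }

        [pscustomobject]$result
    }
}

# Usage: any row with StartTls = False (or a certificate error) means that host will
# fail a forced TLS connector; repeat for every domain listed on the connector.
Test-PartnerStartTls -Domain 'partner.example' | Format-Table -AutoSize
```

Run it from a network that is allowed to open outbound port 25, and compare the Subject column with the TLS domain you intend to put on the connector: a certificate for a different name passes "any certificate" but fails domain validation.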


Also published on Medium.
