How to Configure Office 365 SMTP Relay for Sending Email

Office 365 SMTP relay lets printers, scanners, multifunction devices, and line-of-business applications send email through Microsoft 365 without needing a licensed user account. This is different from basic Outlook SMTP (client submission), which requires an individual M365 account. SMTP relay uses your organization’s static IP or a dedicated connector, routes through smtp.office365.com on port 25, and doesn’t require per-user authentication. There are three Microsoft-supported sending methods — this guide covers when to use each, how to configure SMTP relay specifically, and code examples for apps that send programmatic email through M365.

:::note[TL;DR]

SMTP relay: smtp.office365.com port 25, no user auth required, uses your static IP or connector
SMTP client submission: smtp.office365.com port 587, requires a licensed M365 user + SMTP AUTH enabled
Direct send: uses [yourtenant]-com.mail.protection.outlook.com port 25, no auth, only delivers to internal addresses
Choose based on: who you’re sending to, whether the device has a licensed account, and your network setup :::

What are the three Office 365 sending methods?

Microsoft supports three distinct approaches. Picking the wrong one is why most Office 365 email setup problems happen.

Method	Port	Auth Required	Can Send Externally?	Best For
SMTP Client Submission	587	Yes (M365 user + SMTP AUTH)	Yes	Apps with a licensed user account
SMTP Relay	25	No (IP or certificate-based)	Yes	Printers, scanners, legacy apps
Direct Send	25	No	Internal only	Notifications to internal users

SMTP Client Submission is what the Outlook SMTP guide covers. You authenticate as a licensed M365 user. Good for apps where you have a dedicated “noreply” account.

SMTP Relay is what this guide covers. No user account required, but you need either a static IP (to configure in Exchange admin) or a certificate.

Direct Send is the simplest but most limited — it can only deliver to addresses inside your Microsoft 365 tenant.

How do I configure Office 365 SMTP Relay?

SMTP Relay requires setup in the Exchange Admin Center by a Microsoft 365 administrator. There are two configuration paths.

Option 1: IP-based relay (static IP required)

This is the standard approach for on-premises devices like printers and scanners with a fixed IP address.

In the Exchange Admin Center (admin.exchange.microsoft.com):

Go to Mail flow > Connectors
Click Add a connector
Connection from: Your organization’s email server
Click Next
Give the connector a name (e.g., “SMTP Relay from Office”)
How to identify the sending server: By verifying that the IP address of the sending server matches one of these IP addresses
Add your device/server’s static IP address
Under Security restrictions, select your preference (TLS recommended if supported)
Save the connector

Device/Application SMTP settings after connector creation:

Setting	Value
SMTP Server	`smtp.office365.com`
Port	`25`
TLS	If your device supports it
Authentication	None required
From address	Any address at your verified M365 domain

Option 2: Certificate-based relay

For servers or apps that can present a TLS certificate. Configure the connector to accept connections where the certificate subject matches your domain. Useful when static IPs aren’t available (e.g., cloud-hosted apps with dynamic IPs).

How do I configure SMTP Client Submission (with user auth)?

For applications that have a dedicated M365 licensed account (like a “noreply@company.com” mailbox):

In Microsoft 365 Admin Center: ensure the account exists and is licensed
Enable SMTP AUTH for that account:
- Admin center → Users → Active Users → select the user
- Click the Mail tab → Manage email apps
- Check Authenticated SMTP → Save
Use these settings in your app:

Setting	Value
SMTP Server	`smtp.office365.com`
Port	`587`
Encryption	STARTTLS
Authentication	Required
Username	The M365 account email
Password	Account password (or App Password if MFA is on)

The Scenario: You’re the IT admin for a 50-person company. The office just got a new multifunction printer that needs to scan-to-email. The vendor’s support doc says to use “the company email server.” You set it up with port 587 and someone’s credentials — it works until that person leaves and their account gets disabled. Setting up SMTP relay with IP-based auth means the printer keeps working regardless of employee turnover.

How do I send email via Office 365 SMTP in code?

For application code using SMTP Client Submission (port 587, user auth):

PHP with PHPMailer

composer require phpmailer/phpmailer

<?php
use PHPMailer\PHPMailer\PHPMailer;

require 'vendor/autoload.php';

$mail = new PHPMailer(true);

$mail->isSMTP();
$mail->Host       = 'smtp.office365.com';
$mail->SMTPAuth   = true;
$mail->Username   = 'noreply@yourcompany.com';  // Licensed M365 account
$mail->Password   = 'your-account-password';
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
$mail->Port       = 587;

$mail->setFrom('noreply@yourcompany.com', 'Company Name');
$mail->addAddress('recipient@example.com');
$mail->Subject = 'Notification from Company App';
$mail->Body    = 'This email was sent through Office 365 SMTP.';

$mail->send();
echo 'Message sent.';

Python with smtplib

import smtplib
from email.mime.text import MIMEText

smtp_server = "smtp.office365.com"
port = 587
username = "noreply@yourcompany.com"   # Licensed M365 account
password = "your-account-password"

msg = MIMEText("Sent through Office 365 SMTP.")
msg["Subject"] = "Notification from Company App"
msg["From"] = username
msg["To"] = "recipient@example.com"

with smtplib.SMTP(smtp_server, port) as server:
    server.ehlo()
    server.starttls()
    server.login(username, password)
    server.sendmail(username, "recipient@example.com", msg.as_string())

print("Email sent.")

Node.js with Nodemailer

npm install nodemailer

const nodemailer = require("nodemailer");

const transporter = nodemailer.createTransport({
  host: "smtp.office365.com",
  port: 587,
  secure: false,    // STARTTLS
  auth: {
    user: "noreply@yourcompany.com",   // Licensed M365 account
    pass: "your-account-password",
  },
  tls: {
    ciphers: "SSLv3",    // Prevents TLS negotiation errors on some Node.js versions
  },
});

async function sendMail() {
  await transporter.sendMail({
    from: '"Company Name" <noreply@yourcompany.com>',
    to: "recipient@example.com",
    subject: "Notification from Company App",
    text: "Sent through Office 365 SMTP with Nodemailer.",
  });
  console.log("Email sent.");
}

sendMail().catch(console.error);

Common Office 365 SMTP errors and how to fix them

535-5.7.3 Authentication unsuccessful SMTP AUTH is disabled for the account. Enable it: Admin center → Users → Active Users → user → Mail tab → Manage email apps → Authenticated SMTP.

530-5.7.57 SMTP; Client was not authenticated Same as above — SMTP AUTH is off.

550 5.7.54 SMTP; Unable to relay For SMTP relay setup: your sending IP doesn’t match what’s in the connector configuration. Verify the static IP in Exchange Admin Center → Mail flow → Connectors.

454-4.7.0 Temporary authentication failure Often a TLS negotiation issue. Add tls: { ciphers: "SSLv3" } to Nodemailer config, or verify TLS settings in PHPMailer. Also occurs when the M365 account requires MFA and no App Password was set up.

Connection refused on port 25 For SMTP relay (port 25), your network must allow outbound port 25 to Microsoft’s IP ranges. Many cloud providers (AWS EC2, for example) block port 25 by default. Request a PTR/rDNS record and port 25 unblock from your provider.

FAQ

Do I need a paid Microsoft 365 license for SMTP relay?

For IP-based SMTP relay (port 25), no licensed user account is required — just a verified domain and a connector. For SMTP client submission (port 587), you need at least one licensed mailbox to authenticate with.

Can Office 365 SMTP relay send to external addresses?

Yes, with SMTP relay (the connector-based setup). Direct Send cannot send to external addresses. Client submission on port 587 can also send externally.

What’s the difference between smtp.office365.com and outlook.office365.com?

smtp.office365.com is the SMTP submission endpoint. outlook.office365.com is the IMAP/Exchange endpoint (used for receiving email in clients). Don’t confuse them.

Is SMTP AUTH being deprecated in Microsoft 365?

Microsoft has been pushing organizations toward Modern Authentication (OAuth 2.0) and has disabled SMTP AUTH at the tenant level by default in new tenants. Admins can re-enable it per-user or org-wide. It’s not fully removed yet, but for new app development, OAuth 2.0 is the more future-proof approach.

Can I use Office 365 SMTP relay from a cloud server with a dynamic IP?

Not with IP-based relay — that requires a static IP. Use certificate-based relay instead, or switch to SMTP client submission (port 587) with a licensed account, which works from any IP.