Enabling a connector to resolve SMTP relay service email issues in Microsoft Exchange

This article describes the email delivery issues organizations using a SMTP relay service in their Microsoft Exchange email process may experience. It also explains how enabling the Enhanced Filtering for Connectors in Microsoft Exchange will resolve the issues.

Issue

Organizations using a SMTP relay service in their Microsoft Exchange email process without configuring a connector may experience the following email delivery issues:

Incoming messages received from trusted senders are being flagged as false-positives by Microsoft or third-party service providers.
Incoming messages received from trusted senders are being placed in the "Junk" folder.
Warnings about phishing or spam appear in messages received from trusted senders.
Incorrect behaviour of custom mail flow rules or sender whitelisting in Microsoft services.
Authentication of sender through Sender Policy Framework (SPF) “failed” or “soft failed“ because of an unauthorized third-party IP address detected in the mail flow.
DomainKeys Identified Mail (DKIM) verification failed because modification of the email content was detected.

IMPORTANT Symptoms could occur intermittently, meaning some messages may be delivered properly while others from the same sender may be blocked.

Why does this issue occur?

As demonstrated in the schema below, when an organization has integrated an SMTP relay service, such as Barracuda or Proofpoint, into their Microsoft Exchange email delivery process, an email sent to the organization from an outside entity will be received by the SMTP relay server first. The SMTP server may make modifications to the email, like adding its own information in the header or including security warnings in the message body or title, before it sends it on to the Microsoft Exchange server.

Upon receiving the email, the Microsoft Exchange server will identify that the sender of the email, the relay server, has a different IP address than the original sender and will most likely determine that the sender is unauthorized.

In addition, the Microsoft Exchange server can identify any modifications that have been made to the email by the SMTP relay server via the DKIM signature. The DKIM signature may show that the original email content does not match the final email content.

The insecure delivery flow and the modification of the original email would cause Microsoft Exchange and any anti-phishing services enabled in the environment to identify the email as a possible threat and block delivery.

Such behaviour is very similar to the security breach known as a “man-in-the-middle attack.“ In this attack, the bad actor obtains access to a company's communication channel and changes messages between the sender and recipient in order to create harm for the company.

Enhanced Filtering for Connectors in Microsoft Exchange

To make using SMTP relay based services with Microsoft Exchange secure and avoid email deliverability issues, you should enable Enhanced Filtering for Connectors in Microsoft Exchange.

Setting up a connector with Enhanced Filtering will authorize your SMTP relay service to translate the email message it receives so Microsoft Exchange can identify and authenticate the original sender. This improves validation of the DKIM signature by providing Microsoft Exchange access to the initial state of the email message when possible. Email messages will be filtered based on their actual content and status of the initial sender.

This schema illustrates the result of enabling Enhanced Filtering for Connectors in Microsoft Exchange when an SMTP relay service is being used for email delivery. The SMTP relay service has translated the email message so the Exchange server can identify the original sender's IP address and view original email.

For information about enabling the connector, see the Microsoft article Enhanced Filtering for Connectors in Exchange Online.

Benefits of configuring the connector

The following summarizes the benefits of configuring Enhanced Filtering for Connectors in Microsoft Exchange when using SMTP relay based services:

Microsoft Exchange remains secure and protected from “man-in-the-middle attacks.“
Microsoft Exchange email flow and all anti-phishing protection services integrated with Microsoft Exchange will work properly.
Improved deliverability of email messages from external senders by minimizing false positive filtration of email messages.
Improved information available in Microsoft Exchange tools for investigating threats.

Revision	Date
Original release	2/18/25

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.