Microsoft Exchange Online and Hybrid Exchange

Modern Email Technologies
The vast majority of businesses use email as the primary form of internal and external communication between their clients, suppliers as well as their employees. Collaboration tools and social media are powerful tools that are often utilised for communications between businesses and their customers, but social media isn’t quite ready to fully replace emails just yet. 

Technology has advanced drastically since the early 2000s, and even more so in the last 10 years, providing far greater functionality than ever before. Whereas previously businesses would tend to run an on-premise Microsoft Exchange Server, which needed an IT Administrator to keep it regularly patched for reliability and security best practice, that is slowly becoming a thing of the past. The days of a physical server taking up space in an office or comms room are ending because many businesses are choosing to move to a cloud-based email solution, most commonly the Microsoft Exchange Online platform, often referred to as Office 365.

Comparison of Email solutions
Choosing one of the many email solutions available for your business should be based upon the requirements of your business. Cloud-based alternatives to Microsoft Exchange Online include Gmail (part of G Suite, Google’s collection of collaboration and productivity apps), Amazon WorkMail, Fasthosts, 1&1, JustHost, Bluehost, Rackspace, Zoho and Liquid Web, to mention just a few (other providers are available). They all provide businesses with an account/platform to set up and associate your domain and link it to any of your required mailboxes. A key benefit of using your own domain is a more professional look, because your email address matches your business/domain name.
Upon signing up to an email hosting provider there will quite often be different packages, each with different features; these may include limits on the number of mailboxes you can set up, the total size limit of each mailbox, which protocols are supported (e.g. POP3/IMAP) and even the helpdesk support hours.

Cloud-based email platforms are a popular alternative to on-premise solutions, although each has pros and cons that should be considered:

Email Type: Using a 3rd party Domain for your Email (an address on the provider’s own domain)
You must have your own Domain: No | Domain renewal (ongoing cost): No | You control the Email Server: No | A 3rd party administers the Email Server: Yes
Pros:
• Tends to be free
• No ongoing cost of hosting
• No ongoing cost of Domain
• No regular Email server maintenance is required
• Is easy to manage without a dedicated Email Administrator
Cons:
• Limitations with functionality with what can be done with Email (vs Microsoft Exchange)
• Limitations of maintenance schedules
• Limitations of administration of backend functionality
• Doesn’t provide professional custom branding for your business
• When someone leaves your company, you may lose control of the Email Address

Email Type: Using your own Domain for your Email and hosting via a 3rd party
You must have your own Domain: Yes | Domain renewal (ongoing cost): Yes | You control the Email Server: No | A 3rd party administers the Email Server: Yes
Pros:
• No server maintenance required (this is done by the 3rd party provider)
• Provides professional custom branding (your Domain) for your business
• When someone leaves your company, you remain in control of the Email Address
Cons:
• Administration is likely to require a dedicated Email Administrator
• Ongoing cost of hosting
• Ongoing cost of Domain
• Limitations with functionality with what can be done with mail (vs Microsoft Exchange)
• Limitations of maintenance schedules
• Limitations of administration of backend functionality

Email Type: Using your own Domain for your Email and hosting via an on-premise mail server
You must have your own Domain: Yes | Domain renewal (ongoing cost): Yes | You control the Email Server: Yes | A 3rd party administers the Email Server: No
Pros:
• No ongoing cost of 3rd party hosting
• Provides professional custom branding (your Domain) for your business
• When someone leaves your company, you remain in control of the Email Address
• Provides good functionality over 3rd party hosting
• You control maintenance schedules
• You administer backend functionality
Cons:
• Administration is likely to require a dedicated Email Administrator
• Ongoing cost of Domain
• Should the internet connection go down within the hosting office, inbound and outbound mail will be unavailable

Email Type: Using your own Domain for your Email and hosting via Office 365 Exchange Online
You must have your own Domain: Yes | Domain renewal (ongoing cost): Yes | You control the Email Server: Partly* | A 3rd party administers the Email Server: Yes
* without unrestricted full control of the backend
Pros:
• Provides professional custom branding (your Domain) for your business
• When someone leaves your company, you remain in control of the Email Address
• Provides good functionality over 3rd party hosting
• Provides 99.9% uptime backed by a financially-backed service level agreement
• Data loss prevention
• Easy to use reporting tools
Cons:
• Ongoing monthly subscription (Microsoft Office 365)
• Administration is likely to require a dedicated Email Administrator
• Ongoing cost of Domain
• You can’t control maintenance schedules
• You can’t administer all backend functionality

Office 365 Email hosting

Office 365’s Microsoft Exchange Online service is a subscription-based package (a stand-alone service or part of an Office 365 subscription) which provides a securely hosted platform in which almost all of the features available to administrators of an on-premise Microsoft Exchange deployment are also available within Exchange Online. There is the added peace of mind that Microsoft Exchange Online has been built with advanced protection capabilities, including anti-malware and anti-spam filtering of mailboxes, and the added benefit of data loss prevention, which helps prevent users from mistakenly sending sensitive information to unauthorised people.
Office 365 runs on globally redundant datacentres, provides disaster recovery capabilities, and has a team of Microsoft engineers monitoring the Exchange Online service 24 hours a day, 7 days a week, 365 days a year.

Microsoft offers customers a guaranteed 99.9% uptime with a financially-backed SLA (Service Level Agreement), which for most businesses is a higher availability target than they could achieve hosting email themselves on-premise.

Exchange Online

Exchange Online is the cloud-hosted version of Microsoft’s Exchange Server platform, which organisations can subscribe to either as a stand-alone service or via an Office 365 subscription. Microsoft Exchange Online gives businesses the majority of the benefits and functions that on-premises Exchange deployments provide, with the added benefit of not needing to perform upgrades or purchase new licenses when a new release comes out. Many businesses today base their costing upon OPEX, which makes this a particularly favourable option.

Exchange Online (just like Exchange on-premise) is accessed via Microsoft Outlook (desktop client), Outlook on the web (via a web browser), or from mobile devices using either the Outlook mobile app or the built-in mail client. Exchange Online not only provides users with the mechanism to send and receive email, it also provides collaboration functionality such as shared calendars, conference rooms and global address lists. A dedicated centralised management portal, accessed via the web, allows for the creation of new mailboxes, distribution groups and security groups, and also covers more advanced features such as permissions, compliance management and mobile device management, all controlled via a GUI (Graphical User Interface). Exchange Online can also be managed from the command line by using Windows PowerShell on your local computer to create a remote PowerShell session to Exchange Online.
This is a three-step process: enter your Office 365 credentials within Windows PowerShell, provide the required connection settings, and then import the Exchange Online cmdlets into your local Windows PowerShell session so that you can use them. Note that Microsoft has since retired this Basic authentication method for remote PowerShell; current guidance is to use the ExchangeOnlineManagement module (Connect-ExchangeOnline), which uses modern authentication and works with accounts that require MFA.

Example of how to connect below:
1. On your local computer, open Windows PowerShell and run the following command, signing in with your Office 365 Global Admin credentials when prompted:

$UserCredential = Get-Credential

2. Run the following command (the -ConnectionUri value depends on which Office 365 environment hosts your tenant):

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

For Office 365 operated by 21Vianet, use the ConnectionUri value:
For Office 365 Germany, use the ConnectionUri value:
For Office 365 Government Community Cloud High (GCC High), use the ConnectionUri value:

If you're behind a proxy server, run this command first:

$ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>

where the ProxyAccessType value is IEConfig, WinHttpConfig, or AutoDetect. Then add the following parameter and value to the end of the $Session = ... command: -SessionOption $ProxyOptions

3. Run the following command to import the Exchange Online cmdlets into your local session:

Import-PSSession $Session -DisableNameChecking
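The same connection using the ExchangeOnlineManagement module, as an added example that is not part of the original page. It assumes the module is already installed (Install-Module ExchangeOnlineManagement), that admin@contoso.com is a placeholder for your admin account, and that the proxy handling mirrors the -SessionOption step above. After connecting it runs one representative administrative check so that the session is actually exercised:

```powershell
# Added example (not from the original page): connecting with the
# ExchangeOnlineManagement module instead of a Basic-auth remote session.
# Assumes the module is installed (Install-Module ExchangeOnlineManagement)
# and that admin@contoso.com is a placeholder for your admin account.

$AdminUpn    = 'admin@contoso.com'
$BehindProxy = $false   # set to $true on a workstation that must use the IE/system proxy

Import-Module ExchangeOnlineManagement -ErrorAction Stop

$connectParams = @{
    UserPrincipalName = $AdminUpn   # modern auth prompt: MFA works, no password stored in the script
    ShowBanner        = $false
}
# Equivalent of "-SessionOption $ProxyOptions" in the steps above
if ($BehindProxy) {
    $connectParams['PSSessionOption'] = New-PSSessionOption -ProxyAccessType IEConfig
}

Connect-ExchangeOnline @connectParams

try {
    # Prove the session works and confirm which tenant you are connected to
    $org = Get-OrganizationConfig
    "Connected to tenant: $($org.Name)"

    # A first administrative check worth running on any tenant: mailboxes that
    # still have the legacy POP3/IMAP4 protocols enabled (commonly disabled to
    # shrink the attack surface exposed to password-spraying)
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
        Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
}
finally {
    # Always tear the session down: leftover sessions count against the
    # limit on concurrent Exchange Online PowerShell connections per admin
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it from an elevated or normal Windows PowerShell prompt; the sign-in is interactive, so the account can be protected by MFA, which the Basic-auth method above cannot satisfy.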

On-prem Exchange
Microsoft Exchange is an email and calendaring server which runs exclusively on Windows Server operating systems. It was first released on 11th April 1996 as “Exchange Server 4.0”.
Early versions shipped with their own X.500-based directory service (with X.400 used for message transfer); from Exchange 2000 onwards the directory moved to Active Directory, which Exchange has used ever since. Up until version 5.0, Microsoft Exchange came with an email client called “Microsoft Exchange Client”, which was later discontinued in favour of Microsoft Outlook.

Exchange Server primarily uses a proprietary protocol, MAPI (today carried over HTTPS as MAPI over HTTP), to talk to its own email clients, and additionally supports POP3 (Post Office Protocol v3), IMAP (Internet Message Access Protocol), EWS (Exchange Web Services) and EAS (Exchange ActiveSync) for mobile devices.
The standard SMTP (Simple Mail Transfer Protocol) is used to exchange mail with other Internet mail servers.

Microsoft Exchange Server has two editions:
• Standard, which is designed for the mailbox needs of small to midsize organisations (this edition supports 1 to 5 mailbox databases)
• Enterprise, which is designed for larger organisations that may require a greater number of mailbox databases (this edition supports 1 to 100 mailbox databases)

A license is then required for the Exchange Server itself, plus Client Access Licenses (CALs), which are sometimes also referred to as “seats”. These licenses are usually purchased via a VLSC subscription (Volume Licensing Service Center, typically under an Enterprise Agreement), or alternatively from a partner reseller such as Ingram Micro, Tech Data, Arrow, SYNNEX Corporation, D&H Distributing or MA Labs Inc.

Microsoft Exchange (on-premise) is becoming less widely used by business due to two key elements: 

1. The cost (CAPEX) involved in purchasing Microsoft Exchange Server license(s) as well as CALs each time a new version is released (many businesses don’t purchase Software Assurance for their Volume Licensing and are therefore unable to upgrade for free under the Software Assurance terms)
2. The time and risk of downtime involved in setting up the prerequisites for a migration, and the time spent resolving issues arising from the migration


Supported operating systems by Exchange version (Yes = supported, No = not supported):

Server Operating System    | Exchange 2019 | Exchange 2016 CU3 and later | Exchange 2016 CU2 and earlier | Exchange 2013 SP1 and later | Exchange 2010 SP3
Windows Server 2019        | Yes           | No                          | No                            | No                          | No
Windows Server 2016        | No            | Yes                         | No                            | No                          | No
Windows Server 2012 R2     | No            | Yes                         | Yes                           | Yes                         | Yes
Windows Server 2012        | No            | Yes                         | Yes                           | Yes                         | Yes
Windows Server 2008 R2 SP1 | No            | No                          | No                            | Yes                         | Yes
Windows Server 2008 SP2    | No            | No                          | No                            | No                          | Yes

TIP: Unlike other Microsoft Office Server 2019 products such as SharePoint and Skype for Business, Microsoft Exchange Server 2019 can only be deployed on Windows Server 2019.  One of the key features of the new release is that Exchange Server can now be deployed onto Windows Server Core for the very first time. Additionally Microsoft has retired the Unified Messaging feature of Exchange, meaning that Skype for Business on-premises customers will have to use alternative solutions for voicemail, such as Azure cloud voicemail. Unified Messaging continues to exist in Exchange Online requiring an Exchange Plan 2 license.

Hybrid Email solutions

The term “Hybrid” in the world of Microsoft emails means a mechanism which provides a business with a Microsoft Exchange on-premises deployment connecting to an Exchange Online deployment. Typically there are a few reasons why a business may choose to do that.

1. Business decision to utilise OPEX instead of CAPEX
While purchasing licenses upfront usually looks more cost effective, many studies show that the combined cost of equipment, consulting and licensing exceeds the subscription cost of Exchange Online. As a result, many businesses have decided it is better to use the subscription-based Exchange Online service (OPEX) rather than pay upfront for an on-premise Exchange deployment (CAPEX). Moving to Exchange Online helps to limit CAPEX, but Exchange Online has a number of management limitations. Most of those limitations can be mitigated by keeping an on-premise Exchange server alongside Exchange Online in Hybrid mode, purely for management purposes.
2. A Business merger with unknown long term plan
In the example below the acquiring company is called LondonCo and the company being acquired is called NewCo.

Suppose LondonCo, which runs an on-premise Exchange deployment, merges with NewCo, which runs a completely independent on-premise Exchange deployment of its own; the mailboxes within NewCo will need to be migrated over to LondonCo. LondonCo have decided that they want to keep NewCo a separate entity within the business in case they later decide to sell it on, and therefore want to migrate these users to an Exchange Online deployment to make separation relatively easy. By setting up a Hybrid connection between LondonCo’s on-premise Exchange and the Exchange Online deployment holding the NewCo users, LondonCo can manage all users within the same organisation while retaining an easy means of removing them should it be required.
3. Hybrid Migration
a. Moving from On-premise Exchange to Exchange Online:
Should a business currently using an on-premise Exchange deployment wish to migrate to Exchange Online, performing the migration using Hybrid, rather than exporting each mailbox, creating a user account/mailbox within Exchange Online and then re-importing the mailbox, or using 3rd party migration tools, has the great added benefit of tying your AD and Office 365 together instead of moving your AD and Exchange to the cloud. The bonus is that Hybrid Exchange is free!

b. Moving from Exchange Online to On-premise Exchange:
In addition, a Hybrid deployment can also be used to move away from Exchange Online back to your on-premise organisation. This is a particularly useful option for businesses who decide Exchange Online doesn’t fulfil their requirements, e.g. because of the ongoing subscription cost or because they are not able to administer the whole of the backend to suit their business needs.

Limitations / problems of MS Email solutions

Mailbox Databases
There are limits on how many mailbox databases can be supported, depending on the edition of Exchange you are using:
Standard, which is designed for the mailbox needs of small to midsize organisations (this edition supports 1 to 5 mailbox databases) 
Enterprise, which is designed for larger organisations that may require a greater number of mailbox databases (this edition supports 1 to 100 mailbox databases)

Send/Receive limits within Microsoft Exchange 

In an on-premise Exchange organisation the organisation-wide send and receive quotas default to 10 MB. These can easily be amended via PowerShell for your organisation; however, you should take into account that if an email is sent to an external recipient whose server has a receive limit lower than the size your server is willing to send, you can expect to receive an NDR (Non-Delivery Report) saying the email was not delivered because its size was prohibited. The same applies the other way round: should an external sender try to send an email larger than your server has been set up to receive, that sender will receive an NDR. The lowest limit anywhere in the path (organisation, connector, mailbox or recipient server) is the one that wins.
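Inspecting and raising the size limits, as an added example that is not part of the original page. The 35 MB and 75 MB values are arbitrary choices for illustration, and contoso.com, admin@contoso.com and john.smith@contoso.com are placeholders. It shows both the on-premise commands (run in the Exchange Management Shell) and the Exchange Online equivalents, where the limits are per mailbox rather than organisation-wide (Exchange Online mailboxes default to 35 MB and can be raised to a maximum of 150 MB):

```powershell
# Added example (not from the original page): message size limits.
# 35MB / 75MB are arbitrary illustrative values; contoso.com is a placeholder.

# --- On-premises Exchange: organisation-wide transport limits (default 10 MB) ---
Get-TransportConfig | Select-Object MaxSendSize, MaxReceiveSize

# Raise the organisation limits; connectors and mailboxes may still be lower
Set-TransportConfig -MaxSendSize 35MB -MaxReceiveSize 35MB

# Receive and Send connectors have their own limits which must also be raised,
# otherwise the lowest limit in the path still wins and an NDR is generated
Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize 35MB
Get-SendConnector    | Set-SendConnector    -MaxMessageSize 35MB

# --- Exchange Online: limits are set per mailbox (default 35 MB, maximum 150 MB) ---
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -ShowBanner:$false

# Current limits across the tenant
Get-Mailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, MaxSendSize, MaxReceiveSize

# Raise the limits for a single mailbox
Set-Mailbox -Identity john.smith@contoso.com -MaxSendSize 75MB -MaxReceiveSize 75MB

# Raise the limits for every existing mailbox in one pass
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -MaxSendSize 75MB -MaxReceiveSize 75MB

# Make newly created mailboxes inherit the same limits via the mailbox plan(s)
Get-MailboxPlan | Set-MailboxPlan -MaxSendSize 75MB -MaxReceiveSize 75MB

Disconnect-ExchangeOnline -Confirm:$false
```

Raising your own limits does nothing for the external recipient’s receive limit, so large attachments to third parties can still bounce; the NDR in that case comes from the remote server, not from your own.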

Free/Busy on a Hybrid Migrated Users Calendar

There are some well-known limitations 

Installing Exchange 2019 On-prem
Microsoft Exchange 2019 on-prem can only be installed on a Windows Server 2019 Operating system – it is not possible to install on prior versions of Windows

Adding a Shared Mailbox to a mobile device

On-premise Exchange does not allow users to add a shared mailbox to a mobile device; however, following recent development this feature is now available to organisations and users on Microsoft Exchange Online who use the Outlook app on iOS or Android.

Migrating to Exchange 2016 from Exchange 2010
Migrating to Exchange Server 2016 is supported from Exchange Server 2010 SP3 RU 11 and Exchange Server 2013 CU10. Upgrading from earlier versions however is not supported, but it is possible to have a mix of 2010 and 2013 Exchange Server variants coexisting with Exchange Server 2016.

Email Migration to Office 365

The type of email migration to Office 365 you wish to perform determines how it is done and which tools can be used.
Typically email migration to Office 365 consists of the following:

Source Mailbox to Microsoft Exchange Online Migration
This is a Migration from an environment such as Microsoft Exchange, Google/G Suite, Lotus Notes or another 3rd party provider

Source Public Folder to Microsoft Exchange Online Migration

This is a Migration from an Existing Exchange environment whereby just the Public Folders are migrated to Microsoft Exchange Online

Source Archive Mailboxes to Exchange Online Migration
This is a Migration of any Archived Mailboxes or Archived PST files (typically within an Exchange environment) and are migrated to Exchange Online

Migration between Office 365 Tenants
This is a Migration of Mailboxes which reside in an Office 365 Tenant and need to be migrated to completely independent Office 365 Tenant

In order to perform any of the above mentioned migrations the key objectives below should be met:
a. As an IT Administrator decide upon a provisional date you want to work to for ‘Go Live’ – typically a weekend for implementing the work tends to work best with a Go Live day of a Monday morning
b. Discuss within the business your intentions, identify if there are any time restrictions or business reasons for not proceeding to the provisional date
c. Ensure you have signed up with an Office 365 Tenant and setup/associated your Domain.  
d. Send out initial communications within the business to inform them of the changes coming, downtimes and what to expect (without going into too much Technical detail)
e. Plan the migration (Users/User Mailboxes/Shared Mailboxes/Calendars/Notes/Contacts/Distribution Groups/Security Groups/Permission Access) and create a step-by-step plan of the order the migration will be actioned
f. Where possible perform a trial migration (External inbound Mail will not work until MX Records have been amended – but internally will be possible to receive)
g. Resolve any issues identified
h. Provide confirmation communications to the business of the Migration the week before Go Live including implications (which may include reconfiguring mail clients / removing old connections etc)
i.  Perform the migration
j. Confirm to the business that the migration has taken place  
k. Assist users on Go Live with any queries users may have

Proxar IT have vast experience with email migrations – we can provide assistance with consultancy or perform the whole migration from start to finish. For more information please contact us

Email migrations tools
Whether you have a legacy Exchange environment, such as Exchange 2003 or Small Business Server (SBS) 2008, or use the most recent Exchange version, such as Exchange 2019, there are many 3rd party migration tools which let you migrate all mailbox data to Microsoft Exchange Online. Many migration companies provide a range of tools to perform email migrations, and costs vary drastically depending on the vendor, the migration type being performed, the features being used and, most importantly, how many mailboxes are in scope of the migration.
It is important to understand that, whilst most 3rd party companies provide guides or videos on how to set up their tools, you will need to implement the migration yourself. Should you run into any unexpected problems whilst configuring or performing the migration, there is a good chance you will need to reach out to their support helpdesk, which usually comes at an additional cost.

For businesses using an on-premise Exchange Server, Microsoft provides its own mechanism to migrate mailboxes to Microsoft Exchange Online. In order to use this tool you must first create and configure a hybrid deployment between your on-premise Exchange Server and Microsoft Exchange Online. To do this, follow the steps below:

1.       In the EAC on an Exchange server in your on-premises organisation, navigate to the Hybrid node.

2.       In the Hybrid node, click Configure to enter your Office 365 credentials.
NOTE: If your on-premises organisation is located in China and your Office 365 tenant is hosted by 21Vianet, you must select the My Office 365 organisation is hosted by 21Vianet check box. If your Office 365 tenant is hosted by 21Vianet and this checkbox isn’t selected, the Hybrid Configuration wizard won’t connect to 21Vianet service, your Office 365 account credentials won’t be recognized and the wizard won’t complete properly.

3.       At the prompt to log in to Office 365, select sign in to Office 365 and enter the account credentials. 
NOTE: The account you log into needs to be a Global Administrator in Office 365.

4.       Click Configure again to start the Hybrid Configuration wizard.

5.       On the Microsoft Office 365 Hybrid Configuration Wizard Download page, download the wizard. When you’re prompted, click Install on the Application Install dialog.

6.       Click Next, and then, in the On-premises Exchange Server Organisation section, select Detect a server running Exchange 2013 CAS or Exchange 2016/2019. The wizard will attempt to detect an on-premises Exchange server. If the wizard doesn’t detect an Exchange server, or if you want to use a different server, select Specify a server running Exchange 2013 CAS or Exchange 2016/2019 and then specify the internal FQDN of an Exchange Mailbox server.

7.       In the Office 365 Microsoft Exchange Online section, select Microsoft Office 365 and then click Next.

8.       On the Credentials page, in the Enter your on-premises account credentials section, select Use current Windows credentials to have the wizard use the account you’re logged into to access your on-premises Active Directory and Exchange servers. If you want to specify a different set of credentials, unselect Use current Windows credentials and specify the username and password of the Active Directory account you want to use. Whichever option you choose, the account used needs to be a member of the Enterprise Admins security group.

9.       In the Enter your Office 365 credentials section, specify the username and password of an Office 365 account that has Global Administrator permissions. Click Next.

10.   On the Validating Connections and Credentials page, the wizard will connect to both your on-premises organisation and your Office 365 organisation to validate credentials and examine the current configuration of both organisations. Click Next when it’s done.

11.   On the Hybrid Domains, select the domains you want to include in your hybrid deployment. In most deployments you can leave the Auto Discover column set to False for each domain. Only select True next to a domain if you need to force the wizard to use the Autodiscover information from a specific domain. Click Next.

This domain selection step of the Hybrid Configuration wizard may or may not appear when you run the wizard. This step won’t appear if:
• You have only one on-premises accepted domain added to your Office 365 tenant. Because this is the only domain available for hybrid deployment configuration, the domain is automatically selected and the step is skipped in the wizard.
• There aren’t any on-premises accepted domains added to your Office 365 tenant. In this case, you’ll receive an error and you’ll need to add at least one domain to your Office 365 tenant before continuing. You can do this by using the Office 365 Administrative portal, or by optionally configuring Active Directory Federation Services (AD FS) in your on-premises organisation.

This step will appear if you have more than one on-premises accepted domain added to your Office 365 tenant.

12.   On the Federation Trust page, click Enable and then click Next.

13.   On the Domain Ownership page, click Click copy to clipboard to copy the domain proof token information for the domains you’ve selected to include in the hybrid deployment. Open a text editor such as Notepad and paste the token information for these domains. Before continuing in the Hybrid Configuration wizard, you must use this info to create a TXT record for each domain in your public DNS. Refer to your DNS host’s Help for information about how to add a TXT record to your DNS zone. Click Next after the TXT records have been created and the DNS records have replicated.

14.   On the Transport Certificate page, in the Select a reference server field, select the Exchange server that has the certificate you configured earlier in the checklist.

15.   In the Select a certificate field, select the certificate to use for secure mail transport. This list displays the digital certificates issued by a third-party certificate authority (CA) installed on the Mailbox server selected in the previous step. Click Next.

16.   On the Organisation FQDN page, enter the externally accessible FQDN for your Internet-facing Exchange server. Office 365 uses this FQDN to configure the service connectors for secure mail transport between your Exchange organisations. For example, enter “”. Click Next.

17.   The hybrid deployment configuration selections have been updated, and you’re ready to start the Exchange services changes and the hybrid deployment configuration. Click Update to start the configuration process. While the hybrid configuration process is running, the wizard displays the feature and service areas that are being configured for the hybrid deployment as they are updated.

18.   The wizard displays a completion message and the Close button is displayed. Click Close to complete the hybrid deployment configuration process and to close the wizard.
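A set of checks to run from the on-premises Exchange Management Shell once the wizard has finished, as an added example that is not part of the original page. It assumes contoso.com is one of the domains selected on the Hybrid Domains page, that john.smith@contoso.com is a mailbox still homed on-premises, and that the Proof property of Get-FederatedDomainProof holds the TXT value the wizard asked you to publish in step 13:

```powershell
# Added example (not from the original page): post-wizard verification from the
# on-premises Exchange Management Shell. contoso.com and john.smith@contoso.com
# are placeholders.

$publicDomain  = 'contoso.com'            # a domain selected on the Hybrid Domains page
$onPremMailbox = 'john.smith@contoso.com' # any mailbox still homed on-premises

# Step 13: the domain-proof TXT record must be visible in PUBLIC DNS, so query a
# public resolver rather than the internal DNS the server normally uses
$proof     = (Get-FederatedDomainProof -DomainName $publicDomain).Proof
$published = (Resolve-DnsName -Name $publicDomain -Type TXT -Server 8.8.8.8 -ErrorAction Stop).Strings
if ($published -contains $proof) {
    "Domain proof for $publicDomain is published"
} else {
    "Domain proof for $publicDomain NOT found in public DNS yet (replication may still be in progress)"
}

# Steps 12-13: the federation trust and the organisation relationship the wizard created
Get-FederationTrust          | Format-List Name, ApplicationUri, TokenIssuerUri
Get-OrganizationRelationship | Format-List Name, DomainNames, FreeBusyAccessEnabled, MailboxMoveEnabled, TargetAutodiscoverEpr

# Steps 14-16: the hybrid configuration object records the transport choices made in the wizard
Get-HybridConfiguration | Format-List Domains, OnPremisesSmartHost, TlsCertificateName, Features

# The transport certificate must be third-party issued, enabled for SMTP and not about to expire
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' -and -not $_.IsSelfSigned } |
    Format-List Subject, Thumbprint, NotAfter

# The connectors the wizard creates for mail flow with Exchange Online
Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' } |
    Format-List Name, SmartHosts, TlsDomain, TlsCertificateName
Get-ReceiveConnector | Where-Object { $_.TlsDomainCapabilities } |
    Format-List Name, TlsDomainCapabilities, TlsCertificateName

# OAuth between the two organisations is what free/busy lookups and mailbox moves rely on
Test-OAuthConnectivity -Service EWS -TargetUri 'https://outlook.office365.com/ews/exchange.asmx' `
    -Mailbox $onPremMailbox -Verbose | Format-List
```

If the OAuth test fails while everything else looks correct, re-run the wizard rather than hand-editing the intra-organisation connectors, since the wizard owns those objects and will overwrite manual changes.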

Email protection, security and anti-spam features

Understanding the meaning and differences between the daily used email protection terms can be a little confusing, it is therefore best to clarify what these key terms are:

Malware – this is a piece of malicious software which infects a person’s computer in order to spread itself onto other people’s devices and accounts. It can also turn the infected computer into part of a botnet, which means the cyber criminal can control it remotely and use it to send malware or spam to others.

Phishing – this is an attack designed to steal a person’s login and password details so that the cyber criminal can take control of the victim’s social network, email and online banking accounts. Surveys consistently find that a majority of internet users reuse the same password across most of the web services they use. This is why phishing is so effective: with one set of login details the criminal can access multiple private accounts and manipulate them for their own ends.

Spamming – this is when a cyber criminal sends bulk emails designed to make a victim spend money on counterfeit or fake goods. Botnets such as Rustock send the majority of spam messages, often advertising pharmaceutical products or security software which people are led to believe they need to solve a security issue that doesn’t actually exist.

With a better understanding of the key terms, what should a business be doing to ensure that the emails sent out under its identity (i.e. its Domain), and the emails it receives, are safe and secure from the above? Proxar IT recommend that, as email protection best practice, every business should make every effort to stay secure and to help reduce and prevent malware, phishing and spam.

Email protection solutions tend to build their features around these key areas, which in turn helps safeguard against threats such as impostor emails or email fraud. Email protection is deployed as a cloud or on-premises service which secures the email service by providing customisable filtering that decides what is safe and what is unwanted email. The settings available vary from vendor to vendor but generally consist of a default policy engine which gives the administrator the flexibility to amend various policies: safe and unsafe domains/IP addresses, content settings such as words within an email or attachment types which are or are not allowed, bulk mail settings, Realtime Blackhole List (RBL) subscriptions, and safe-sender and blocked-sender email address lists. The expected outcome once configured is that emails which pass through and meet the requirements are delivered to the users’ mailboxes, and emails which don’t are either rejected or quarantined. Proxar IT host our own spam protection solution; to find out more, please don’t hesitate to contact us.

As well as email protection, a business should also apply email authentication standards to its domains: SPF, DKIM and DMARC.

What is a SPF Record?

SPF – Sender Policy Framework is an open standard by which the owner of a domain publishes a public list of approved sending servers. If you use a 3rd party application such as Mailchimp to send marketing emails that appear to come from your Domain, you would include Mailchimp’s sending servers as approved senders. This is done in the form of a DNS TXT record, and by publishing it, receiving mail servers can cross-check that the email originated from a server that has permission to send on your Domain’s behalf. If the message originates from a server that is not included in your SPF record, the receiving server can consider it a fake and treat it according to the policy qualifier specified in the SPF record (for example -all to fail or ~all to soft-fail unlisted senders).

What is a DKIM Record
DKIM – DomainKeys Identified Mail is an authentication method designed to detect forged sender addresses in emails.

A sender creates the DKIM signature by “signing” the email with a digital signature, which is carried in the message’s DKIM-Signature header. The sending mail transfer agent (MTA) computes a hash of the message body and of the selected headers, and signs that hash with the domain’s private key. The signature header names the signing domain (the d= tag) and the selector (the s= tag).

The matching public key is published as a DNS TXT record under selector._domainkey.domain, so it is available to anyone but can only be published by whoever controls the domain’s DNS. After receiving the email, the recipient MTA retrieves that public key from DNS, uses it to verify the signature, and recalculates the hashes for the message it actually received. If the signature verifies and the hashes match, the email has not been altered since it was signed and was signed with a key under the listed domain’s control, giving users some assurance that it did originate from that domain.

What is a DMARC Record?

DMARC – Domain-based Message Authentication, Reporting and Conformance is a DNS record which should be added to a Domains public DNS.  DMARC defines what an email receiver should do with non-aligned mail which it receives with the purpose to detect and prevent email spoofing based upon a policy. 

How does this work?

In order to use a DMARC DNS record, the sending domain needs at minimum an SPF record and ideally also a DKIM record published in its public DNS (depending on business requirements). DMARC can pass on either one, but publishing both is recommended because SPF breaks when mail is forwarded while a DKIM signature usually survives forwarding intact.

1. SPF (Sender Policy Framework) – a DNS record in which you specify which IP addresses and/or hostnames are authorised to send emails for your domain

2. DKIM (DomainKeys Identified Mail) – a DNS record holding the public key with which receivers verify the digital signature that links a message to the domain name, allowing forged sender addresses to be detected

Once the SPF/DKIM record(s) are in place, the DMARC record acts as a public DNS policy for the domain which defines a number of features/rules:

(i). The DMARC version (v=DMARC1, which must be the first tag)

(ii). The policy (p=) the domain owner asks receivers to apply to mail that fails DMARC: none (monitor only, deliver normally), quarantine (treat as suspicious, typically deliver to junk) or reject (refuse the message); sp= can set a separate policy for subdomains

(iii). Which email address(es) receive aggregate DMARC reports (rua=), the periodic XML summaries receivers send of who is sending mail claiming to be from the domain and whether it passed

(iv). Which email address(es) receive forensic DMARC failure reports (ruf=), per-message reports that only some receivers send

(v). The percentage of failing mail to which the domain owner would like the policy applied (pct=), which allows a gradual rollout from p=none through quarantine to reject

(vi). Optionally, the alignment mode for DKIM (adkim=) and SPF (aspf=): r (relaxed, the default) or s (strict)

What gets checked?

For SPF, the domain in the message's From header must align with the Return-Path (envelope MAIL FROM) domain for which SPF passed

For DKIM, the domain in the message's From header must align with the d= domain of a DKIM signature that verified

Alignment is relaxed by default: the organisational domains must match, so a Return-Path of bounce.contoso.com aligns with a From address at contoso.com. With strict alignment (aspf=s / adkim=s) the domains must match exactly. It is therefore not enough for SPF or DKIM to pass on its own; the domain that passed must also align with the domain in the From address. DMARC passes if either the SPF check or the DKIM check passes with alignment, and otherwise the receiver applies the p= policy. This is the check that catches a forged From header sent through a sender's own, perfectly valid SPF/DKIM setup for some other domain.
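The following is an added example, not code from the original page, and it serves both the SPF description above and the DMARC alignment checks just listed. It evaluates an SPF record (ip4, ip6, include and the all qualifiers) against a connecting IP, parses a DMARC record, and combines the two with identifier alignment into a DMARC verdict. All DNS answers are a constructed in-memory table for the hypothetical domains contoso.example and mailer.example (standing in for a third-party bulk sender), and the DKIM result is passed in as an input because signature verification is a separate step.

```python
import ipaddress

# Constructed DNS TXT answers for hypothetical domains (not real records).
DNS_TXT = {
    "contoso.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "mailer.example": "v=spf1 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.contoso.example": (
        "v=DMARC1; p=quarantine; pct=100; adkim=r; aspf=r; "
        "rua=mailto:dmarc-agg@contoso.example; ruf=mailto:dmarc-ruf@contoso.example"
    ),
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Returns pass / fail / softfail / neutral / none as in RFC 7208. Only the
    ip4, ip6, include and all mechanisms are implemented; a, mx and ptr need
    live DNS. `depth` caps include recursion (the RFC limit is 10 lookups).
    """
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == addr.version and addr in net
        elif mech == "include":
            # include matches only when the referenced record itself yields "pass"
            matched = spf_check(ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there was no "all" term


def org_domain(domain: str) -> str:
    # Simplification: the last two labels. Real implementations consult the
    # Public Suffix List so that names like contoso.co.uk are handled correctly.
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(domain: str) -> dict:
    """Fetch and parse the DMARC policy for `domain`, falling back to the
    organisational domain as RFC 7489 requires for subdomains."""
    for name in (domain, org_domain(domain)):
        record = DNS_TXT.get("_dmarc." + name.lower(), "")
        if record.startswith("v=DMARC1"):
            tags = {}
            for part in record.split(";"):
                key, _, value = part.strip().partition("=")
                if key:
                    tags[key.strip()] = value.strip()
            return tags
    return {}


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    only needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_check(from_domain, return_path_domain, client_ip, dkim_result="none", dkim_d=None):
    """Combine SPF, DKIM and alignment into a DMARC verdict and disposition."""
    policy = parse_dmarc(from_domain)
    if not policy:
        return {"result": "none", "disposition": "none"}
    spf_aligned = (spf_check(client_ip, return_path_domain) == "pass"
                   and aligned(from_domain, return_path_domain, policy.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass" and dkim_d is not None
                    and aligned(from_domain, dkim_d, policy.get("adkim", "r")))
    passed = spf_aligned or dkim_aligned
    # pct= asks receivers to apply the policy to only that share of failing
    # mail; the random sampling is not modelled here.
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else policy.get("p", "none"),
        "pct": int(policy.get("pct", "100")),
        "aggregate_reports_to": policy.get("rua"),
        "failure_reports_to": policy.get("ruf"),
    }


if __name__ == "__main__":
    # Corporate relay: SPF passes and aligns.
    print(dmarc_check("contoso.example", "contoso.example", "203.0.113.5"))
    # Third-party sender using its own bounce domain: SPF passes for
    # mailer.example but does not align, so DMARC fails unless DKIM is signed
    # with d=contoso.example.
    print(dmarc_check("contoso.example", "mailer.example", "198.51.100.10"))
    print(dmarc_check("contoso.example", "mailer.example", "198.51.100.10", "pass", "contoso.example"))
    # Spoof from a host the record does not list.
    print(dmarc_check("contoso.example", "contoso.example", "192.0.2.7"))
```

The second and third cases in the usage block are the ones that catch people out in practice: a marketing platform that is listed in the SPF record but uses its own Return-Path domain only passes DMARC once it signs with a DKIM key for your domain, which is why providers ask you to publish their selector under your _domainkey namespace.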

Authentication and single sign on

Email authentication, in the mailbox sense, is the process of presenting credentials to prove that you are allowed to access a mailbox or mail server. Accessing a mailbox will require at minimum a username and a password, although more businesses now also require Multi-Factor Authentication (MFA). Usernames vary depending on the mail server but are often in the format of an email address, a name or a number (e.g. John.Smith | JohnSmith | 201900003) or a domain username (e.g. DOMAIN\Username – CONTOSO\John.Smith). Once authentication has taken place the user can utilise functionality

Single Sign-On (SSO) is a system that enables users to securely authenticate with multiple applications and websites by logging in only once, with a single set of credentials, generally a username and password plus, ideally, Multi-Factor Authentication (MFA) to improve security.

With SSO, the application or website that the user is trying to access relies on a trusted third party (the identity provider) to verify that users are who they say they are. For Office 365 email in the hybrid scenario described on this page, that identity provider is typically Microsoft AD FS (Active Directory Federation Services); Azure AD can also authenticate synced users directly through password hash synchronisation or pass-through authentication without a federation server.

In addition to SSO, there is also federated SSO, where a trust relationship is established and maintained between organisations so that users from each organisation can gain access to one another's web properties. The user receives an authentication token which is trusted across the organisations, so the user does not need to create a separate account with every organisation in the federation to access its web properties and applications.

How does SSO work with Email?

Authentication requests and information are passed using standard, secure protocols such as SAML, WS-Federation or OAuth 2.0/OpenID Connect. The websites requesting authentication have a trust relationship with the SSO solution, and trust relationships exist between the SSO solution and the identity providers. A trust relationship means that one domain accepts another's statements about user identities, devices and access privileges, which is why the relying application must verify that each token really was signed by the trusted issuer, is addressed to that application and is still within its validity period. The example below describes how this process works when a user connects to Office 365 webmail from a domain-joined PC:

1. A user logs on to a domain-joined device; during the logon process the user provides a correct username and password and is authenticated to the infrastructure by Active Directory (AD)
2. Now that the user is logged on to the domain-joined device, the user opens a web browser and browses to the Office 365 webmail site
3. The website checks whether the user is already authenticated and, because the user's domain is federated, redirects the browser to the organisation's AD FS service
4. The AD FS service authenticates the user against the organisation's AD (for a domain-joined device this can happen transparently with the existing Windows logon)
5. Upon successful authentication, the AD FS service issues the user a signed claims token
6. The user's web browser forwards the claims token to the target application, which grants or denies access after validating the token against the federation trust that was configured between the organisation and Office 365 in advance
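To make steps 4 to 6 concrete, the following added example (not code from the original page, and not Microsoft's implementation) models the two sides of the federation trust: an identity provider that authenticates a user against a constructed directory and issues a claims token addressed to one relying party, and a relying party that accepts the token only after checking issuer, signature, audience and validity window. The issuer URL, audience URNs, user and key are all hypothetical, and an HMAC stands in for the X.509 signature AD FS would apply so the example runs offline; the checks the relying party performs are the same ones that matter in the real protocol.

```python
import hashlib
import hmac
import json
import secrets
import time

# ---- Identity provider side (the AD FS role) --------------------------------
# Constructed directory entry: salted password hash for a hypothetical user.
_SALT = b"constructed-salt"
DIRECTORY = {
    "john.smith@contoso.example": hashlib.sha256(_SALT + b"Winter2024!").hexdigest(),
}
IDP_ISSUER = "https://adfs.contoso.example/adfs/services/trust"
# Stand-in for the token-signing certificate. A real IdP signs with an
# asymmetric key so relying parties only ever hold the public half.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
# Relying-party trusts configured on the IdP; tokens are only issued for these.
RELYING_PARTIES = {"urn:federation:MicrosoftOnline", "urn:contoso:intranet"}


def idp_authenticate(upn: str, password: str) -> bool:
    """Step 4: check the user's credentials against the directory."""
    digest = DIRECTORY.get(upn.lower())
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return digest is not None and hmac.compare_digest(candidate, digest)


def idp_issue_token(upn: str, password: str, audience: str, lifetime: int = 3600):
    """Step 5: on success, issue a signed claims token for one relying party."""
    if audience not in RELYING_PARTIES or not idp_authenticate(upn, password):
        return None
    now = int(time.time())
    claims = {"iss": IDP_ISSUER, "aud": audience, "upn": upn,
              "nbf": now, "exp": now + lifetime, "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims,
            "sig": hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()}


# ---- Relying party side (the Office 365 role) -------------------------------
TRUSTED_ISSUERS = {IDP_ISSUER: IDP_SIGNING_KEY}   # the federation trust
MY_AUDIENCE = "urn:federation:MicrosoftOnline"


def rp_validate_token(token: dict, now=None):
    """Step 6: accept the token only if a trusted issuer signed it, it is
    addressed to us and it is inside its validity window."""
    now = int(time.time()) if now is None else now
    claims = token["claims"]
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return False, "untrusted issuer"
    payload = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "signature does not verify (claims altered or forged)"
    if claims.get("aud") != MY_AUDIENCE:
        return False, "token issued for a different relying party"
    if not claims["nbf"] <= now < claims["exp"]:
        return False, "token expired or not yet valid"
    return True, claims["upn"]


if __name__ == "__main__":
    token = idp_issue_token("john.smith@contoso.example", "Winter2024!", MY_AUDIENCE)
    print(rp_validate_token(token))                 # (True, 'john.smith@contoso.example')
    forged = {"claims": dict(token["claims"], upn="admin@contoso.example"), "sig": token["sig"]}
    print(rp_validate_token(forged))                # (False, 'signature does not verify ...')
```

The audience check is the one most often missing in home-grown integrations: without it a token the IdP issued for the intranet application could be replayed against the mail service, since it carries the same signature and the same user.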

Common issues

Common issues when migrating to Microsoft Exchange Online
Unable to install the Microsoft Hybrid Tool
– You must ensure that your on-premises Exchange server is up to date and running the latest Cumulative Update (CU), and that Windows PowerShell is available at version 2.0 at minimum and preferably the latest version.
– The administrator account you are going to use should have a mailbox.
– If you are going to use a dedicated proxy, the netsh command should be used to set the WinHTTP proxy so that the application can reach Office 365 (WinHTTP does not pick up the browser's proxy settings by itself). For example, if the proxy settings are already configured in Internet Explorer, run the following from an elevated PowerShell or command prompt to have WinHTTP use the same proxy: netsh winhttp import proxy source=ie

Connecting to Remote Server Failed with the following error message: The SSL Connection Cannot be Established
This and similar errors are usually encountered when the application tries to connect to remote PowerShell in Office 365. Verify that you can connect to Office 365 manually via remote PowerShell from the same system; if you cannot, the likely causes are incorrect credentials, insufficient rights (the account being used is not a Global Administrator) or a firewall or proxy blocking the connection. On older servers this error can also mean the system is trying to negotiate TLS 1.0 or 1.1, which Exchange Online no longer accepts; make sure TLS 1.2 is enabled for .NET and SChannel on the server running the tool.

Upload of Message Failed: ErrorMissingEmailAddress
This indicates that the Office 365 account being used does not have a mailbox, or that the wrong type of admin account is being used (e.g. a Password or Billing administrator rather than a Global Administrator).

Problems processing Mailbox "IMAPIOfflineMgr is not available"
When exporting mailboxes you should be prompted for credentials, and when prompted you must select the option to save the credentials. Other reasons this can occur are that an Outlook profile cannot be created for the administrator account on the server, or that the administrator account specified on the remote PowerShell connection screen does not have a mailbox in Office 365.

Endpoint MRS Proxy
When performing a migration to Microsoft Exchange Online with the Microsoft Hybrid tool you may find that creating a migration endpoint (MRS Proxy) between the two infrastructures fails. This is likely to be due to one of the following:

Your Exchange server still has the default setting that disables the MRS Proxy on the EWS virtual directory. If this is the case you can enable it by running the following command in the Exchange Management Shell (an IIS reset may be needed before the change takes effect):
Set-WebServicesVirtualDirectory -Identity "YourServer\EWS (Default Web Site)" -MRSProxyEnabled $true
The DNS name being used for your endpoint has not been published in your public DNS (it has only been published on your internal DNS server(s)), so Office 365 cannot resolve it.
A local firewall is blocking access; the network administrator can confirm that ports 443 and 80 are reachable from the Internet on the EWS endpoint, and that the certificate presented on port 443 is publicly trusted, since Office 365 will not connect to an endpoint with a self-signed or internal CA certificate.

Migrating a Mailbox: Invalid Target Address

When migrating a mailbox you may get an 'Invalid Target Address' error. This means that the user account or shared mailbox being migrated does not have a target address set in its targetAddress attribute in Active Directory. You will need to go to AD and amend the attribute to include an address. The address should be in the format (e.g.

Username within Office 365 doesn't have the correct username
Typically this happens if you have not amended the User Principal Name (UPN) in AD for the synced object. This can be done by opening the account in question, clicking the Account tab and changing the drop-down to the right of the user logon name so that it reflects the correct address. Should the required UPN suffix not exist, it will need to be added (in Active Directory Domains and Trusts) before it appears in the drop-down. The suffix must also be a verified domain in your Office 365 tenant; otherwise the synced user is given the tenant's default onmicrosoft.com UPN instead.

The most common reason for a PST import failing to read the file is that a user still has the PST file open and the Office 365 Exchange Migration tool is unable to read from it (only one process can have a PST open at a time). The other reason this can occur is a slow disk, so that the Office 365 Exchange Migration tool cannot read from or write to the disk quickly enough.

This can happen for a number of reasons. If you are trying to import a PST and the error includes the code ulContext: 805700609, the likely cause is that the PST file is password protected; you must remove the password from the PST before importing it.

Migration of Hybrid Mailbox takes a long time
Even on a fast connection, the most you will be able to upload from a single instance of the Office 365 Exchange Migration tool is around 500 MB to 1 GB per hour. This is due to throttling imposed by Office 365, so running more instances in parallel, rather than a faster link, is the way to shorten a large migration.

Some of my emails haven't been migrated
For a hybrid migration, the message size limit in Office 365 is 30 MB, and in practice messages over 25 MB cannot be uploaded by the tool. Those messages are placed in a directory named OverSize, which can be found within the log file directory, so they can be reviewed and handled manually.