Configuring Amazon DNS/SES to work with Microsoft Business Exchange when Amazon is NOT using WORKMAIL

Configure Amazon SES to work with Microsoft Exchange (for business)

If you have an EC2 instance using SES, and you need system mailboxes like admin@mydomain.com, postmaster@, abuse@ and so on, but you do not have a formal mail service like WorkMail, you may wish to add Microsoft Business Email (Exchange) as a separate service for client email rather than using Amazon’s WorkMail. Your Exchange service could have a single license for one mailbox, such as admin@mydomain.onmicrosoft.com. If you have only the one license, remember to add your tax ABN to the MS account details.

Once you have this, you add a remote domain, e.g. mydomain.com. Then you can add an alias, such as user@mydomain.com, to the single licensed mailbox.

MS Exchange will give you DNS records that you add to Amazon’s Route53.

These are self-explanatory. You can either host all the DNS on Amazon as the controlling DNS service, or point the DNS at another party that you use as the controlling service. You add the DNS records with whoever controls the zone.

One may note, however, as an aside, that if your DNS service does not support CAA records, the most you would get for an SSL certificate rating for your website is a B. (The most you want is an A rating, not an A+ rating.)

Here is an example of some of the DNS records; you will have others, and with different values to these.
(I use xxxxxx for values I don’t want you to see. Note: Microsoft will say to use higher TTL values, but we will stick with Amazon’s default of 300 seconds, or 5 minutes.)

Name                        Type   Routing  TTL   Value
mydomain.com                MX     Simple   300   0 mydomain-com.mail.protection.outlook.com.
                                                  10 inbound-smtp.us-west-2.amazonaws.com.
mydomain.com                TXT    Simple   300   "v=spf1 include:amazonses.com include:spf.protection.outlook.com ~all"
                                                  "MS=msxxxxxx"
                                                  "google-site-verification=xxxxxx"
autodiscover.mydomain.com   CNAME  Simple   300   autodiscover.outlook.com.

Note the critical values above: Outlook’s mail.protection MX host, the way the SPF record is written as a single TXT value that includes both senders (the existing Amazon include will only be there if you had already set up SPF on Amazon, which you may not have done), and the MS= verification record.

Your DNS service may take care of the trailing dots after each host name for you, but you need to be aware of how to add the records correctly.
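Before cutting mail over, it is worth checking that the records the resolvers actually see match the table above. The following is an added example (not from the original post) that queries the live zone with Resolve-DnsName and flags the common mistakes: the lowest-preference MX not being the Outlook host, a second v=spf1 TXT record left next to the merged one (two SPF records is a PermError under RFC 7208, so receivers treat the domain as having no SPF), too many SPF lookups, and a missing autodiscover CNAME. The domain and host names are the post’s placeholders and are assumptions here.

```powershell
# Added example: verify the mail DNS for the domain in the post's Route53 table.
# $Domain and $MxHost are the post's placeholder values; substitute your own.
$Domain   = 'mydomain.com'
$MxHost   = 'mydomain-com.mail.protection.outlook.com'
$Includes = 'include:spf.protection.outlook.com', 'include:amazonses.com'
$Findings = @()

# MX: the lowest preference value wins, so it must be the Outlook host or Exchange
# never sees the mail (the SES inbound host can stay at a higher number as in the post).
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
      Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference
if (-not $mx) { $Findings += 'No MX record published' }
elseif ($mx[0].NameExchange.TrimEnd('.') -ne $MxHost) {
    $Findings += "Lowest MX is $($mx[0].NameExchange), expected $MxHost"
}

# SPF: exactly one v=spf1 TXT record is allowed per name. Long values can be split
# into several strings, so join them before inspecting.
$spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
       Where-Object { $_.Type -eq 'TXT' } |
       ForEach-Object { $_.Strings -join '' } |
       Where-Object { $_ -like 'v=spf1*' }
if (@($spf).Count -ne 1) {
    $Findings += "Found $(@($spf).Count) SPF records, need exactly 1"
} else {
    $terms = $spf -split '\s+'
    foreach ($i in $Includes) { if ($terms -notcontains $i) { $Findings += "SPF lacks $i" } }
    # include, a, mx, ptr, exists and redirect each cost a DNS lookup; more than 10 is a PermError.
    $lookups = @($terms | Where-Object {
        $_ -match '^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)' }).Count
    if ($lookups -gt 10) { $Findings += "SPF needs $lookups lookups, limit is 10" }
}

# Autodiscover: Outlook clients locate the tenant through this CNAME.
$ad = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
      Where-Object { $_.Type -eq 'CNAME' }
if (-not $ad -or $ad.NameHost.TrimEnd('.') -ne 'autodiscover.outlook.com') {
    $Findings += 'autodiscover CNAME missing or not pointing at autodiscover.outlook.com'
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { 'Mail DNS is consistent with the Exchange/SES layout.' }
```

Run it again after the TTL (300 seconds) has passed following any change, since a stale answer from the local resolver will otherwise hide the fix.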

Now, here is the thing: emails will no longer be processed by Amazon. They will go to Microsoft (or whoever your Exchange provider is, for instance Rackspace or someone else).

If you had previously set up Amazon to handle basic SES inbound emails, with S3 bucket(s) and Lambda functions, these can stay, but they will no longer be touched as incoming emails are processed. You can verify this by looking at the CloudWatch logs or the S3 bucket(s) that used to receive those emails.

Once emails go to Exchange, it will only accept from the outside world mail addressed to your alias, user@mydomain.com. What happens with admin@?

This is tricky, as there is a lack of examples or documentation on the Internet to help work this out, but all the pieces are available to us.

Needless to say, the many Admin and Exchange screens are difficult to find, so you just have to search around for them once logged in.

Keep in mind that the MS Account top right user icon can be clicked on to take you to your account and deal with payments.

But prior to your alias being set up, you would log into MS with your initial account name, e.g. admin@mydomain.onmicrosoft.com.

Once the alias is set up, you log in with the alias as the account name.

You will need to set up two-factor authentication and a mobile number at some stage within 14 days.

First, though, find the license and set up your alias.

In the Exchange admin center, find “Mail flow” and, under Accepted domains (you would need to already have configured your domain in remote domains), you will see these two entries:

mydomain.com (default domain)
mydomain.onmicrosoft.com

Edit BOTH of these to change the Domain Type to Internal relay. This allows external email to addresses other than your alias to be accepted.

Still in the Exchange admin center, under Mail flow click on Rules.

Here is where you add rules for each external email address, such as postmaster@ and so on.

This is tricky. What you must end up with are these values (I will show postmaster@ as the example; you may want to include admin@, abuse@, noreply@, webmaster@):

If the message…
    Is sent to ‘postmaster@mydomain.com’
    and Is received from ‘Outside the organization’
Do the following…
    Set the spam confidence level (SCL) to ‘-1’
    and Redirect the message to ‘MYEMAIL@gmail.com’
Rule mode
    Enforce

You can get tripped up if you have the “sent to” and “received from” entries mixed up.

The redirect can go anywhere you want. As a website administrator, you might use admin@mydomain.com with a redirect to the administrative Gmail address you use for that client.

This method does not use “connectors”.

If you get the configurations wrong, MS Exchange will send you an error report.
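The same accepted-domain and mail flow rule settings can be applied from Exchange Online PowerShell, which is easier to repeat for several system addresses and to read back afterwards. This is an added example, not from the original post or from Microsoft: it assumes the ExchangeOnlineManagement module is installed, and the domain, tenant name, address list and redirect target are the post’s placeholders.

```powershell
# Added example: the post's Exchange admin center steps as Exchange Online PowerShell.
# Domain, tenant domain, prefixes and redirect target are placeholders; replace them.
Connect-ExchangeOnline

$Domain         = 'mydomain.com'
$TenantDomain   = 'mydomain.onmicrosoft.com'
$RedirectTo     = 'MYEMAIL@gmail.com'          # where external system mail should land
$SystemPrefixes = 'postmaster', 'admin', 'abuse', 'noreply', 'webmaster'

# Step 1: both accepted domains become Internal relay, so mail to an address that is
# not a mailbox or alias is not rejected before the rules below can act on it.
foreach ($d in $Domain, $TenantDomain) {
    Set-AcceptedDomain -Identity $d -DomainType InternalRelay
}

# Step 2: one rule per system address. -FromScope NotInOrganization is the
# "received from Outside the organization" condition; -SentTo is the recipient.
# Swapping the two is the mix-up the post warns about.
foreach ($p in $SystemPrefixes) {
    $address = "$p@$Domain"
    New-TransportRule -Name "Redirect $address" `
        -SentTo $address `
        -FromScope NotInOrganization `
        -SetSCL -1 `
        -RedirectMessageTo $RedirectTo `
        -Mode Enforce
}

# Step 3: read back what was created, so a wrong condition is caught here rather
# than by waiting for Exchange to send an error report.
Get-AcceptedDomain | Format-Table DomainName, DomainType -AutoSize
Get-TransportRule | Where-Object Name -like 'Redirect *' |
    Format-Table Name, State, Mode, SentTo, FromScope, SetSCL, RedirectMessageTo -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```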

Now, it is possible to go into the Outlook web application and configure email forwarding, or other details, if you need that.

You can configure your mobile phone or PC by requesting the configuration for Microsoft Exchange, rather than working through individual SMTP settings. If you want that manual configuration, you can get the values from one of the Exchange admin screens; somewhere!

However, when configuring your mobile phone, you may get an error when trying to select the Microsoft account type, in which case you can manually enter the account login, e.g. user@mydomain.com. You will of course need the password for that account.

MS clients no longer appear to allow you to move emails between services. So your PC MS Outlook application may let you configure Gmail as one account and Outlook as another, but you can’t drag and drop between the two.

MS Outlook no longer permits local PC folders either; everything is in the cloud. You can get third-party apps like eM Client that do allow local folders and drag and drop.

Note: your system-generated emails, such as those sent from crontab or shell scripts, will still work with Postfix. The emails still go to Microsoft, without any processing by SES, CloudWatch logs, etc.

Some things to keep in mind about MS Outlook

When you have a single license for MS Exchange, this is not the Outlook app. You still need a license for Outlook, which you probably have.

Do not use the Windows 10 Mail app, as it does not have sufficient functions.

Outlook will allow you to have multiple accounts, local PC folders if you wish, and the ability to drag and drop between accounts or the local folder(s).

These are some notes from Microsoft support on using local folders:

What this is basically saying is that you import any .pst (or .olm) file (you can create one) and then edit that data file to hold whatever you want in your local folders.