
Switch from on-premises relay to cloud based relay


Hello everyone,


I have a fully working Hybrid Deployment with Exchange 2010 and decentralized on-premises based relay (MX points to on-premises). What would be the steps to switch to cloud-based relay (MX points to cloud)?


I have seen the following page:


But I would like to confirm if these steps are for new deployments or are also valid for switching from on-premises MX to cloud MX.




All Replies
  • Hi Carlos,

    It doesn't matter if it's a new deployment or not. As long as all the required configurations have been set, you will be safe to point the MX record to the cloud.

    The key point is to check the deployment guide from the Exchange Deployment Assistant and compare it with your current configuration, to make sure your current configuration matches the guide, as the previous cloud-based relay guide is based on the Exchange Deployment Assistant.

    Lester Zhang

  • Ok, the implementation has followed the EDA perfectly, so it should be a breeze to change the MX to the cloud and continue with the hybrid scenario. I will try the steps at non-peak hours and report back to this thread :)

    Thank you!

  • Hi Carlos,

    Before changing the MX record, it's recommended to set the TTL value to a low number, like 5 minutes if it's possible.

    Hope everything will go well.

    Lester Zhang

  • Hi Carlos,

    I’m writing to follow up on the previous thread. How is the switch going?

    Lester Zhang

  • Thanks for the follow up. The switch is scheduled for this Saturday. I think I'll be able to report back next week.

  • Finally, the change to the MX was made according to the instructions in

    Cloud-based users are receiving mail perfectly, but not on-premises users. If an email is sent to them, the message is returned with an NDR that shows the following error: #< #5.4.6 smtp;554 5.4.6 Hop count exceeded - possible mail loop> #SMTP#


    What could be wrong? It came to my attention that the 4 steps in the MX to Cloud guide don't seem to do anything regarding mail transport from cloud to on-premises.

  • Hi Carlos,

    Did this get resolved? I'm about to make the same switch and would like to avoid this or other issues, of course.

    Thanks in advance.

  • I have the exact same problem. I followed the instructions and I'm receiving the same "hop count exceeded" NDR. Did you find any solution to this?

  • I was not able to solve the issue. I'm still experiencing "5.4.6 Hop count exceeded".

  • Run the following commands using Windows PowerShell (replace "domain" with your email domain):

    Set-AcceptedDomain domain -OutboundOnly $true

    Set-AcceptedDomain domain -OutboundOnly $false

  • So, how is everyone making this work if you can't edit the Hybrid Mail Flow connectors in FOPE?

    Are you just removing the hybrid connectors and recreating them by hand with the needed changes?

  • Yes. I actually found that the connectors created by the Hybrid Configuration Wizard weren't actually enforced in FOPE, so they weren't applied to any domains. I initially configured the hybrid deployment with Exchange 2010 SP1 and then "upgraded" the deployment with the Hybrid Configuration Wizard, so that may have caused a problem.


    To get cloud-based relay to work, I made sure the Hybrid Mail Flow connectors weren't applied anywhere, and then I created a new Outbound Connector:

    Recipient Domains: (all domains that exist in the on-premises Exchange environment)

    Message delivery settings: My multi-smtp profile (the multi-smtp profile contains the IP addresses that Office 365 will use to send e-mail to Exchange on-premises. You can't use DNS names here, you need IPs).

    TLS Settings: Forced TLS, certificate matches domain


    I enforced it so that it applies to all domains in the tenant. I didn't create an Inbound Connector, because e-mail from my Exchange on-premises organization is being sent directly to the internet. If you want to take advantage of FOPE outbound scanning or policy-based encryption, you would need an Inbound Connector.

    I also configured my network firewall to block all SMTP traffic that doesn't originate from FOPE servers. You can find FOPE's outbound IP addresses if you go to the Information tab and then click on Configuration. This step helps to eliminate a lot of spam if you had an MX record previously pointing to the IPs that Exchange is using.

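To see which two systems are handing a message back and forth when the "5.4.6 Hop count exceeded" NDR from this thread appears, the Received headers of the returned message can be read in order. The following is an added example, not part of the original thread; the host names, IP addresses and sample headers are constructed placeholders.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample (not from the thread): a message that bounced between a
# hypothetical cloud relay and a hypothetical on-premises server.
# Received headers are prepended, so the newest hop is at the top.
SAMPLE = """\
Received: from onprem.example.com (198.51.100.5) by cloud-relay.example.net with SMTP; Sat, 1 Jan 2022 10:00:08 +0000
Received: from cloud-relay.example.net (203.0.113.10) by onprem.example.com with SMTP; Sat, 1 Jan 2022 10:00:06 +0000
Received: from onprem.example.com (198.51.100.5) by cloud-relay.example.net with SMTP; Sat, 1 Jan 2022 10:00:04 +0000
Received: from cloud-relay.example.net (203.0.113.10) by onprem.example.com with SMTP; Sat, 1 Jan 2022 10:00:02 +0000
Received: from sender.example.org (192.0.2.25) by cloud-relay.example.net with SMTP; Sat, 1 Jan 2022 10:00:00 +0000
From: someone@example.org
To: user@example.com
Subject: test

body
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def received_hops(raw_message):
    """Return (from_host, by_host) pairs, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def find_loop(hops, min_repeats=2):
    """Return the handoffs that occur at least min_repeats times.

    A healthy delivery path passes each (from, by) pair once; a repeated
    pair means two systems each believe the other owns the recipient.
    """
    counts = Counter(hops)
    return {pair: n for pair, n in counts.items() if n >= min_repeats}


if __name__ == "__main__":
    for (src, dst), n in find_loop(received_hops(SAMPLE)).items():
        print(f"{src} -> {dst} seen {n} times")
```

A pair that repeats in both directions points at the connector or accepted-domain setting on whichever side should have delivered locally.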