Setting up an Unauthenticated Mail Relay

Upcoming Microsoft 365 changes are anticipated to break MFP scan-to-email functionality beginning March 1, 2026. Learn more about the change and the next steps for setting up an unauthenticated mail relay.

If you are reading this article, you have likely read our blog post describing the authentication changes to the Microsoft O365 environment that deprecate the Basic Auth methods used in scan-to-email functions before March 1, 2026.

As of summer 2025, an SMTP mail relay is the middle-ground solution between usability and security that allows organizations to continue to use the email functions of their multifunction devices. Continue reading for key facts and instructions on setting up the relay.

Key Facts About Unauthenticated SMTP Relay:

  • Security Considerations: Despite being called “unauthenticated,” this relay method is still secure because it only allows access from explicitly permitted IP addresses. It only accepts mail from known internal systems, and all transmissions use TLS encryption to safeguard the data during delivery.
  • Support for Legacy Devices: Using this method allows devices like multi-function printers (MFPs) to keep using scan-to-email features, even after Microsoft disables basic authentication for Office 365.
  • How It Works: A device or application inside your network sends messages using an SMTP connector that routes mail through Microsoft 365 to recipients within your organization.
  • Authentication Method: Rather than authenticating with a username and password, the connector verifies senders based on their IP address, effectively whitelisting approved systems.
  • Licensing: This approach does not require a Microsoft 365 or Office 365 mailbox license to send messages.
  • Delivery Risks: If your sending IP is added to a spam blacklist, email delivery may fail or be delayed.
  • Network Requirements: You need to use static, dedicated public IP addresses that are not shared with other organizations.

Setting up an MFP for Direct Send to M365 Exchange Online

Here are the prerequisites needed:

  • Access to the SMTP configuration page on the copier.
  • DNS MX record or delivery address for your email domain.
  • Public NAT IP address the copier will use to access the delivery address.
  • Ability to modify the public DNS SPF record for your domain, OR add the public NAT IP of your copier to an allow list on your mail server or mail filter.

Follow these steps:

  1. Log in to the copier as an administrator or other user with permission to make configuration changes.
  2. Navigate to the SMTP settings for the copier’s scan-to-email feature.
  3. Under “SMTP server”, enter the address of your public DNS MX record. This information can be found in your public DNS zone or by using the tool at DNStoolbox.com.
    1. The address will usually be something like “ASPMX.L.GOOGLE.com” or “mail.protection.outlook.com”.
    2. If you have a spam filtering service, it may be something like: “d267sd17a.ess.barracudanetworks.com”
  4. Remove any selections from any fields or checkboxes regarding SMTP authentication, including “pop before SMTP”.
  5. Do one of the following:
    1. Access your public DNS settings and add your copier’s public NAT IP address to the SPF record for the zone that the copier’s sending email address belongs to.
    2. Log in to your mail hosting configuration and add the copier’s public NAT IP address to the global allow list.
  6. NOTE: If outbound connection blocking is enabled on your Local Area Network (LAN), you may need to configure your firewall to allow the copier to make outbound TCP port 25 connections. 
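
A check for step 5.1, as an added example that is not part of the original article: it parses an SPF TXT record and reports whether the copier's public NAT IP is covered by a literal ip4:/ip6: mechanism, and flags records that authorize far more than that one address. The sample records, the address 203.0.113.10, the function name `check_spf` and the `MAX_ADDRESSES` threshold are assumptions made for illustration.

```python
import ipaddress

MAX_ADDRESSES = 16  # assumed review threshold for an over-broad range, not from the article

def check_spf(record, sender_ip):
    """Check whether sender_ip is covered by a literal ip4:/ip6: mechanism.

    Mechanisms that need DNS lookups (include, a, mx, ...) and modifiers are
    not evaluated here; they are returned so a reviewer can follow them up.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    report = {"authorized": False, "all": None, "not_evaluated": [], "warnings": []}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # no qualifier means "+" (pass)
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if qualifier == "+" and net.version == ip.version and ip in net:
                report["authorized"] = True
            if net.num_addresses > MAX_ADDRESSES:
                report["warnings"].append(f"{term} authorizes {net.num_addresses} addresses")
        elif name == "all":
            report["all"] = qualifier
            if qualifier in "+?":
                report["warnings"].append(f"'{term}' does not reject unlisted senders")
            break  # mechanisms after 'all' are never evaluated
        else:
            report["not_evaluated"].append(term)
    return report

# Constructed sample records; 203.0.113.10 stands in for the copier's public NAT IP.
COPIER_IP = "203.0.113.10"
GOOD = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
MISSING = "v=spf1 include:spf.protection.outlook.com -all"
LOOSE = "v=spf1 ip4:203.0.113.0/24 +all"

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("missing", MISSING), ("loose", LOOSE)):
        print(label, check_spf(rec, COPIER_IP))
```

Paste in the TXT record published for the copier's sending domain and the NAT IP from the prerequisites; anything listed under `not_evaluated` still has to be resolved through DNS before the result is final.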

Resources

Microsoft Article - Exchange Online to Retire Basic Auth for Client Submission (SMTP AUTH)

Microsoft Article - Deprecation of Basic Authentication in Exchange Online