Exchange Online Mail Flow Architecture 2026: HVE, SMTP AUTH retirement, and the modern connector playbook

The 2026 mail flow timeline: what changed, what is coming

Three concurrent regulatory and platform changes have made 2026 the year mail flow architecture re-enters the planning cycle. The Microsoft side has shipped HVE, accelerated the SMTP AUTH retirement clock, and made external forwarding off by default. The receiver-side ecosystem (Outlook, Gmail, Yahoo) has standardised on hard sender requirements. Tenants that ran on inertia until 2024 are now hitting friction.

The five supported sending patterns in 2026

The Microsoft 365 sending surface in 2026 has five viable patterns — some are classical SMTP relay paths (SMTP AUTH, connector relay, Direct Send), some are purpose-built sending services (HVE, Azure Communication Services Email). Picking the right one for each sender is the single most important architecture decision. The wrong pattern is the source of "it worked last week and now it doesn't" tickets after preset security policies are rolled out, after SMTP AUTH is disabled, or after Outlook tightens its DMARC enforcement on a specific receiving domain.

The most common mismatch in production: applications still configured for SMTP AUTH (Basic) sending to internal recipients, often migrated from on-premises Exchange years ago, with no plan for retirement. The 2026 mapping is: if the sender is internal-only and high-volume, HVE. If the sender is internal-only and low-volume, Direct Send. If the sender is external-bound and high-volume, ACS. If the sender is a modern app sending as a specific user, SMTP AUTH with OAuth (or Microsoft Graph sendMail if the app can leave SMTP altogether). If the sender is a legacy device with a static IP, certificate-based or IP-based connector.

Mail flow decision tree

The same five methods, framed as a question-driven decision tree. Useful in design reviews when categorising each sender against the 2026 architecture.

High Volume Email: what it is, what it replaces, what it does not do

High Volume Email is the new Microsoft 365 mail flow surface for line-of-business applications that need to send substantial volumes of internal email reliably. It became generally available on 31 March 2026 after roughly two years of preview. The design point is: take applications that previously had to either run a 10,000-recipient-per-day rotation across multiple service accounts, or smuggle email through a third-party relay, and give them a purpose-built path that does not consume mailbox quota and does not collide with the per-user sending ceilings.

The most important constraint is what HVE deliberately is not. Microsoft scoped HVE to internal recipients only in June 2025 and confirmed that scope at general availability. External high-volume sending — newsletters, customer notifications, OTPs, transactional traffic to customers — is explicitly out of scope. Azure Communication Services Email is the recommended path for those workloads. Trying to use HVE for external traffic in 2026 is a planning error that surfaces fast: the messages do not deliver.

SMTP AUTH Basic Auth retirement: the 2026 migration playbook

SMTP AUTH (also called Client Submission) is the path where an application authenticates against smtp.office365.com on port 587 with username and password, then submits messages as a specific user mailbox. It is the path that broke when Microsoft removed Basic Authentication for most workloads in 2022. SMTP AUTH was given a temporary reprieve at that time because the alternatives for legacy senders were not mature. In 2026 those alternatives are mature, and the reprieve has an end date.

Microsoft's January 2026 update to the timeline confirms the retirement track: SMTP AUTH Basic Auth is disabled by default on existing tenants in late December 2026, with Microsoft expected to announce the final removal date in H2 2027. The "disable by default" event in late December 2026 is the operational deadline; the final removal will arrive later, on a date Microsoft will announce. HVE retains a separate Basic Auth exception until September 2028 to give specific device classes (older MFPs, scanners, niche industrial equipment) an extended runway. The realistic position for a 2026 admin is: every SMTP AUTH Basic sender needs a plan that ends before late December 2026.

Phase 1: inventory every SMTP AUTH sender

The first deliverable is a list. Without inventory there is no migration plan; with inventory the migration is a matter of routing each sender to the right 2026 method. The Exchange Online message trace and audit log are the primary sources. Filter for SMTP AUTH (Client Submission) sends and group by sending application and source IP.

For each identified sender, the question is: which method should this become in 2026? The decision tree is short.

• Modern application that supports OAuth 2.0 — reconfigure for SMTP AUTH with OAuth. Stays on SMTP AUTH path, just with modern auth.
• Internal-only LOB application with high volume — migrate to HVE.
• Internal-only application or device with low volume — migrate to Direct Send.
• Legacy device (MFP, scanner) with a static public IP — migrate to a certificate-based connector relay.
• External-bound transactional traffic — migrate to Azure Communication Services Email.
• Vendor-managed SaaS sender (CRM, ticketing, marketing automation) — check vendor documentation; most modern SaaS senders now support OAuth or have their own external sending paths.

Phase 2: modernise the authentication path

Phase 2 is the technical migration where the cleanest decision is made: should this sender continue to use SMTP at all? There are two distinct modernisation paths that are often conflated, and they are not interchangeable.

SMTP AUTH retirement is also an opportunity

The retirement is not only a protocol migration. It is also an opportunity to ask whether the application should still use SMTP at all. For custom applications that can be modified, Microsoft Graph sendMail is often a better long-term target than SMTP AUTH OAuth. SMTP remains useful for compatibility, devices and mail-flow-style relay. Graph is usually cleaner for application-native sending, permission scoping, auditing and future-proofing. The "do not migrate every SMTP sender to another SMTP sender" rule is the most under-applied design heuristic in this phase.

Phase 3: migrate to HVE / Direct Send / connector / ACS where OAuth is not the right answer

Some senders should leave the SMTP AUTH path entirely. The mapping decisions from Phase 1 drive Phase 3. The work is mostly operational: stand up the destination, validate the sender works, switch the sender configuration, monitor.

• HVE migration: create an HVE account, assign a Microsoft 365 PAYG billing policy to it (HVE accounts cannot send without one), configure the LOB application with the HVE account credentials (OAuth where supported; Basic Auth available for HVE specifically until September 2028), validate internal delivery. Monitor message trace and billing telemetry.
• Direct Send migration: point the application at the tenant MX endpoint on port 25 and validate internal delivery only. Do not design Direct Send as an external relay path. Direct Send is internal-only by design; if the application must send externally, use OAuth SMTP AUTH, connector relay, or Azure Communication Services Email depending on the scenario. The control that makes Direct Send safe is recipient scope and source governance, not SPF alignment.
• Certificate-based connector migration: preferred where the device or relay host supports clean TLS with a certificate. Issue a certificate with subject name matching an accepted domain, install on the device, create an inbound connector in Exchange Online with the certificate restriction, validate end-to-end.
• IP-based connector migration: for older MFPs, scanners and legacy devices that do not support certificate-based TLS cleanly. Place the device behind a controlled static public IP, create an inbound connector restricted to that IP, validate end-to-end. In both certificate and IP patterns, restrict source, monitor usage, and avoid using a user mailbox as the relay identity.
• ACS migration: provision an Azure Communication Services Email resource, register the sender domain (with DNS verification), reconfigure the application to use the ACS REST endpoint or SMTP with the ACS connection string, validate external delivery and bounce handling.

Phase 4: validate, then control SMTP AUTH carefully

The final step is the cleanest in intent but the most delicate in execution. Once every identified sender is on a non-Basic path, validate via message trace that no SMTP AUTH Basic Auth submissions remain. Then control SMTP AUTH carefully — not bluntly. The Exchange Online PowerShell command Set-TransportConfig -SmtpClientAuthenticationDisabled $true is widely repeated as the way to disable SMTP AUTH Basic Auth, but the actual effect is broader than that.

The mature 2026 pattern: disable per-mailbox aggressively (the default for any new mailbox is to not need SMTP AUTH at all), keep tenant-wide SMTP AUTH available for the explicit OAuth scenarios, and review the small list of "SMTP AUTH allowed" mailboxes periodically.

Connector architecture decisions

Mail flow connectors in Exchange Online are the configurable routing points where mail enters or leaves the tenant outside the default MX path. They are also the source of more "why did this mail get rejected?" tickets than any other Exchange Online feature, because connectors carry assumptions about IP space, certificates, partner orgs and security gateways that drift over time.

The 2026 connector architecture decisions break down into four common scenarios. Each has a recommended pattern and a set of common anti-patterns to avoid.

Transport rules (mail flow rules) patterns that work in 2026

Transport rules are the Swiss Army knife of Exchange Online mail flow. They handle disclaimers, conditional routing, security overrides, DLP integration, signatures, label-based encryption and a dozen other use cases. They also accumulate fast, conflict with each other, and produce results that are hard to debug. The 2026 mature pattern is: keep transport rules to a small number of well-named rules with explicit priority order, separate security rules from content rules, and audit periodically.

DMARC, DKIM and SPF: the 2026 enforcement state

The receiver-side enforcement of email authentication moved decisively in 2025. Outlook's May 2025 sender requirements pushed SPF, DKIM and DMARC alignment as a prerequisite for senders above 5,000 messages per day to Microsoft consumer mail domains. Gmail and Yahoo had moved earlier in 2024. The cumulative effect is that domains with no DMARC record, or with long-term permissive DMARC (p=none) in production, increasingly receive lower trust treatment from major receivers and are harder to defend during spoofing incidents. Outbound DMARC posture is now an admin responsibility, not a "we will get to it" item.

The realistic 2026 target for active production sending domains is DMARC p=reject, reached through phased rollout and reporting. Parked, defensive or non-sending domains may need a different pattern: usually a strict SPF (v=spf1 -all with no mechanisms) and a DMARC record aligned to the domain's purpose (p=reject with no sp exception, or with an explicit policy that signals "this domain does not send mail"). The phased rollout for active sending domains exists because moving directly to reject from no DMARC record routinely breaks legitimate mail flows that nobody knew existed — a printer using the domain, a SaaS service sending on behalf of the tenant without proper SPF inclusion, a shared mailbox used by a partner.

External auto-forwarding: secure by default, with controlled exceptions

The Microsoft 365 default outbound spam policy now treats "Automatic - System-controlled" as Off. External auto-forwarding rules set by users (via Outlook, mail flow rules on the mailbox, or Power Automate flows) are blocked at the gateway. The change closed a long-standing data exfiltration path and aligned Microsoft 365 with the broader secure-by-default posture across the platform.

The operational consequence: tenants where users were used to setting personal forwards (to a Gmail account, to a phone-based mail aggregator, to a partner organisation) experienced a wave of "my forwarding stopped working" tickets. The correct response is not to flip the global setting to On. The correct response is a scoped exception via a dedicated outbound spam policy applied to a specific group, with documented justification and periodic review.

• Default position: external auto-forwarding Off via the default outbound spam policy. No tenant-wide override.
• Documented exceptions: a custom outbound spam policy applied to an Entra ID security group ("AllowExternalForwarding") with the external forwarding control set to On. Membership is reviewed at defined intervals.
• Monitoring: any user with external forwarding On appears in audit logs and message trace. Microsoft Purview Insider Risk Management policies can flag patterns that suggest exfiltration via the exception.
• Communication: the exception process is documented in the help-desk knowledge base, so users requesting external forwarding follow a known path.

Defender for Office 365 integration: preset policies, ZAP, and rule interaction

Defender for Office 365 is the security layer that sits on top of the Exchange Online mail flow surface. The 2026 mature pattern is: Defender for Office 365 Standard or Strict preset security policies as the baseline, custom policies only where the tenant genuinely needs deviation, and explicit awareness of how presets interact with transport rules.

The preset security policies bundle anti-spam, anti-phishing, anti-malware, Safe Attachments and Safe Links at recommended values. Standard preset security policies are the default baseline for most users; Strict is usually better reserved for high-risk populations such as executives, finance, privileged admins, and users frequently targeted by phishing. Custom policies exist for legitimate edge cases: a tenant that must allow specific sender patterns flagged by Strict, a regulated industry with specific signature or attachment requirements.

The interaction with transport rules deserves a specific note. Transport rules evaluate before Defender for Office 365 anti-spam / anti-phishing for some actions, after for others, and bypass for explicit overrides. The common production failure is a transport rule that bypasses spam filtering for a specific connector or sender pattern, which then defeats the preset policy that was supposed to catch the malicious content. The mature pattern is: avoid blanket bypasses; if a bypass is required, scope it tightly (specific sender + specific subject + specific recipient) and review periodically.

Pre-migration validation checklist (12 items)

The checklist below collects the highest-impact actions a Microsoft 365 admin or architect can take in the second half of 2026 to land safely against the SMTP AUTH retirement date, the DMARC enforcement baseline, and the mature mail flow architecture.

• Inventory every SMTP AUTH Basic Auth sender in the tenant.Use Exchange Online message trace and audit log filtered for SMTP AUTH (Client Submission). Group by sending application and source IP. The deliverable is a list with current owner and target 2026 method per sender.
• Map each SMTP AUTH sender to its 2026 method.OAuth SMTP AUTH (modern apps), HVE (internal LOB high volume), Direct Send (internal low volume), certificate-based connector (legacy devices with static IP), Azure Communication Services Email (external high volume).
• Pilot one modern authentication migration path.If the app must remain on SMTP, pilot SMTP AUTH with OAuth/XOAUTH2 against smtp.office365.com:587 using the supported SMTP permission model. If the app can leave SMTP, pilot Microsoft Graph sendMail with the appropriate delegated or application Mail.Send permission. Document which path was chosen and why.
• Stand up HVE for one internal LOB sender.Create the HVE account, configure the sender (OAuth recommended; Basic Auth available for HVE specifically until September 2028), validate internal delivery and message trace. Confirm HVE limits and licensing model against current Microsoft Learn.
• Audit certificate-based and IP-based connectors.Validate that inbound connectors from third-party security gateways have Enhanced Filtering for Connectors enabled. Validate that outbound connectors to partners use TLS enforcement and trusted certificate verification, not IP whitelisting alone. Remove connectors for decommissioned senders.
• Publish DMARC p=none with reporting on every active sending domain.SPF complete and within the 10 lookup limit. DKIM signing enabled. rua reporting address configured. Aggregate reports collected and parsed (vendor tool or internal parser).
• Identify every legitimate sender from DMARC aggregate reports.Fix SPF to include them. Set up DKIM signing where possible. Identify and decommission rogue senders. This is the phase that prevents legitimate mail flow breakage when moving to quarantine and reject.
• Move DMARC to p=quarantine then p=reject with percentage rollout.Use pct=10, pct=25, pct=100 as the progression. Continue aggregate report review between steps. Final target: p=reject; pct=100 for every active sending domain. Parked, defensive or non-sending domains may need a different pattern; assess them separately.
• Apply Defender for Office 365 Standard or Strict preset security policies.Standard preset security policies are the default baseline for most users. Strict is usually better reserved for high-risk populations such as executives, finance, privileged admins, and users frequently targeted by phishing. Built-in Protection covers users without an assigned preset but is narrower in scope; do not treat it as a substitute for explicit Standard/Strict assignment.
• Configure the outbound spam policy explicitly.Preset security policies do not cover outbound spam. Validate external auto-forwarding control is Off in the default outbound spam policy. Create a scoped exception policy only where a specific business justification requires it, applied to a controlled group with periodic review.
• Audit transport rules for anti-patterns.Blanket bypasses for whole connector traffic. Disclaimer rules that affect auto-replies. Journal-all rules. Over-broad keyword regex. TLS-enforcement on every outbound. Remove or scope tightly. Order rules: security → compliance → routing → content.
• Control SMTP AUTH carefully after the migration completes.Be careful with Set-TransportConfig -SmtpClientAuthenticationDisabled $true — it disables SMTP AUTH at tenant level, not only Basic Auth. Use it only if no sender still needs SMTP AUTH. If modern OAuth SMTP AUTH remains required for selected applications, control SMTP AUTH at mailbox level via Set-CASMailbox -SmtpClientAuthenticationDisabled $true/$false and keep only the required mailboxes enabled.

Monitoring after cutover

The checklist captures the migration work. After cutover, the work shifts to validation. The pattern below is the post-migration monitoring window that catches the issues which are silent until they are not.

Common mistakes

1. Treating HVE as a general-purpose high-volume engine.HVE is internal-only since June 2025 and uses Microsoft 365 pay-as-you-go billing through an Azure subscription. Designing for external high-volume traffic with HVE, or planning HVE as "free mail flow", are both fast failures. Use Azure Communication Services Email for external transactional traffic; plan billing ownership for HVE.
2. Planning around the original SMTP AUTH retirement date or assuming H2 2027 is a hard cut-off.Microsoft has moved the dates more than once. The January 2026 timeline disables Basic Auth by default in late December 2026; Microsoft is expected to announce the final removal date in H2 2027 (not necessarily remove on that date). Treat late December 2026 as the operational deadline.
3. Assuming Direct Send is going away with SMTP AUTH, or using it for external delivery.Direct Send (port 25, unauthenticated, MX endpoint) is a separate path not affected by the SMTP AUTH Basic Auth retirement. It is also internal-only. Many internal-only legacy devices can move to Direct Send safely; do not design it as an external relay.
4. Putting a third-party security gateway in front of EOP without Enhanced Filtering for Connectors.Without EFC, EOP authenticates against the gateway IP instead of the real sender. SPF, DKIM and DMARC checks break for legitimate external senders. Configure EFC on every connector receiving mail from a gateway.
5. Running Set-TransportConfig -SmtpClientAuthenticationDisabled $true as a routine "disable Basic Auth" step.The command disables SMTP AUTH at tenant level, not only Basic Auth — including OAuth SMTP AUTH. Use it only when no sender still requires SMTP client submission. For per-mailbox control of SMTP AUTH availability, use Set-CASMailbox.
6. Moving DMARC straight to p=reject without phased rollout.Routinely breaks legitimate mail flows that nobody knew existed. The phased rollout (none → quarantine → reject with percentage steps) exists to catch and remediate before legitimate mail is rejected. Treat parked and non-sending domains separately.
7. Re-enabling external auto-forwarding tenant-wide to fix a forwarding ticket.Re-opens a major data exfiltration path. The correct response is a scoped exception policy applied to a specific reviewed group, not a global toggle.
8. Migrating every SMTP sender to another SMTP sender.SMTP AUTH retirement is also an opportunity to ask whether the application should still use SMTP at all. For custom applications that can be modernised, Microsoft Graph sendMail is often a better long-term target than SMTP AUTH OAuth. Do not confuse the two: SMTP AUTH OAuth speaks SMTP/XOAUTH2; Graph sendMail uses the Graph API.

References & further reading