The 20 checks I run on Exchange Online mail flow before any change: SPF / DKIM / DMARC, connectors, transport rules, anti-spam, SMTP AUTH, Message Trace baseline.

2026 Exchange Online playbook: HVE GA, SMTP AUTH Basic Auth retirement timeline, DMARC enforcement, connector architecture, transport rules and Defender for Office 365 baseline.

Exchange Online mail flow is not just about making email work. It is about deciding which messages should be trusted, blocked, routed, modified, quarantined or inspected. This guide gives you an interactive decision builder, recommended patterns for 16 real-world scenarios, a practical SMTP AUTH / HVE / Graph / ACS comparison, dangerous bypass rules to fix, connector review checklists, and the operational advice I use when reviewing mail flow in production tenants.