2026 Exchange Online playbook: HVE GA, SMTP AUTH Basic Auth retirement timeline, DMARC enforcement, connector architecture, transport rules and Defender for Office 365 baseline.

Exchange Online mail flow is not just about making email work. It is about deciding which messages should be trusted, blocked, routed, modified, quarantined or inspected. This guide gives you an interactive decision builder, recommended patterns for 16 real-world scenarios, a practical SMTP AUTH / HVE / Graph / ACS comparison, dangerous bypass rules to fix, connector review checklists, and the operational advice I use when reviewing mail flow in production tenants.

Transport rules have been in Exchange since the on-prem days. Microsoft keeps adding newer policy engines, but mail flow rules remain the workhorse for anything those engines do not cover. This article covers the baseline rules most tenants need, external sender tagging (custom vs native), disclaimers, security-focused patterns, encryption triggers, the AND/OR condition logic trap, rule priority and stop processing, where transport rules overlap with Purview DLP and Defender, PowerShell management patterns, limits and constraints, and a 14-point audit checklist.