In part one of the series, we explored, at a high level, the typical use cases for SMTP address rewrite. Then, in part two, we expanded the topic further by reviewing a real scenario and providing insights based on firsthand experience with our clients.
Now, in this final part, we will talk about the multi-brand scenario where a company might have a portfolio of products/services with different brands or names, all owned and managed by the same organisation. However, they still want to use one single SMTP domain name when communicating with the outside world.
This scenario addresses challenges such as:
Regulations regarding data residency
Long-term solution for communication using a unified email domain.
Ability to add custom DKIM and SPF entries to achieve enhanced security.
Lack of cross-tenant domain name sharing in Microsoft 365. Although Microsoft has plans to provide a native solution for cross-tenant email domain sharing, at the time of writing, a domain can be registered to one tenant only.
A common solution to the above challenges is to use a third-party email address rewrite service that enables partial domain sharing. Multiple products on the market can perform email rewrite on outbound messages, such as Proofpoint or Mimecast, and Exchange Edge Transport servers can do it as well, although certain limitations apply (see SMTP Address Rewrite, Part II). These solutions require source-to-target mapping files for the email address translation.
Let us explore the domain rewrite functionality of the Quest On Demand Migration SaaS product. It makes it easy to enable users to communicate from a common email domain and, as such, addresses the single brand requirement. Quest On Demand intercepts messages in transit and modifies the headers so that emails appear to have been sent from an email address that is owned by a different tenant. In addition, it provides processing of calendar invites and performs rewrite actions for the sender and the message recipients.
A Common Scenario
Company X is a global conglomerate managing a diverse portfolio of products and services under multiple brands. Each brand operates semi-autonomously, maintaining its unique identity on the market. However, Company X wants to streamline its email communication by using a single SMTP domain name across all brands when interacting with external stakeholders without rushing into a lengthy consolidation process. The solution is to leverage Quest On Demand Email Rewrite Services to achieve this seamless integration.
Objectives
Unified email communication across all M365 tenants: Ensure that all outgoing emails from any brand use a single corporate SMTP domain.
Brand identity preservation: Maintain individual brand identities internally while presenting a unified corporate identity externally. It is easy to select which domain to share and which users send and receive emails from common domains.
Minimised disruption and enhanced security: Ensure secure message handling with zero delays in delivery.
Granular control and simplified future migration as needed: Eliminate manual work and complex tasks like loading mapping files or setting up routing configuration. All is handled automatically via the user interface. When the time comes for a full or partial consolidation, it is achieved easily due to the native integration with Quest On Demand migration tools.
Solution Overview
The Address Rewrite Service is designed to establish a coexistence environment for domains, ensuring that all emails from the source or target mail domain appear to originate from the unified mail domain based on specified settings. This service handles the creation and management of necessary connectors, mail flow rules, and mail-enabled users and groups within the Exchange Online environment. Administrators are responsible for adding or removing source mail users from this coexistence environment and for activating or deactivating the Address Rewrite Service as needed.
Deployment of the Address Rewrite Service goes through the following steps:
Scenario for address rewriting.
Provision Address Rewrite Service.
Add mailboxes to address rewriting.
Add Address Rewrite Service's IP address to the target DNS SPF record.
Activate address rewriting. It can be deactivated at any time or turned off for individual mailboxes.
Implementation and Key Considerations
The Address Rewrite Service requires careful assessment and planning prior to implementation, followed by extensive testing and validation post-deployment. Detailed documentation from Quest is available that can guide you through each step; therefore, we won’t spend much time on it here. Instead, we are going to highlight the most important aspects that must be considered.
We use the following terms:
Target tenant: the environment where the unified SMTP domain name is registered and will be used for rewriting for outbound emails.
Source tenant: the home tenant for each individual brand.
Key considerations:
Address Rewrite Service creates custom coexistence groups, connectors, and rules in the source and target tenants. These should not be altered, as changing them may cause the service to fail.
Address Rewrite Service only works with accounts that have pairs in the target tenant. An account should be matched to an existing user before being added to address rewriting. This requires a GAL synchronisation between tenants.
The address is only rewritten in emails that are sent to recipients outside of the sending organisation. Internal users receive the email with the original email address.
"Automatic forwarding" must be set to "On" in the "Outbound spam filter policy" in the target tenant. M365 Advanced Threat Protection default settings can prevent the service from functioning correctly.
Consider adding Address Rewrite Service's IP address to SPF records in the target tenant's DNS.
Consider activating or deactivating the service for individual mailboxes depending on the scenario.
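The SPF consideration above can be checked before activation. The following is an added example, not Quest's or Microsoft's code: it parses an SPF TXT record offline and reports whether a given IP is covered by an ip4/ip6 mechanism and how the record ends. The record and the service IP are constructed placeholders, and include: mechanisms are not resolved.

```python
import ipaddress

# Constructed sample: the record and the service IP are placeholders
# (203.0.113.0/24 is a documentation range), not the service's real values.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
SERVICE_IP = "203.0.113.10"

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        # A missing qualifier means '+' (pass).
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        # Split at the first colon only, so ip6 values stay intact.
        name, _, value = body.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def ip_listed(record, ip):
    """True if an ip4/ip6 mechanism with a pass qualifier covers the IP."""
    address = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6") and qualifier == "+":
            network = ipaddress.ip_network(value, strict=False)
            if network.version == address.version and address in network:
                return True
    return False

def all_qualifier(record):
    """Return the qualifier on the 'all' mechanism, or None if absent."""
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            return qualifier
    return None
```

A record that ends in -all and does not list the service IP would cause receivers that enforce SPF to fail rewritten mail relayed from that IP.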
How the rewriting process works:
When a user sends an email as user@source.domain, it is redirected to the Address Rewrite Service server if it is addressed to external recipients.
Then the Address Rewrite Service validates user eligibility for address rewriting and processes it by rewriting @source.domain to @target.domain for every user found in the coexistence space. The addresses in the "From," "To," and "Cc" fields of the email message are rewritten for all external recipients. Then the Address Rewrite Service passes the processed email message to the target Exchange Online. Internal recipients that reside in the source receive this email message with unchanged addresses.
Exchange Online at the target sends the message to external recipients as if it were sent by user@target.domain, and all addresses of the users added to the coexistence scope in "From," "To," and "Cc" are rewritten for external recipients.
External recipients are not aware of @source.domain and reply (or create a new email) to user@target.domain.
When the reply or a new email arrives at the target mail domain, it will be forwarded to the source. The source recipient gets the message as if it were forwarded from the target Exchange Online from user@target.domain.
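The flow described above, modelled as an added example (this is not Quest's implementation): it rewrites From, To and Cc for users in the coexistence scope when a message has external recipients, and maps a reply address back to the source. The scope set, the sample message and all function names are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses

# Constructed values: the domains mirror the article's placeholders and the
# coexistence scope is a hypothetical set of matched users.
SOURCE_DOMAIN = "source.domain"
TARGET_DOMAIN = "target.domain"
COEXISTENCE_SCOPE = {"alice@source.domain", "bob@source.domain"}

# Constructed sample message: carol is a source user outside the scope.
SAMPLE = (
    "From: Alice <alice@source.domain>\n"
    "To: customer@example.com, Bob <bob@source.domain>\n"
    "Cc: carol@source.domain\n"
    "Subject: Quote\n\nHello\n"
)

def rewrite_address(addr):
    """Map user@source.domain to user@target.domain for users in scope only."""
    if addr.lower() in COEXISTENCE_SCOPE:
        return addr.rpartition("@")[0] + "@" + TARGET_DOMAIN
    return addr

def has_external_recipient(msg):
    """True if any To/Cc address lies outside the source domain."""
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(not a.lower().endswith("@" + SOURCE_DOMAIN) for _, a in recipients)

def external_view(raw):
    """Return the message as external recipients would see it."""
    msg = message_from_string(raw)
    if not has_external_recipient(msg):
        return msg  # internal-only mail keeps its original addresses
    for header in ("From", "To", "Cc"):
        values = msg.get_all(header)
        if values:
            pairs = getaddresses(values)
            del msg[header]
            msg[header] = ", ".join(
                formataddr((name, rewrite_address(addr))) for name, addr in pairs)
    return msg

def inbound_forward_target(addr):
    """Reverse step: a reply to user@target.domain is forwarded to the source."""
    local, _, domain = addr.lower().rpartition("@")
    source = f"{local}@{SOURCE_DOMAIN}"
    if domain == TARGET_DOMAIN and source in COEXISTENCE_SCOPE:
        return source
    return addr
```

In the sample, carol@source.domain stays visible to the external recipient because she is not in the coexistence scope, which is the kind of leak of the source domain worth testing for after adding or removing mailboxes.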
Conclusion
Quest On Demand Address Rewrite Service is an effective tool for complex email management scenarios in a multi-brand environment. However, it has its own limitations, such as:
The need to purchase and maintain additional licenses.
Lack of Global Address List (GAL) synchronisation between tenants requires other mechanisms/products to be considered.
At Nuwey, we deliver tenant migration and consolidation projects regularly. Feel free to contact us whenever you need help with M365 or Quest On Demand.