
Hybrid Email with Microsoft 365 and Mailcow: Complete Guide + Checklist

Why a Mailcow + Microsoft 365 hybrid setup is better than the classic approach

In today’s business world, email isn’t just a tool—it’s the backbone of communication. Companies often face a dilemma: full control and flexibility with their own mail server like Mailcow, or the security, reliability, and top deliverability of cloud giants like Microsoft 365?

Why not combine the best of both worlds?

Microsoft 365 (Exchange Online Protection) acts as a powerful gateway for all email traffic, filtering spam and threats and ensuring a spotless sender reputation.

Mailcow serves as a reliable, cost-effective mailbox store for all mailboxes and gives you full data sovereignty on your own server.


Why is the hybrid system the ideal solution?

This approach offers unique advantages, especially for European—and particularly German—companies.

  1. GDPR compliance and data control 
    For many companies in Germany and the EU, storing data on local servers is not just a preference but a legal requirement (GDPR). In our hybrid model, Microsoft 365 serves only as a transit hub—it filters and forwards emails but does not store them. All messages, contacts, and calendars reside physically on your Mailcow server, either with your hosting provider or on your company premises, ensuring full data sovereignty and GDPR compliance.

  2. Cost efficiency
    You don’t need to buy expensive Microsoft 365 licenses for every employee. A basic license with Exchange Online Protection (EOP) is enough to handle all email traffic. The mailboxes themselves are created in Mailcow, which significantly reduces monthly costs.

  3. World-class security
    You get access to Microsoft Exchange Online Protection—one of the best filters in the world for protecting against spam, phishing, and malware. All incoming and outgoing emails pass through this reliable system.

  4. Maximum deliverability
    Emails sent via Microsoft servers—using their IP addresses and flawless DKIM—reliably land in the inbox instead of the spam folder.


Hybrid architecture and benefits

Diagram:

Internet → Microsoft 365 (EOP, inbound filtering) → Mailcow (mailboxes) → Microsoft 365 (EOP, outbound filtering) → Internet

Benefits:

  • GDPR & control — Emails are stored in Mailcow in your country or on-premises.
  • Cost savings — A basic Microsoft 365 license with EOP is sufficient.
  • Deliverability — Sending via Microsoft IPs with DKIM.
  • Security — Microsoft-grade protection for both inbound and outbound mail.


Step 1: DNS configuration

All DNS records in Cloudflare (or another DNS provider) should be set to “DNS only” (grey cloud).

| Purpose | Type | Name | Value |
|---|---|---|---|
| Mail host | A | mail | 203.0.113.10 |
| Email receiving | MX | @ | |
| SPF | TXT | @ | v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all |
| DMARC | TXT | _dmarc | v=DMARC1; p=quarantine; sp=quarantine; adkim=s; aspf=s; fo=1; pct=100; rua=mailto:[email protected] |
| DKIM | CNAME | selector1/2._domainkey | Microsoft 365 entries. |

💡 Metzler IT tip: Don’t include IPv6 in SPF if it isn’t actively used.


Step 2: Microsoft 365 - Gateway Setup

2.1. Add the domain

  • Verify the domain in Microsoft 365.
  • In the EAC → Mail flow → Accepted domains → set it to Internal relay.

2.2. Connectors

Inbound:

  • Type: Microsoft 365 → Mailcow
  • Smart Host: mail.example.com
  • Require TLS, verify the certificate CN.

Outbound:

  • Type: Mailcow → Microsoft 365
  • Authenticate via IPv4 (203.0.113.10).
  • IPv6 is not supported.

Fix for error 550 5.7.64 Relay Access Denied:

In Mailcow → extra.cf: smtp_address_preference = ipv4

Restart Postfix: docker restart mailcowdockerized-postfix-mailcow-1

2.3. DKIM in Microsoft 365

  • Enable DKIM in the Defender portal.
  • Publish the selector1 and selector2 CNAME records in DNS.


Step 3: Mailcow as the central mailbox store

3.1. Outbound mail flow via EOP

In Routing → Sender-dependent transports: example.com → example-com.mail.protection.outlook.com:25

3.2. DKIM

It’s better to disable DKIM in Mailcow and use only Microsoft signatures.

Alternatively, enable dual signing and publish the TXT key.

3.3. Reputation improvement

In extra.cf:

myhostname = mail.example.com

smtpd_banner = $myhostname ESMTP

smtp_helo_name = $myhostname


Step 4: Fine-tuning in Microsoft 365

4.1. Reduce false positives

In the EAC → Mail flow → Rules, create a rule:

If sender = Mailcow IP → set SCL = 0.

4.2. DMARC

Recommended record:

v=DMARC1; p=quarantine; sp=quarantine; adkim=s; aspf=s; fo=1; pct=100; rua=mailto:[email protected]


Testing and debugging

Check DNS (Linux/macOS):

dig +short TXT example.com

dig +short CNAME selector1._domainkey.example.com

dig +short TXT _dmarc.example.com

dig +short MX example.com
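The `dig` answers above can be checked against the records from Step 1 automatically. The following is an added example, not part of the original guide: it takes the record strings as `dig +short` prints them and reports deviations from the hybrid design, including an MX host that would let senders bypass EOP. The function names are hypothetical, and the IP and hostnames are the guide's placeholders.

```python
# Added example. Values below are this guide's placeholders.
MAILCOW_IP = "203.0.113.10"
EOP_INCLUDE = "spf.protection.outlook.com"
EOP_MX_SUFFIX = ".mail.protection.outlook.com"

def check_spf(txt):
    """Return the problems found in one SPF TXT record (empty list = OK)."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    problems = []
    if f"ip4:{MAILCOW_IP}" not in terms:
        problems.append(f"missing ip4:{MAILCOW_IP}")
    if f"include:{EOP_INCLUDE}" not in terms:
        problems.append(f"missing include:{EOP_INCLUDE}")
    if terms[-1] != "-all":
        problems.append(f"ends with {terms[-1]}, expected -all")
    if any(t.startswith("ip6:") for t in terms):
        problems.append("ip6 mechanism present; keep it only if IPv6 is in use")
    return problems

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    parts = txt.strip().strip('"').split(";")
    pairs = (p.split("=", 1) for p in parts if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_dmarc(txt):
    """Compare a DMARC record with the policy recommended in this guide."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    problems = []
    if tags.get("p") not in ("quarantine", "reject"):
        problems.append(f"p={tags.get('p')} is not enforced")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":  # DMARC default is relaxed ("r")
            problems.append(f"{tag} is relaxed, guide uses strict")
    if "rua" not in tags:
        problems.append("no rua reporting address")
    return problems

def check_mx(dig_lines):
    """dig_lines: 'dig +short MX' output, e.g. '0 host.'; every MX must be EOP."""
    hosts = [l.split()[-1].rstrip(".").lower() for l in dig_lines if l.strip()]
    if not hosts:
        return ["no MX record"]
    return [f"MX {h} bypasses EOP" for h in hosts if not h.endswith(EOP_MX_SUFFIX)]
```

An empty list from each function means the record matches the guide; TXT records that `dig` prints as several quoted chunks must be joined before they are passed in.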

Mailcow logs:

docker logs -f mailcowdockerized-postfix-mailcow-1

In Microsoft 365:

  • Message trace — check delivery.
  • Threat Explorer — analyze filtering.


Readiness checklist

| Check / Verification | Status |
|---|---|
| MX points to *.mail.protection.outlook.com | |
| Accepted domains → Internal relay | |
| Connectors set up | ✅ |
| DKIM enabled in Microsoft 365, CNAME records published | ✅ |
| SPF and DMARC correctly configured | ✅ |
| PTR points to mail.example.com | ✅ |
| Tests = spf=pass, dkim=pass, dmarc=pass | ✅ |
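The last checklist item can be verified from the headers of a test message received at an external mailbox. The following is an added example, not part of the original guide: it reads the topmost `Authentication-Results` header and, because the DMARC record uses `adkim=s`, also requires the DKIM signing domain to equal the From domain exactly. The sample message and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test message; the header layout follows RFC 8601.
GOOD = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=example.com header.s=selector1;
 spf=pass smtp.mailfrom=alice@example.com;
 dmarc=pass header.from=example.com
From: Alice <alice@example.com>
Subject: hybrid test

hello
"""
# Same message, but signed by a different domain (constructed), as seen when
# the custom-domain DKIM selectors are not the ones doing the signing.
UNALIGNED = GOOD.replace("header.d=example.com",
                         "header.d=example.onmicrosoft.com")

def auth_results(raw):
    """Parse the topmost Authentication-Results header (the one added last,
    by the receiving server); lower copies may come from the sender."""
    msg = message_from_string(raw)
    header = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header)
        out[method] = m.group(1).lower() if m else "missing"
    d = re.search(r"\bheader\.d=([\w.-]+)", header)
    out["dkim_domain"] = d.group(1).lower() if d else None
    return out

def from_domain(raw):
    """Domain part of the visible From address."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def checklist_passes(raw):
    """True only if spf, dkim and dmarc pass and DKIM is strictly aligned."""
    r = auth_results(raw)
    all_pass = all(r[m] == "pass" for m in ("spf", "dkim", "dmarc"))
    return all_pass and r["dkim_domain"] == from_domain(raw)
```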


Common errors and solutions

| Error | Solution |
|---|---|
| 550 5.7.64 Relay Access Denied | Enable IPv4 in Mailcow. |
| DKIM=permerror | Disable DKIM in Mailcow or publish the key. |
| Emails end up in Gmail spam | Write emails in HTML + plain text. |
| Cloudflare proxy (orange cloud) | Use only “DNS only”. |

FAQ — Frequently asked questions

Microsoft 365 filters and sends, while Mailcow stores mailboxes locally. Benefits: Trusted Microsoft reputation + complete data control.

  • Cost savings: a basic license with EOP is enough
  • GDPR compliance: mailboxes remain local
  • Flexibility: you manage Mailcow and integrate it into your infrastructure
  • SPF: ip4:your_IP include:spf.protection.outlook.com
  • DKIM: enable it in Microsoft 365 and add the CNAME to DNS
  • DMARC: start with p=quarantine, then tighten it to p=reject later.

No, Microsoft 365 doesn’t accept IPv6 for IP-based connectors. Use IPv4 instead. For IPv6, mTLS via a certificate would be required.

  • Check SPF, DKIM and DMARC
  • Send emails as HTML + plain text
  • Add a signature, contact details and a logo
  • Recipients should mark emails as “Not spam”

It’s best to leave only Microsoft DKIM enabled. For dual signing, the Mailcow TXT key must be published.

MX to `*.mail.protection.outlook.com`, A record `mail.example.com`, SPF/DKIM/DMARC valid, PTR correct.

With an existing Mailcow server: 2–4 hours.

With a full setup (including a DNS audit and tests): about 1 working day.

Summary

Hybrid email with Mailcow + Microsoft 365 is the perfect balance:

  • Microsoft filtering and reputation
  • Full control and storage on your side
  • GDPR compliance and cost savings

⚙️ With the correct setup of DNS, DKIM, and connectors, you get an enterprise-grade email system.

👉 Would you like to implement a hybrid setup in your organization?

The Metzler IT team supports you with:

  • DNS and connector configuration
  • SPF/DKIM/DMARC/ARC audit
  • final deliverability check

Contact us to receive ready-made DNS templates for your domain.


