Microsoft announced they are deprecating SMTP AUTH. This guide will go over what this change means and how it will affect scanning with MFPs in a business environment, and outlines replacement options such as unauthenticated mail relay and configuring OAuth for outbound mail.
What is SMTP AUTH?
SMTP AUTH is a process that allows only authorized users to send email through an SMTP server. It's a mechanism built into the SMTP protocol that requires the client to authenticate before sending messages. In this context, the client is the MFP emailing scanned documents (PDFs) via SMTP. The MFP connects to the SMTP server and provides its credentials (username and password), and the server checks them against its database of authorized users. If authentication is successful, the SMTP server allows the email to be sent. If authentication fails, the server rejects the request.
Why Does SMTP AUTH Matter to Me?
Many companies use SMTP AUTH to authenticate to their email server, which allows the MFP to send scanned documents to email destinations.
Am I Affected by This Change?
Companies that use Basic AUTH with Microsoft Exchange Online to send email from an MFP are affected by this change. Review the SMTP settings on your MFP to see how it's configured. You are affected if all of the following apply:
- SMTP Server is Microsoft-based, such as:
  - smtp-mail.outlook.com
  - smtp-office365.com
  - smtp.protection.outlook.com
- SMTP Authentication is enabled.
- Username and Password are entered for SMTP authentication.
Additionally, you may check your Entra ID activity logs. If you have MFPs authenticating using Basic AUTH, that activity will be listed there.
- Log into the Azure Administration Portal (portal.azure.com)
- Click Microsoft Entra ID
- Expand "Monitoring", select "Sign-in logs", and review the entries for the following:
- Authentication requirement: Basic Authentication
- Display Name: MFP Printer Name
- Authentication method: Basic
- Protocol: SMTP
- IP Address: Compare against your list of MFPs
If these factors are present, your configuration will be impacted by Microsoft's changes.
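The sign-in log review above can be run against an exported log instead of by eye. The following is an added example, not part of the original guide: it assumes a JSON export whose property names follow the Microsoft Graph signIn resource (`clientAppUsed`, `ipAddress`, `userPrincipalName`, `createdDateTime`) and that SMTP AUTH sign-ins carry the client app value "Authenticated SMTP"; the sample records, the inventory and the function name are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample data: four records shaped like a JSON sign-in log export.
# Property names follow the Microsoft Graph signIn resource (an assumption
# about your export; adjust if your file uses different column names).
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2025-03-03T08:15:02Z", "ipAddress": "203.0.113.10",
     "userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"createdDateTime": "2025-03-03T09:40:11Z", "ipAddress": "203.0.113.10",
     "userPrincipalName": "Scanner@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"createdDateTime": "2025-03-03T09:41:00Z", "ipAddress": "198.51.100.7",
     "userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
    {"createdDateTime": "2025-03-04T02:12:45Z", "ipAddress": "198.51.100.99",
     "userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP"},
])

# Constructed inventory: public IP each MFP sends from -> device name.
MFP_INVENTORY = {"203.0.113.10": "MFP-Floor2"}


def find_smtp_basic_auth(export_json, inventory):
    """Group SMTP AUTH sign-ins by (source IP, account) and label known MFPs."""
    groups = {}
    for rec in json.loads(export_json):
        if (rec.get("clientAppUsed") or "").strip().lower() != "authenticated smtp":
            continue  # not an SMTP AUTH client submission
        ip = str(ipaddress.ip_address(rec["ipAddress"]))  # normalise / validate
        account = rec["userPrincipalName"].lower()
        row = groups.setdefault((ip, account), {
            "ip": ip, "account": account, "count": 0, "last_seen": "",
            "device": inventory.get(ip, "UNKNOWN"),
        })
        row["count"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        row["last_seen"] = max(row["last_seen"], rec["createdDateTime"])
    # Unknown sources first: same credentials used from an IP that is not an MFP.
    return sorted(groups.values(),
                  key=lambda r: (r["device"] != "UNKNOWN", -r["count"]))


if __name__ == "__main__":
    for row in find_smtp_basic_auth(SAMPLE_EXPORT, MFP_INVENTORY):
        print(row)
```

Rows labelled UNKNOWN are SMTP AUTH sign-ins from addresses that are not in the MFP inventory, which is worth resolving before migrating: either the inventory is incomplete or the scan account's password is in use elsewhere.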
What Will Happen September 2025?
In early 2023, Microsoft began retiring basic authentication with client submission (SMTP AUTH). Applications and devices using SMTP AUTH, including MFPs, have slowly stopped working. This change will continue, and by September 2025 basic authentication will be fully and permanently disabled.
How Will This Affect MFP Scan-to-Email?
After Basic Authentication is disabled, devices configured to use this login method will no longer be able to authenticate and send emails, causing the scan job to fail.
Available Options in Place of SMTP AUTH
There are three options to address this change to SMTP AUTH. Here is an overview of each option; the details are provided further in this guide.
- Option 1 (Recommended): SMTP Relay through Office 365
- This option requires no authentication at the MFP level and is secured through TLS and IP based authentication. Once the relay is configured, the same configuration is used on each MFP.
- Option 2: OAuth-Based Authentication
- OAuth-based authentication is set on each individual MFP. This option requires a compatible MFP (not all MFPs support OAuth) and is configured on each MFP individually, not centrally managed.
- Option 3: Alternative Solutions (No SMTP Required)
Action Plan
- Assess whether you’re affected (see Am I affected by this change?)
- If you’re affected, decide which option you will use
- If using Option 1, Unauthenticated mail relay:
- Configure mail relay per instructions below
- Configure MFPs to use mail relay
- If using Option 2, OAuth configuration:
- Assess the MFP models in your environment.
- On compatible models, configure OAuth per details below
- If you have any unsupported MFP models, please reach out to your Ubeo Account Manager to discuss upgrade options.
- If using Option 3, contact our sales team to discuss alternative solutions that eliminate the need for SMTP and ensure seamless communication.
- Test configurations before Basic Auth is disabled by Microsoft.
Option 1: Unauthenticated Mail Relay (Recommended)
Things to know about Unauthenticated Mail Relay:
- Note on Security: Although this method is listed as “unauthenticated”, it remains secure because the relay is restricted to approved IP addresses, preventing unauthorized use. Messages are only accepted from trusted internal sources, and TLS encryption is used to ensure that emails remain protected in transit. Read more information here.
- Using an unauthenticated relay can allow MFPs to continue to use scan-to-email functions when Microsoft removes the ability to use basic authentication when connecting to Office 365.
- The application or device in your organization's network uses a connector for SMTP relay to send emails to recipients in your organization.
- The Microsoft 365 or Office 365 connector you configure authenticates your device or application with Microsoft 365 or Office 365 using an IP address.
- Microsoft 365 or Office 365 SMTP relay doesn't require the use of a licensed Microsoft 365 or Office 365 mailbox to send emails.
- Sent mail can be disrupted if your IP addresses are blocked by a spam list.
- Requires static unshared external IP addresses
To set up the SMTP relay, follow these steps:
- Obtain the public (static) IP address(es) that the device or application will send from. A dynamic IP address is not supported or allowed. Make a note of this IP address for later. Multiple public static IP addresses are supported.
- Sign in to the Microsoft 365 admin center (admin.microsoft.com).
- Go to Settings > Domains, select your domain (for example, contoso-com), and find the MX record
- The MX record will have a Points to address or value that looks like contoso-com.mail.protection.outlook.com
- Make a note of the MX record Points to address value, which we refer to as your MX endpoint
- In Microsoft 365 or Office 365, select Admin and then Exchange to go to the Exchange admin center
- In the Exchange admin center, go to Mail flow > Connectors
- Check the list of connectors set up for your organization. If there is no connector listed from your organization's email server to Microsoft 365 or Office 365, create one:
- To start the wizard, click the plus symbol +
- On the first screen, choose the following options:
- From: Your organization’s email server
- To: Office 365
- Click Next and give the connector a name
- On the next screen, choose the option "By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization" and add the IP address(es) from step 1
- Leave all the other fields with their default values and select Save
- Now that you are done with configuring your Microsoft 365 or Office 365 settings, go to your domain registrar's website to update your DNS records
- Edit your SPF record. Include the IP address(es) that you noted in step 1
- The finished string should look like this:
v=spf1 ip4:x.x.x.x include:spf.protection.outlook.com ~all
- The ipv4 address listed (x.x.x.x) is your public IP address
- Skipping this step can cause email traffic to arrive in a junk mail folder
- The configuration is complete. Send the MX record you noted in step 3 to RMC to be used by the copiers or software application
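The SPF edit in the steps above is easy to get subtly wrong (a leftover placeholder, a relay IP that was never added). The following is an added example, not part of the original guide: it checks a published SPF string against the relay IPs from step 1 and the include shown in the guide's sample record. It works on the TXT value you paste in rather than querying DNS, and the function name and sample addresses are constructed for illustration.

```python
import ipaddress

# Include mechanism taken from the guide's sample SPF record.
M365_INCLUDE = "include:spf.protection.outlook.com"


def check_spf(record, relay_ips):
    """Return a list of problems found in an SPF TXT value (empty list = OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]

    problems, networks = [], []
    normalised = [t.lower().lstrip("+") for t in terms[1:]]
    for raw, term in zip(terms[1:], normalised):
        if term.startswith(("ip4:", "ip6:")):
            try:
                # strict=False accepts both single hosts and CIDR ranges.
                networks.append(ipaddress.ip_network(term[4:], strict=False))
            except ValueError:
                # Catches a placeholder such as ip4:x.x.x.x left in the record.
                problems.append(f"unparseable mechanism: {raw}")

    for ip in relay_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr.version == n.version and addr in n for n in networks):
            problems.append(f"relay IP {ip} is not covered by an ip4/ip6 mechanism")

    if M365_INCLUDE not in normalised:
        problems.append(f"missing {M365_INCLUDE}")

    # The guide's record ends in ~all; -all is the stricter variant.
    if terms[-1].lower() not in ("~all", "-all"):
        problems.append(f"record ends with '{terms[-1]}', expected ~all or -all")
    return problems


if __name__ == "__main__":
    # Constructed records; 203.0.113.10 is a documentation address.
    good = "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all"
    bad = "v=spf1 ip4:x.x.x.x include:spf.protection.outlook.com ~all"
    print(check_spf(good, ["203.0.113.10"]))
    print(check_spf(bad, ["203.0.113.10"]))
```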
Option 2: OAuth
OAuth provides modern authentication protocols, offering enhanced security by eliminating the need to store usernames and passwords directly on the devices. Each manufacturer offers specific instructions for enabling OAuth on their devices, if available. Below you’ll find a brief overview for some of the more common brands, along with links to more detailed technical documentation, if available.
Some general guidelines for setting up OAuth:
- Configuration of OAuth authentication requires a licensed mailbox/account in the O365 tenant. This account will be used as the sender for email sent from the MFP.
- Ensure you have the credentials for the licensed account.
- The licensed account must have Authenticated SMTP enabled in the O365 admin center.
- If not using an O365 tenant and/or no licensed mailbox/account is available, create a Microsoft Outlook account for this purpose here: https://signup.live.com
OAuth setup for specific devices:
- Canon MFP: Canon MFP must be on unified Firmware Platform (uFP) v3.18 or higher. For more support view Canon instructions here.
- HP MFP: To use OAuth on HP MFPs, please be sure to upgrade your firmware to HP FutureSmart 5.7 or newer.
- Ricoh/Savin/Lanier MFP(s): Currently Ricoh has limited support for using OAuth authentication. An unauthenticated relay (Option 1 above) is recommended for Ricoh MFPs.
- Lexmark MFP: Lexmark printers support OAuth 2.0 authentication starting with the FW24 firmware. For more support view Lexmark instructions here.
- Xerox MFP: Currently Xerox doesn’t support modern authentication like OAuth 2.0. An unauthenticated relay (Option 1 above) is recommended for Xerox MFPs. For more support view Xerox instructions here.
- Sharp MFP: Many of the newer Sharp models do include support for OAuth; however, older models may not. Please reference the documentation for your model to determine OAuth support. For more support view Sharp instructions here.
- Konica-Minolta MFP: Konica-Minolta has limited support for OAuth using a special firmware, GP4-Q6; however, detailed information is limited. Option 1, an unauthenticated relay, would be the best option for Konica-Minolta. OAuth may be supported with production firmware in the future.
Option 3: No SMTP Required Solution
In some cases, SMTP authentication and OAuth are not required. UBEO offers solutions that simplify communication without setting up an email relay or adjusting any SMTP settings in your environment. Please reach out to our sales team to learn more about the solutions offered by UBEO Business Services.
Resources
Glossary:
- SMTP: Simple Mail Transfer Protocol
- MX Record: Mail Exchange Record
- Exchange Online: Microsoft Email Server (cloud)
- Exchange Server: Microsoft Email Server (on-prem)
- Mail Connectors: A tool or configuration setting used to enable communication between a multifunction printer (MFP), and an email server.
- MFD / MFP: Multi-Function Device / Multi-Function Printer
- OAuth: An open standard for secure authorization that allows applications to access resources on a server without exposing user credentials. It uses tokens to grant limited access, enhancing security and enabling seamless integration with services like email servers.
- Relay: The process of forwarding email through an SMTP server, often used to route messages securely from devices like MFPs to recipient mail servers.
- Email Domain: The part of an email address after the "@" symbol, representing the mail server handling the email (e.g., gmail.com)