Exchange (On-Prem): How to make emails from internal application servers trusted/internal emails?


Usually, emails that originate within the Exchange organization are considered “Internal”, trusted emails. All other emails, coming from outside the Exchange organization, are “External” emails and are usually considered less trustworthy.

How do you make emails coming from internal application servers trusted emails in an on-prem Exchange environment? The answer lies in understanding how to set up the Exchange Receive Connector(s).

I would recommend a separate Receive Connector with its own IP address. That is, assign an additional IP address to the NIC on the Exchange Transport servers, and specify this additional IP address in the Receive Connector that receives emails from intranet servers and devices.

Open the Receive Connector properties window and go to Security. Enable "Externally secured (for example, with IPsec)" under Authentication settings, and enable "Exchange Servers" under Permission Groups.

Now for the keen people, the explanation for why we have to choose the above settings.

The Externally Secured setting tells Exchange that the emails received on this connector come from “External Authoritative” servers, so these emails are trusted. This assumes the external servers are in a physically controlled network and that you know and trust the sources.

The ExternalAuthoritative authentication method requires the ExchangeServers permission group. This combination of authentication method and permission group permits the resolution of anonymous sender email addresses for messages that are received through this connector. So an anonymous sender email address can use your own domain name (e.g., DoNotReply@company.com) and Exchange will accept these emails.
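The same setup done from the Exchange Management Shell, as an added example that is not part of the original post. The server name, IP addresses and connector name are placeholders, and limiting `RemoteIPRanges` to the known application servers is an assumption that follows from "you know and trust the sources".

```powershell
# Run in the Exchange Management Shell. All values below are placeholders
# (assumptions for this example); replace them with your own.
$Server      = 'EXCH01'                     # hypothetical transport server
$ConnectorIP = '10.0.0.25'                  # the additional IP assigned to the NIC
$AppServers  = '10.0.10.11', '10.0.10.12'   # application servers you know and trust
$Name        = 'Internal App Relay'

# 1. Dedicated connector: listens only on the additional IP and accepts
#    connections only from the listed application servers.
New-ReceiveConnector -Name $Name -Server $Server `
    -TransportRole FrontendTransport -Custom `
    -Bindings "$($ConnectorIP):25" -RemoteIPRanges $AppServers

# 2. Equivalent of ticking "Externally secured" and "Exchange servers"
#    on the Security tab of the connector.
Set-ReceiveConnector "$Server\$Name" `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# 3. Review what was actually applied.
Get-ReceiveConnector "$Server\$Name" |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# 4. Audit: list every externally secured connector on the server and flag
#    any that accepts connections from all addresses, because every host in
#    its RemoteIPRanges is treated as a trusted internal sender.
Get-ReceiveConnector -Server $Server |
    Where-Object { "$($_.AuthMechanism)" -match 'ExternalAuthoritative' } |
    ForEach-Object {
        $ranges = $_.RemoteIPRanges | ForEach-Object { "$_" }
        [pscustomobject]@{
            Connector = $_.Identity
            Ranges    = $ranges -join ', '
            OpenToAll = [bool]($ranges -match '^(0\.0\.0\.0-255\.255\.255\.255|::-ffff)')
        }
    }
```

Any connector reported with `OpenToAll = True` should have its remote IP ranges narrowed to the specific application servers before it is left enabled.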

I hope you have a clear idea after reading this blog. Leave me a “Hello” below.

Sources:
https://docs.microsoft.com/en-us/exchange/receive-connector-authentication-mechanisms-exchange-2013-help
https://docs.microsoft.com/en-us/Exchange/mail-flow/connectors/receive-connectors?view=exchserver-2019
