Using Your Own SMTP Provider

Status: Released | Updated: 26 Feb 2026

MyPass can send system emails, enrollment invitations, one-time passcodes, password reset confirmations, and administrative alerts through your own corporate email infrastructure. Rather than routing mail through a third-party relay, all outbound email originates from the MyPass Gateway Server that lives inside your own network and sends directly through your chosen SMTP provider.

How Email Flows Through Your Infrastructure

Because the MyPass Gateway Server sits inside your network perimeter, email never leaves your control. The Gateway authenticates with your SMTP provider, hands off the message, and your provider delivers it to the end user in the normal way.

The Gateway is the only component that ever contacts your SMTP provider - MyPass Cloud itself does not make outbound SMTP connections.

Allowing the Gateway as a Permitted Relay

Your SMTP provider or mail server will, by default, reject relay attempts from unknown senders. You must explicitly allow the MyPass Gateway Server's IP address or hostname as a permitted relay host before any email can be sent.

The exact configuration location varies by provider, but the principle is the same across all of them:

| Provider type | Where to add the relay permission |
| --- | --- |
| Microsoft Exchange (on-premises) | Receive Connector → permitted IP ranges |
| Microsoft 365 (Exchange Online) | Enhanced Filtering / Connector from on-premises |
| Google Workspace | SMTP relay service → allowed senders |
| Generic SMTP relay (e.g. SendGrid, Mailgun, Postfix) | IP allowlist or authenticated relay credentials |

Your MyPass implementation team will provide the static IP address or hostname of the Gateway Server during deployment. This is the only address that needs to be permitted.

Important

The relay permission must be in place before testing email delivery. If the Gateway's IP is not on the allowlist, the SMTP provider will silently reject or bounce messages - this is the most common cause of email delivery failures during initial setup.

Connection and Authentication Details

To connect the MyPass Gateway to your SMTP provider, the following three parameters are required regardless of the authentication method used:

| Parameter | Description | Example |
| --- | --- | --- |
| SMTP Endpoint | The hostname or IP address of your mail server or relay service | smtp.office365.com, mail.yourcompany.com |
| Port | Standard SMTP port - typically 587 (STARTTLS) or 465 (SSL) | 587 |
| Username | The account used to authenticate with the SMTP service | mypass-relay@yourcompany.com |

Basic Authentication

The simplest and most common configuration uses a username and password. You supply a dedicated mailbox or relay account, and the Gateway uses those credentials to authenticate each outbound connection.

Important

We recommend creating a dedicated service account for MyPass email delivery rather than reusing a named user's mailbox. This makes it straightforward to rotate credentials and avoids disruption if an individual user account is modified or disabled.

Other Authentication Methods

MyPass is not limited to basic username/password authentication. The Gateway can work with any authentication mechanism your SMTP provider supports, including:

  • OAuth 2.0 / Modern Authentication - required for Microsoft 365 when Basic Auth is disabled at the tenant level
  • Certificate-based authentication - for providers that accept mutual TLS
  • API key authentication - for cloud relay services such as SendGrid or Mailgun that issue provider-specific API keys in place of passwords

Your implementation team will work with you to configure whichever method your environment requires. If your provider has a specific onboarding or app-registration process (such as registering an Azure AD application for OAuth), those steps will be completed as part of the deployment engagement.

Sender Address Configuration

The From address that appears in the recipient's inbox is fully under your control. MyPass will use whatever sender address you specify, provided it is:

  1. A valid address within a domain your SMTP provider is authorised to send on behalf of
  2. Permitted by your SPF, DKIM, and DMARC records (so messages are not flagged as spam)

Common choices organisations use:

| Example address | Typical use |
| --- | --- |
| no-reply@yourcompany.com | Clean, clearly automated - discourages users from replying to system mail |
| mypass@yourcompany.com | Clearly branded to the product |
| it-helpdesk@yourcompany.com | Associates self-service email with the IT team |
| noreply@mail.yourcompany.com | Uses a dedicated mail subdomain |

The display name shown alongside the address (e.g. "MyPass Self-Service") can also be configured separately from the address itself.

Important

If your organisation enforces strict DMARC policies, confirm with your email administrator that the chosen sender address and sending domain are covered by your SPF and DKIM configuration. Misconfigured DNS records are the second-most common cause of delivery failures after missing relay permissions.
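An offline pre-check of the sender-address conditions above, as an added example (not MyPass code): it evaluates an SPF record against the address your SMTP provider delivers from, since the provider hands the message to the recipient's mail server, and then tests DMARC alignment for the chosen From address. The TXT records, IP addresses and the `provider.example` names are constructed placeholders, and the organisational domain is approximated as the last two labels, which is an assumption.

```python
import ipaddress

# Constructed sample TXT records (placeholders, not real DNS data).
SPF_TXT = "v=spf1 ip4:203.0.113.0/24 include:spf.provider.example -all"
DMARC_TXT = "v=DMARC1; p=reject; adkim=s; aspf=r"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(spf_txt, sending_ip):
    """Evaluate ip4/ip6/all left to right; terms needing DNS are listed, not resolved."""
    ip = ipaddress.ip_address(sending_ip)
    unresolved = []
    for term in spf_txt.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        name, _, value = mech.partition(":")
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], unresolved
        elif name.lower() == "all":
            # A verdict from "all" is only final if nothing before it was skipped.
            return ("unresolved" if unresolved else QUALIFIERS[qualifier]), unresolved
        else:
            unresolved.append(mech)
    return "neutral", unresolved

def parse_tags(txt):
    """Split a DMARC record into its tag=value pairs."""
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)

def org_domain(domain):
    # Assumption: the last two labels; a real check needs the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_pass(dmarc_txt, from_addr, spf_result, mailfrom_domain, dkim_ok, dkim_domain):
    """DMARC passes when SPF or DKIM both passes and aligns with the From domain."""
    tags = parse_tags(dmarc_txt)
    from_domain = from_addr.rsplit("@", 1)[1]
    spf_ok = spf_result == "pass" and aligned(from_domain, mailfrom_domain, tags.get("aspf", "r"))
    dkim_good = dkim_ok and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return spf_ok or dkim_good

if __name__ == "__main__":
    print(spf_check(SPF_TXT, "203.0.113.25"))
    print(dmarc_pass(DMARC_TXT, "noreply@mail.yourcompany.com", "fail", "bounce.provider.example", True, "yourcompany.com"))
```

With `adkim=s`, a From address on the `mail.yourcompany.com` subdomain does not align with a DKIM signature for `yourcompany.com`, so the sample call returns False until the signing domain matches the subdomain or alignment is relaxed.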

What to Provide to Your Implementation Team

When you are ready to configure SMTP delivery, gather the following:

  • Gateway IP/hostname: provided by MyPass; share with your email administrator to create the relay allowance
  • SMTP endpoint and port: provided by your email administrator or SMTP vendor
  • Authentication credentials: username and password (or OAuth client ID/secret, API key, etc.)
  • Sender address: the From address you want end users to see
  • Display name: the friendly name shown alongside the sender address

With these details in hand, SMTP configuration is completed during the deployment engagement and typically takes less than an hour to test and confirm end-to-end.