Hybrid/EOP Send Connector Requirements
I haven't received an alert or email about this from Microsoft as yet, so I'm whipping up a quick post in case I'm not the only one.
Starting on 05-Jul-2017, customers with hybrid Exchange deployments (or EOP) won't be able to relay mail through Exchange Online / EOP, unless their configured send connector(s) meet the requirements set forth in a recent Exchange team blog post and a corresponding support KB.
The KB is more clear, but the short version is that you should configure your hybrid/EOP send connector(s) to authenticate via TLS certificate(s). As the KB points out, you can meet a base level of functionality simply by registering the domain(s) in question within Office 365.
However, you probably use relay today in ways which aren't supported by default in O365, such as sending NDRs, forwarding via rules, or sending from domains which you haven't added to O365. After July 5th, these scenarios will require TLS certificate authentication. Both the KB and the post include the procedure for configuring your connector(s), along with links to procedures for installing your certificate(s) and setting up mail relay.