A warning to never daisy-chain services is bad advice meant to avoid a Microsoft product’s weakness.
Sure, trying the same in the cloud should not be encouraged because of the number of hops the email would have to make from one daisy-chained cloud to another. But does that mean you shouldn’t daisy-chain ever? I don’t think so.
The article includes a scenario where a person wanted to test Exchange Online Protection (EOP) by simply turning off third-party services in their daisy-chained filter. Because EOP can evaluate only the connecting IP address, it won’t see the originating IP address, so it will miss spam from those outside IP addresses.
But if your intent is to test EOP (which is built into Exchange Online), it would not make sense to continue using a daisy-chained service in front of it. You’re better off moving your MX records to perform a proper test, rather than turning off your third-party filter but still allowing mail to flow through it.
The article says “daisy-chaining is always discouraged as it will not show a complete picture of EOP’s spam-detection capabilities.” I believe the article should have said “is always discouraged if you are trying to legitimately evaluate EOP.”
To say it’s always discouraged, then conclude with the direct command “don’t daisy-chain” as an ostensible best practice shows a real lack of real-world experience.
The fact is that EOP isn’t the only protection option available, and it lacks enterprise-grade features like link protection to protect against spear phishing. Yes, Microsoft says “time of click” and “zero-day” protection functionality is on the release road map for a year or so from now to protect you from spear phishing.
But if spear phishing is a concern for you today (as it should be), you need a better option than EOP in place. A non-EOP solution — such as antimalware filtering — requires daisy-chaining at least one service in front of Exchange Online.
Although I don’t encourage that you daisy-chain multiple filtering services, it’s not only common to have one service bolted onto Exchange, it’s actually necessary in many real-world situations.
Exchange MVP Steve Goodman concurs: “Some proponents of an Office 365-only option might suggest otherwise, but it is perfectly fine to front Exchange Online with another service.”
At a time when IT admins are leery to jump all in with Office 365, they need more options and greater flexibility available to them, not fewer.