Will LE let us install an SSL cert on a domain on our server, whilst the mail is hosted with Office365?
With Google pushing for everyone to have an SSL cert, some clients will have the email and hosting in separate locations, and therefore this will be a perennial issue.
We have a new client asking the above question before they move to our hosting platform, so we're hoping to have a de facto answer.
Your description of the situation wasn’t enough for me to be sure of the answer, but hopefully the facts below will help you (and others interested) figure it out for yourself or ask questions that get more into the details.
Let’s Encrypt is willing to issue certificates for any Fully Qualified Domain Names you can prove you control on the Internet. At a high level the proofs (for Let’s Encrypt specifically) are in the form of controlling an HTTP (port 80) web server with that name on the Internet, OR controlling an HTTPS (port 443) web server with that name on the Internet, OR being able to modify the DNS records for that name. If you can do any of those three things you should be able to obtain certificates from Let’s Encrypt.
Where you install the certificates is up to you, with the caveat that the private keys associated with certificates issued by Let’s Encrypt need to remain under your control. This most often comes up with either test systems whose keys get mistakenly uploaded somewhere or mass-produced products designed to be sold to an end user where lots of end users will end up with the same private key. Obviously that’s no good for security, so Let’s Encrypt prohibits this. It doesn’t sound like you’re doing either of those things so you just need to take ordinary care of your private keys.
Google doesn't care if you encrypt your mail traffic at all; it just focuses on encrypted HTTP (HTTPS). Whether or not you have outsourced your mail services does not have an effect on the web hosting of any domain.
Actually the G in Gmail stands for “Google”. Gmail marks email participants whose mail server seems not to encrypt email in transit or accept encrypted email from Gmail as being less secure. Google also publishes reports on the extent to which providers in different parts of the world are using encrypted mail transport as part of its Transparency Report.
So yes, as well as pushing for an encrypted Web actually Google are pushing for encrypted email too. While it’s true that most email encryption is opportunistic today, down the road we can hope that mandatory encryption will be practical and then it can become popular in turn.
Thanks for the clarification. What I meant by "does not care" is that there is no impact on the search engine rank of a website if the mail services belonging to the domain don't handle encrypted connections. At least I have not heard/read about that.
As @tialaramex pointed out, the required step to issue a certificate is validating that you own the domain, which can be done in one of three ways. Email servers play no part in the verification process.
A further fact that nobody has mentioned in this thread yet is that you can have DNS A and MX records pointing to different servers. The A record is used by web browsers when connecting to a web site, while the MX record is used by mail servers when delivering incoming e-mail.
So for example, if you look at the DNS records for microsoft.com, there is a series of A records giving different IP addresses for microsoft.com which are used by your browser when you try to connect to https://microsoft.com/. There is also an MX record stating that the mail exchanger is microsoft-com.mail.protection.outlook.com., which in turn has different IP addresses from any of the microsoft.com IP addresses, and which is used by mail servers when they want to send e-mail to people @microsoft.com.
The independence of these two records means that if your “mail hosting” consists only of setting an MX record, it won’t affect your ability to obtain or deploy a certificate for your web site in any way.
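To make the two points above concrete (the three ACME validation methods described earlier in the thread, and the independence of A and MX records described in this post), here is an added example in Python; it is not code from the thread or from Let's Encrypt. It builds a constructed zone for a hypothetical example.com whose web server sits on our own host (an RFC 5737 test address) while its MX points at an Office 365 hostname, resolves where a browser (and an HTTP-01 validator) would connect versus where a sending MTA would deliver, and computes the exact values an ACME client publishes for HTTP-01 and DNS-01 per RFC 8555. The token and account thumbprint are placeholders.

```python
"""Added example (not from the forum thread): a toy resolver over a
constructed zone showing that the host a browser (and an ACME HTTP-01
validator) connects to is chosen by the A record, while the host an MTA
delivers mail to is chosen by the MX record, plus the values an ACME
client publishes for the HTTP-01 and DNS-01 challenges (RFC 8555).
All names and addresses below are made up (RFC 5737 test ranges)."""
import base64
import hashlib

# Constructed zone for the scenario in the thread: web on our own server,
# mail outsourced to Office 365. Format: owner TTL IN TYPE rdata...
ZONE = """
example.com.      300 IN A   203.0.113.10
www.example.com.  300 IN A   203.0.113.10
example.com.      300 IN MX  0 example-com.mail.protection.outlook.com.
example-com.mail.protection.outlook.com. 300 IN A 198.51.100.25
"""


def parse_zone(text):
    """Return a list of (owner, type, rdata-fields) tuples."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            raise ValueError("unsupported record: %r" % line)
        owner, rtype, rdata = fields[0].lower(), fields[3], fields[4:]
        records.append((owner, rtype, rdata))
    return records


def lookup(records, name, rtype):
    """All rdata for records of the given type owned by name."""
    name = name.lower().rstrip(".") + "."
    return [r for o, t, r in records if o == name and t == rtype]


def web_target(records, name):
    """IP a browser or HTTP-01 validator connects to for http(s)://name/."""
    a = lookup(records, name, "A")
    return a[0][0] if a else None


def mail_target(records, name):
    """Host an MTA delivers mail for user@name to (RFC 5321 section 5.1):
    the lowest-preference MX, or the name itself if no MX exists."""
    mx = lookup(records, name, "MX")
    if not mx:
        return name.lower().rstrip(".") + "."
    return min(mx, key=lambda r: int(r[0]))[1].lower()


def mail_target_ip(records, name):
    """Resolve the MX host to the address mail actually goes to."""
    return web_target(records, mail_target(records, name))


def http01_url(name, token):
    """URL the CA fetches for the HTTP-01 proof (RFC 8555 section 8.3)."""
    return "http://%s/.well-known/acme-challenge/%s" % (name, token)


def dns01_txt(name, token, account_thumbprint):
    """TXT record name and value for DNS-01 (RFC 8555 section 8.4): the
    value is base64url(SHA-256(token + "." + JWK thumbprint)), unpadded."""
    key_auth = token + "." + account_thumbprint
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return "_acme-challenge." + name.rstrip(".") + ".", value


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print("browser / HTTP-01 goes to:", web_target(recs, "example.com"))
    print("mail goes to:", mail_target(recs, "example.com"),
          mail_target_ip(recs, "example.com"))
    # Placeholder token and thumbprint; real ones come from the ACME server
    # and from your account key respectively.
    print(http01_url("example.com", "tokenXYZ"))
    print(dns01_txt("example.com", "tokenXYZ", "thumbprintABC"))
```

Note the no-MX fallback in mail_target: a name with an A record but no MX still receives mail at that A address (implicit MX), so for a domain whose mail is meant to stay at Office 365 the MX record must actually exist, while the certificate validation never touches it.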