Configure Incoming Filtering with Exchange Online (Microsoft 365)

In order to configure incoming filtering for Exchange Online/Microsoft 365 follow these steps:

• Step 1 - Add the domain in Mail Assure
• Step 2 - Create a partner connector and rule in Exchange Online to accept filtered mail
• Step 3 - Change MX record for the domain to point to incoming servers

Step 1 - Add the domain in Mail Assure

We recommend Adding Domains and Mailboxes via Microsoft 365 sync.

To add the domain manually:

1. Log in to the Mail Assure control panel as an admin
2. Click on General > Domains Overview
3. Select Add Domain
4. Select Setup Manually
5. Enter the domain name and assign the domain to an Admin
6. Click Continue
7. Under the Destination Routes Hostname enter the destination server IP/hostname, or use the auto-detected route if it is correct

   This may need to be changed as the automatically detected route is detected from the present MX records. Avoid using the filter addresses or any other filtered destination

8. Click Add route to add additional route hostnames

   Do not enter multiple hosts for the same destination route e.g. mail.example.invalid and 1.2.3.4 where 1.2.3.4 is the IP address for mail.example.invalid

9. Select the Region from the dropdown from the following selection
   1. Global (Recommended)

      We strongly recommend using the Global region to provide maximum redundancy

   2. United States
   3. European Union
   4. United Kingdom
   5. Canada
   6. Australia
   7. South Africa
10. Click Next
11. Verify ownership of the domain by adding the provided TXT record to the DNS configuration of the domain and click Verify
12. Select the features to enable for the domain:
    1. Incoming Filtering
    2. Email Scout Reports
    3. Only accept email to your defined mailboxes
    4. Email Archiving
    5. Timezone
    6. Date Format
    7. Time Format
13. Click Next to view a summary of the domain configuration
14. Select Finish to close the wizard or Finish and Configure Mailboxes to close the wizard and open the domains Mailboxes Configuration page

Step 2 - Create a partner connector and rule in Exchange Online to accept filtered mail

For further details about creating a partner connector and rule in either the Classic EAC or the New EAC in Microsoft 365, and to ensure you fully read the Microsoft documentation page.

Before beginning, ensure you are a member of the Organization Management role groups in the Microsoft 365 defender portal and Exchange Online.

Step 2:1 - Create the Partner Connector in the Exchange Admin Center

1. Log in to the Exchange Admin Center with Organization Management admin credentials
2. Click on Mail Flow > Connectors
3. Click the + button to add a connector
4. Choose the following:
   1. Connection From - Partner organization
   2. Connection To - Microsoft 365
5. Click Next
6. Give the connector a Name you will recognize in Step 2:2 #5 and optionally, provide a description
7. Ensure the What do you want to do after connector is saved setting, Turn it On is selected
8. Click Next
9. Choose By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization
   1. Add the following Mail Assure delivery IP ranges one at a time and click the + symbol:
      • 130.117.251.9/25
      • 185.201.16.0/24
      • 185.201.17.0/24
      • 185.201.18.0/24
      • 185.201.19.0/24
10. Click Next
11. Ensure that Reject email messages if they aren't sent over TLS is ticked and click Next
12. Verify the settings and click Create Connector
13. Click Done

Step 2:2 - Create the Rule in the Microsoft 365 Defender Security Portal

1. Login to the Microsoft 365 defender security portal with Organization Management admin credentials
2. Under the Email & Collaboration section of the left-hand menu, select Policies & Rules
3. Click Threat Policies
4. Scroll to the Rules section and select Enhanced Filtering
5. Select the Connector Name as created in step 2:1
6. Select Skip these IP addresses:
   • 130.117.251.9/25
   • 185.201.16.0/22
7. For Apply to these users, select Apply to Entire Organization
8. Click Save

Failing to setup the partner connector correctly will cause messages to be incorrectly rejected by the Microsoft systems.

Step 3 - Change MX record for the domain to point to incoming servers

Once you have verified configuration as above, update the domain's MX records to route mail through Mail Assure. For full details on MX records (including region specific MX records), see MX Records.