Configure Incoming Filtering with Exchange Online (Microsoft 365)

In order to configure incoming filtering for Exchange Online/Microsoft 365 follow these steps:

Step 1 - Add the domain in Mail Assure

We recommend Adding Domains and Mailboxes via Microsoft 365 sync.

Domains can be added in two ways:

To add the domain manually:

  1. Login to Mail Assure as an Admin Level user
  2. Navigate to General > Domains Overview
  3. Click Add Domain

  4. Select Setup Manually

  5. Enter the domain name and assign the domain to an Admin and click Next

    Assigning a domain dictates the ownership of a domain. The only users who can access this domain will be the top level Tenant user and the Sub-Admin to which it has been assigned.

    6. If the domain entered returns a destination of onmicrosoft.com or outlook, a prompt will be given which will either take you to Configure Microsoft 365 Sync for the domain, or to continue adding the domain manually.

  6. To keep message logs and quarantine storage within a specific geographic region, choose the territory from the Region dropdown:
    • Global (recommended)
    • United States
    • European Union
    • United Kingdom
    • Asia-Pacific
    • South Africa

    This does not affect the mail-flow into and out of the domain. Specific Geographic MX records and relay servers must be used to alter mail-flow locations.

    We recommend using the default Global region to make optimal use of our globally distributed cloud and infrastructure redundancy. When selected, our Global data centers are used for email filtering, logging and quarantine.

    We then validate the entered destination and port information. For example, ensure it resolves to a valid IP address and attempt to query the domain's MX records. Where we detect an issue this is displayed in the dialog for review.

  7. In the Destination route hostnames fields, add the mail server address (IP or FQDN) along with the Port incoming mail is to be routed through after filtering

    Click + Add route to include additional routes and ports for the domain. Use the drag and drop feature to reorder the destinations and ports. Adding multiple routes here is preferable for load balancing purposes or if an alternative route is needed in case of failover.

    For more information on how to find your Destination server address, see Find Destination Server Hostname

    If you do not have a specific destination server route to add from the start, Mail Assure will automatically fill in a suggested destination route for you (this route is detected from the domain's existing MX records), with a default destination port 25.

    Once you have set your destination route(s) here, they will be displayed in the Incoming > Destinations page - see Manage Destinations

  8. Click Next
  9. You will now be presented with the Domain Verification instructions. Follow the steps provided here to verify ownership of the domain you are adding

    This step is mandatory, either now or after the domain has been added.

    Cross-domain aliases will be disabled for this domain until you verify ownership

  10. After Verification, you will see the Settings tab.

    On this page, configure the Default settings for the domain:

    • Incoming Filtering - If enabled, all inbound email will be filtered
    • Email Scout Reports - If enabled, Email Scout Reports will be automatically enabled so that they are sent to each recipient in your domain, up to 3 times a day
    • Only accept email to your defined mailboxes - If enabled, inbound mail will only be accepted to mailboxes that appear in Mail Assure
    • Email archiving - If enabled, a backup of all your organizations mail will be taken
    • Default Private Portal Policies - If enabled, four policies will be created automatically every time the sync runs, to send emails that match the criteria to the Private Portal:
      • Messages where the subject contains 'Private'
      • Messages where the subject contains 'Confidential'
      • Messages where the subject contains sensitive data
      • Messages where the subject contains the padlock emoji (unicode character "U+1f512", or shortcodes ":lock:", "(locked)" or ":locked:")

        Please check with your provider for how to add this

    • Timezone - Set the timezone the domain is based in
    • Date format - Select a date format
    • Time Format - Select a time format

  11. Click Finish and configure mailboxes

    The summary page will also advise to update your MX records and configure Firewalls once the domain has been added. These steps must be completed

  1. Login to Mail Assure as an Admin Level user
  2. Navigate to General > Domains Overview
  3. Click Add domain

  4. Select Import from CSV and click Next

  5. Drag and drop the CSV file into the upload section of the dialog or use browse to navigate to its location on the local computer

    You may download an example CSV file by clicking this button to confirm the file format used in your own CSV is correct

  6. Select Import to import the file

    Any issue identified with the file are reported in the "Upload CSV file" section. For example it was not a CSV file

    If the domain entered returns a destination of onmicrosoft.com or outlook, a prompt will be given which will either take you to Configure Microsoft 365 Sync for the domain, or to continue adding the domain manually.

  7. You will see the Settings tab

    Here you can configure the Default settings for the imported domains:

    • Incoming Filtering - If enabled, all inbound email will be filtered
    • Email Scout Reports - If enabled, Email Scout Reports will be automatically enabled so that they are sent to each recipient in your domain, up to 3 times a day
    • Only accept email to your defined mailboxes - If enabled, inbound mail will only be accepted to mailboxes that appear in Mail Assure
    • Email archiving - If enabled, a backup of all your organizations mail will be taken
    • Default Private Portal Policies - If enabled, four policies will be created automatically every time the sync runs, to send emails that match the criteria to the Private Portal:
      • Messages where the subject contains 'Private'
      • Messages where the subject contains 'Confidential'
      • Messages where the subject contains sensitive data
      • Messages where the subject contains the padlock emoji (unicode character "U+1f512", or shortcodes ":lock:", "(locked)" or ":locked:")

        Please check with your provider for how to add this

    • Timezone - Set the timezone the domain is based in
    • Date format - Select a date format
    • Time Format - Select a time format
  8. Click Finish and configure mailboxes

    The summary page will also advise to update your MX records and configure Firewalls once the domain has been added. These steps must be completed

Step 2 - Create a partner connector and rule in Exchange Online to accept filtered mail

For further details about creating a partner connector and rule in either the Classic EAC or the New EAC in Microsoft 365, and to ensure you fully read the Microsoft documentation page.

Before beginning, ensure you are a member of the Organization Management role groups in the Microsoft 365 defender portal and Exchange Online.

Step 2:1 - Create the Partner Connector in the Exchange Admin Center

  1. Log in to the Exchange Admin Center with Organization Management admin credentials
  2. Click on Mail Flow > Connectors
  3. Click the + button to add a connector
  4. Choose the following:
    1. Connection From - Partner organization
    2. Connection To - Microsoft 365
  5. Click Next
  6. Give the connector a Name you will recognize in Step 2:2 #5 and optionally, provide a description
  7. Ensure the What do you want to do after connector is saved setting, Turn it On is selected
  8. Click Next
  9. Choose By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization
    1. Add the following Mail Assure delivery IP ranges one at a time and click the + symbol:
      • 130.117.251.9/25
      • 185.201.16.0/24
      • 185.201.17.0/24
      • 185.201.18.0/24
      • 185.201.19.0/24
  10. Click Next
  11. Ensure that Reject email messages if they aren't sent over TLS is ticked and click Next
  12. Verify the settings and click Create Connector
  13. Click Done

Step 2:2 - Create the Rule in the Microsoft 365 Defender Security Portal

  1. Login to the Microsoft 365 defender security portal with Organization Management admin credentials
  2. Under the Email & Collaboration section of the left-hand menu, select Policies & Rules
  3. Click Threat Policies
  4. Scroll to the Rules section and select Enhanced Filtering
  5. Select the Connector Name as created in step 2:1
  6. Select Skip these IP addresses:
    • 130.117.251.9/25
    • 185.201.16.0/22
  7. For Apply to these users, select Apply to Entire Organization
  8. Click Save

Failing to setup the partner connector correctly will cause messages to be incorrectly rejected by the Microsoft systems.

Step 3 - Change MX record for the domain to point to incoming servers

Once you have verified configuration as above, update the domain's MX records to route mail through Mail Assure. For full details on MX records (including region specific MX records), see MX Records.