Configure Incoming Filtering with Exchange Online (Microsoft 365)

In order to configure incoming filtering for Exchange Online/Microsoft 365 follow these steps:

Step 1 - Add the domain in SpamExperts

Domains can be added in two ways:

To add the domain manually:

  1. Login to SpamExperts as an Admin Level user
  2. Navigate to General > Add Domain
  3. Enter your fully qualified domain name and click Continue

  4. Add your Destination Route hostname where incoming mail is being routed through after filtering

    5. If you do not have a specific destination server route to add from the start, SpamExperts will automatically fill in a suggested destination route for you (this route is detected from the domain's existing MX records if present), with a default destination port 25.

    For more information on how to find your Destination server address, see Find Destination Server Hostname

    Add multiple routes here for load balancing purposes.

    Once you have set your destination route(s) here, they will be displayed in the Incoming > Destinations page - see Manage Destinations.

  5. To keep message logs and quarantine storage within a specific geographic region, choose the territory from the Region dropdown:
    • Global
    • Europe
    • APAC

    This does not affect the mail-flow into and out of the domain. Specific Geographic MX records and relay servers must be used to alter mail-flow locations.

    We recommend using the default Global region to make optimal use of our globally distributed cloud and infrastructure redundancy. When selected, our Global data centers are used for email filtering, logging and quarantine.

  6. Choose to enable Email Scout Reports - This will automatically enable Email Scout Reports so that they are sent to each recipient in your domain, up to 3 times a day
  7. Click Next
  8. Confirm the details of the domain to add and click Add and configure, which will take you into the domain to continue configuration, or Add and go to overview, which will take you to the Domain Overview page where you will see the new domain added to the Domains list
  1. Login to SpamExperts as an Admin Level user

    This should be the domains parent admin (the admin to which the domain is assigned)

  2. Click on General > Add Domain
  3. Select Upload CSV file

  4. You will now be taken to the Upload CSV file page. From here, use browse to navigate to the files location on the local computer

  5. Select Upload to import the domains

    6. Any issue identified with the file are reported in the "Upload CSV file" section. For example it was not a CSV file.

Step 2 - Create a partner connector and rule in Exchange Online to accept filtered mail

For further details about creating a partner connector and rule in either the Classic EAC or the New EAC in Microsoft 365, and to ensure you fully read the Microsoft documentation page.

Before beginning, ensure you are a member of the Organization Management role groups in the Microsoft 365 defender portal and Exchange Online.

Step 2:1 - Create the Partner Connector in the Exchange Admin Center

  1. Log in to the Exchange Admin Center with Organization Management admin credentials
  2. Click on Mail Flow > Connectors
  3. Click the + button to add a connector
  4. Choose the following:
    1. Connection From - Partner organization
    2. Connection To - Microsoft 365
  5. Click Next
  6. Give the connector a Name you will recognize in Step 2:2 #5 and optionally, provide a description
  7. Ensure the What do you want to do after connector is saved setting, Turn it On is selected
  8. Click Next
  9. Choose By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization
    1. Add the following SpamExperts delivery IP ranges one at a time and click the + symbol:
      • 130.117.251.9/25
      • 185.201.16.0/24
      • 185.201.17.0/24
      • 185.201.18.0/24
      • 185.201.19.0/24
      • 199.115.117.7/32
      • 46.165.223.16/32
      • 94.75.244.176/32
  10. Click Next
  11. Ensure that Reject email messages if they aren't sent over TLS is ticked and click Next
  12. Verify the settings and click Create Connector
  13. Click Done

Step 2:2 - Create the Rule in the Microsoft 365 Defender Security Portal

  1. Login to the Microsoft 365 defender security portal with Organization Management admin credentials
  2. Under the Email & Collaboration section of the left-hand menu, select Policies & Rules
  3. Click Threat Policies
  4. Scroll to the Rules section and select Enhanced Filtering
  5. Select the Connector Name as created in step 2:1
  6. Select Skip these IP addresses and input the following:
    • 185.201.16.0/22
    • 130.117.251.9/25

      Once added, this IP address may update to 130.117.251.0/25. This is acceptable behavior as both IP's fall under the same subnet.

    • 199.115.117.7/32
    • 46.165.223.16/32
    • 94.75.244.176/32

    You must click the IP address that matches what is typed in order for it to be added successfully:

  7. Under Apply to these users, select Apply to Entire Organization
  8. Click Save

Failing to setup the partner connector correctly will cause messages to be incorrectly rejected by the Microsoft systems.

Step 3 - Change MX record for the domain to point to incoming servers

Once you have verified configuration as above, update the domain's MX records to route mail through SpamExperts. For full details on MX records (including region specific MX records), see Hosted Cloud MX Records.

Step 4 - Disable Safe Links Processing to permit Email Scout Reports and Protection Reports

When using SpamExperts and Microsoft 365, Microsoft Advanced Threat Protection scans all links within messages, including the links within Email Scout Reports and Protection Reports and triggers the links to release or release and train messages.

Disable this by:

  1. Log in to the Exchange Admin Center with Organization Management admin credentials
  2. Go to Mail flow > Rules
    1. Select Add a rule
    2. Select Create a new rule
  3. In the Set rule conditions dialogue box, name the rule Mail Assure ATP ESR bypass or a similar descriptive name of your choice
  4. Select the conditions and actions for this rule:
    1. For Apply this rule if…, select the condition:
      1. Select The message headers
      2. Select Includes any of these words
        1. In the first enter text field enter List-Unsubscribe
        2. In the second enter text field enter lazaretto
    2. In Do the following…
      1. Select Modify the message properties
      2. Select Set a message header
        1. In the first enter text field enter X-MS-Exchange-Organization-SkipSafeLinksProcessing
        2. In the second enter text field enter 1
    3. Leave the Except if fields blank
    4. Select Next
  5. Set the rule settings as appropriate for your environment
    1. Select Next
  6. Review the summary of the settings, and select Next

Once this rule is created, Microsoft will no longer scan (and trigger) the links within Email Scout Reports.