Configure Microsoft 365 with SpamExperts Local Cloud

The details on this page relate to SpamExperts Local Cloud only. For information on configuring for SpamExperts Hosted Cloud, see:

As the majority of this is documented by Microsoft for their system, please see the Microsoft documentation for setting up a third-party spam filter

Incoming filtering

Basic steps to protect your domain:

  1. Add a domain via the SpamExperts web interface, ensure the destination route is set to the MX record hostname provided by Microsoft 365
  2. Follow the Microsoft documentation for setting up a third-party spam filter
    • For Step #3: IP Addresses to Skip in the "Use the Microsoft 365 Defender portal to configure Enhanced Filtering for Connectors on an inbound connector" section of the above Microsoft documentation, ensure you add the IP address ranges of your cluster
  3. Change the MX records of the domain in the DNS to point to the MX records used for the incoming filter

Outgoing filtering per domain configuration

Step 1: Create Outgoing User/Authentication Method in SpamExperts

  1. Log in to the SpamExperts control panel as an admin
  2. Select General > Domains Overview then click on the relevant domain to open the Domain Level Control Panel
  3. Select Outgoing > Manage Users
  4. Select the Authenticating Domain tab and ensure that the domain you are using with Exchange Online is shown
  5. Enter a secure password and click Add and configure
  6. The secure password is only required to complete the configuration process. Once set, it is no longer needed.

  7. Configure the Authentication method as required, ensuring that Re-authentication permitted is enabled

  8. Click Save

For full details on Authentication methods, see Outgoing Users/Authentication Methods

Step 2: Set up a Transport Rule in Exchange Online

For full details on configuring this in either the Classic EAC or the New EAC, see the Microsoft documentation to set up connectors for secure mail flow.

When enabling Route messages through these smart hosts, ensure you provide hostname for the IP address configured for outbound filtering on port:25 e.g.

smtpout25.yourdomain.invalid

Cluster Configuration for Outbound filtering for Microsoft 365

You must have outbound filtering configured on a dedicated IP to listen for connections on port:25. Using existing IPs will cause traffic to be treated as Inbound. If you do not have this configured, Please contact our support team by through N-AbleMe.

For this to work successfully the following is needed:

  • A minimum of 2 public IPs on a node

    This is required as Microsoft 365 (Exchange Online) needs to be able to contact the local filter notes on an additional public interface listening for outbound connections on port 25.

  • The secondary public IP configured to use port 25 for outgoing usage. Please contact SpamExperts support to have this enabled on a secondary IP
  • Microsoft 365 IP's (from Microsoft's current published list) added to a controlled authenticating domain as authenticating users (IP addresses) - 1 user per IP address range from Microsoft
    • Make sure that you add these IP Addresses with the option to Re-authenticate as sending domain enabled

    We recommend setting this on a domain specifically for this purpose. All mail which does not successfully re-authenticate will be logged against the domain with the IP outbound users listed.

As Microsoft 365 can sometimes change their IPs without notice, its advised to periodically check and update the existing IPs added

Email archiving

Basic steps to archive your domain's email:

  1. Ensure that archiving is enabled on the domain in SpamExperts("Status" page in the "Archive" section)
  2. Any incoming/outgoing email passing the domain will automatically be archived by default
  3. Set up a filter rule to also archive the Microsoft 365 internal message using a mail rule, or for archive-only, set a rule to archive all email
    1. Go to the domain dashboard, enable the archiving service on the "Status" page in the "Archive" section
    2. By default, all incoming/outgoing email processed by the filtering servers for the domain will now be archived

    3. Optionally restrict which recipients should be archived on the "Archived recipients" page
    4. Login to the Microsoft 365 "Exchange admin center"
    5. In the dashboard, go to journal rules in the compliance management section
    6. First choose "select address" for "Send undeliverable journal reports to:". This should be a valid recipient to be informed in case of journal failures
    7. Next add a journal rule:
      • Send journal reports to: You can find the Global journal address which is unique for your domain on the Archiving > Status page in SpamExperts

        E.g. "47034d58-47e0-451a-bf64-25327148361d-demo-domain.invalid@MX-record-hostname" where you must replace "MX-record-hostname" with the primary MX record for your inbound filter

      • Name: SpamExperts journal archive rule
      • If the message is sent to or received from: [Apply to all messages]
      • Journal the following messages: Internal messages only (in case you use protection), all messages (this would cause duplicate archiving if you also archive via the protection service)