Configuring Office 365 for Spambrella

Configuring Microsoft 365 for Spambrella

Situation – You want to configure Microsoft 365 to use with Spambrella as your email gateway.
Summary – See below for information on:

  • Pre-requisite information to begin
  • What to do with your Spambrella account before setting up
  • How to set up in Microsoft 365, including:
  • Setting up inbound mail flow
  • Bypass spam filtering in Microsoft 365
  • Creating an inbound connector
  • Setting up outbound mail flow
  • Cutting over mailflow
  • Enable and test domains

This article explains how to configure Microsoft 365 to use Spambrella as your email gateway.

Note: Office 365 / O365 has been rebranded as Microsoft 365.

What Is Microsoft Office 365?

Office 365 is a cloud-based solution from Microsoft which offers email, messaging, security, archiving and other capabilities delivered from Microsoft’s worldwide network of cloud data centers. For more information please see: https://products.office.com/en-us/business/office

Before You Start…

Before continuing with the provisioning and configuration of the Spambrella service, it is recommended that you have the information listed below.

INFORMATION NEEDED FOR CONFIGURING SPAMBRELLA

  • MX record(s) for domain(s) you are configuring

INFORMATION NEEDED FOR CONFIGURING OFFICE 365

Microsoft 365 Tenant

The instructions in this KB presume that you are setting up all the domains in your tenant with Spambrella. If you are splitting your mail routing, you may need to consult Microsoft on creating the necessary custom rules based on our documentation.


SPAMBRELLA SIDE

Prior to the Office 365 set-up below, please complete the following on the Spambrella side.

DNS TTLs

To ease DNS changes, turn down the TTLs on your DNS records, specifically the MX and TXT records. This will help with the above domain verification and the later MX cut-over.


Microsoft 365 Tenant SIDE

Setup Inbound Mail Flow

Spambrella is deployed between the customer’s Office 365 environment and the Internet. Inbound mail is routed to Spambrella by changing the customer’s MX records. After the email is processed by Spambrella it is routed to Office 365.

Locate your MX record for the domain in Office 365…

  • Sign-In to the Office 365 Admin center.
  • Click on Settings > Domains
  • Click on the domain you wish to manage.
  • Under Exchange Online, locate the MX row in the table and note the value from the Points to address or value column (i.e., mybusiness.com.mail.protection.outlook.com).
These values will be necessary when you add your domains to Spambrella.

 

Adding domain(s) to Spambrella…

  • Sign-in to the Spambrella user interface.
  • Navigate to the ‘Administration’ section and click Account Management > Domains
  • Click on New Domain.
  • Enter the domain name you wish to configure.
  • Ensure “Relay” is selected for domain purposes.
  • Enter the delivery and failover destinations’ values.
  • Choose the method you wish to use for domain verification.
  • Click Verify Now if you wish to verify your domain at this stage or Verify Later.
Each Domain must be verified before it can be enabled.
  • Repeat if you are adding more than 1 domain.
The delivery and failover destinations refer to the “points to” values captured in the previous section.

 

CONFIGURE MICROSOFT 365…

Microsoft Office 365 limitation

Please note that Microsoft's allow list has a limitation: it does not allow you to enter a large IP range. The maximum size of a range is a /24; it will not recognize larger ranges. Unfortunately, you have to enter the IP ranges twice in this set-up documentation: Connection Details
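Because of the /24 limit described above, any wider range has to be entered as several /24 entries. The following is an added example (not taken from Spambrella or Microsoft documentation) that expands a list of ranges into entries no wider than /24; the sample ranges are constructed, and IPv4-only input is an assumption.

```python
import ipaddress

MAX_PREFIX = 24  # widest range the allow list accepts, per the note above


def to_allow_list_entries(ranges):
    """Return entries no wider than /24 that cover exactly the given IPv4 ranges."""
    nets = []
    for text in ranges:
        # strict=True rejects input such as 10.20.0.1/22 (host bits set), which
        # usually means a typo in the range rather than a deliberate value.
        net = ipaddress.ip_network(text.strip(), strict=True)
        if net.version != 4:
            raise ValueError(f"not an IPv4 range: {text}")  # assumption: IPv4 only
        nets.append(net)

    entries = []
    # collapse_addresses drops duplicates and ranges already covered by another.
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen < MAX_PREFIX:
            entries.extend(net.subnets(new_prefix=MAX_PREFIX))
        else:
            entries.append(net)
    # Single hosts are written as a bare address rather than a /32.
    return [str(n.network_address) if n.prefixlen == 32 else str(n) for n in entries]


# Constructed sample input; use the ranges published for your own stack.
SAMPLE_RANGES = ["10.20.0.0/22", "10.20.2.0/24", "192.0.2.16/28", "203.0.113.7/32"]

if __name__ == "__main__":
    for entry in to_allow_list_entries(SAMPLE_RANGES):
        print(entry)
```

The same output list can be used both times the ranges have to be entered, which keeps the two entries consistent.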

Bypass Spam Filtering in Microsoft 365…

  • Sign-In to the Office 365 Admin portal.
  • Click on Admin > Exchange

This will launch the Exchange Admin Center (EAC).

  • In the EAC, go to Mail flow > Rules
  • Click Add + and then select Create a new rule
  • In the New rule page that opens, configure the following settings:
    • Name: Enter a unique, descriptive name for the rule.
    • Click More options
    • Apply this rule if: Select one or more conditions to identify messages. For more information, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.
    • Do the following: Select Modify the message properties > set the spam confidence level (SCL). In the Specify SCL dialog that appears, configure one of the following values:
    • Bypass spam filtering: The messages will skip spam filtering. High-confidence phishing messages are still filtered. Other features in EOP are not affected (for example, messages are always scanned for malware).

If you need to bypass spam filtering for SecOps mailboxes or phishing simulations, don’t use mail flow rules. See Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes.

  • In the new rule window, complete the required fields:
    • Enter a value for Name (e.g. By-pass Spam filtering for Spambrella)
    • For Apply this rule if… select The sender IP address is in any of these ranges or exactly matches.
    • Add IP address to the IP address list.
      • Type in the address followed by the + icon.
      • Repeat for each IP address.
    • Ensure Set the spam confidence level (SCL) to is selected in the Do the following… menu
      • Do the following > Modify the message properties > set the spam confidence level > bypass spam filtering
  • Click Next
  • Select Enforce
  • Click Next
  • Review the info then click Finish

Optional steps if you need to disable Microsoft 365’s Advanced Email Threat protection (Safelink rewrites)

Before clicking Save in the above step 6 do the following:

    1. Click Add Action.
    2. Select Modify the message properties > set a message header.
    3. Set the message header: X-MS-Exchange-Organization-SkipSafeLinksProcessing to the value: 1
    4. Click Save.

SCL Bypass

Due to major complaints, Proofpoint has opted to change to an approach that ensures Spambrella mail is not scored by the O365 system. This rule still allows external email to come in, but that mail will follow O365 scoring. This is to ensure no mail is lost.

Select the IP addresses that correspond to the stack you are hosted on. You can determine this by looking at the URL in your browser. For example, if your URL is https://spambrella.cloud-protect.net then you are on stack “EU1”. Therefore look for that stack in the list of IP values. If you are unsure, please email support for clarification.

 

CREATE INBOUND CONNECTOR

An inbound connector is used to manage mail traffic between Office 365 and Spambrella.

  1. While accessing the Exchange Admin Center, click mail flow then connectors.
  2. Click + to launch control.
  3. For From select Partner Organization.
  4. For To select Office 365.
  5. Click Next.
  6. Enter a value for Name (e.g. Spambrella Inbound Connector).
  7. (Optional) Enter a value for Description (e.g. Inbound connector for Spambrella).
  8. Uncheck the turn it on setting. You will turn this inbound connector on once you are ready to cutover mailflow.
  9. Click Next.
  10. Select Use the sender’s IP address.
  11. Click Next.
  12. Click +.
  13. Add IP address to the IP address list.
    • Click +.
    • Type in the address followed by OK.
    • Repeat for each IP address.
  14. Click Next.
  15. Ensure Reject email messages if they aren’t over TLS is checked.
  16. Click Next.
  17. Click Save.

If your mail server has not been locked down to only accept mail from our IPs, it is possible for senders to route directly to your mail system instead of following normal MX lookups to route through Proofpoint.
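One way to check for the direct-delivery case described above is to look at which IP handed each message to Microsoft 365. This is an added example, not Spambrella's or Microsoft's code: the gateway ranges, host names and headers are constructed, and the `Received` header shape it matches is an assumption to confirm against a real message from your tenant.

```python
import email
import ipaddress
import re

# Constructed ranges standing in for the gateway IPs of your stack.
GATEWAY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Assumed header shape: "from <host> (<ip>) by <name>.mail.protection.outlook.com".
EDGE_HOP = re.compile(
    r"from\s+\S+\s+\((?P<ip>[0-9A-Fa-f.:]+)\)\s+by\s+\S+\.mail\.protection\.outlook\.com\b",
    re.IGNORECASE)

def classify(raw_message):
    """Return (verdict, connecting_ip) for one message's headers."""
    msg = email.message_from_string(raw_message)
    # Received headers are newest first; only the newest edge hop was written by
    # Microsoft 365. Older ones are supplied by the sender and may be forged.
    for received in msg.get_all("Received", []):
        match = EDGE_HOP.search(" ".join(received.split()))
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            return ("unparsed", match.group("ip"))
        via = any(ip in net for net in GATEWAY_RANGES)
        return ("via-gateway" if via else "direct", str(ip))
    return ("no-edge-hop", None)

# Constructed samples. The second carries a forged older hop naming a gateway IP.
RELAYED = (
    "Received: from gw.gateway.example (192.0.2.25)\n"
    " by AA1.mail.protection.outlook.com (10.1.1.1) with Microsoft SMTP Server;\n"
    " Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from mail.sender.example (203.0.113.9) by gw.gateway.example;\n"
    " Mon, 1 Jan 2024 10:00:01 +0000\n"
    "Subject: relayed\n\nbody\n")
DIRECT = (
    "Received: from mail.sender.example (203.0.113.9)\n"
    " by AA1.mail.protection.outlook.com (10.1.1.1) with Microsoft SMTP Server;\n"
    " Mon, 1 Jan 2024 10:05:02 +0000\n"
    "Received: from gw.gateway.example (192.0.2.25)\n"
    " by AA9.mail.protection.outlook.com (10.1.1.9); Mon, 1 Jan 2024 10:05:01 +0000\n"
    "Subject: direct\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED), ("direct", DIRECT)):
        print(name, classify(raw))
```

A "direct" verdict on externally sourced mail after cutover indicates the tenant is still accepting connections that skip the gateway.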

SETUP OUTBOUND MAIL FLOW

Spambrella is deployed between the customer’s Office 365 environment and the Internet. Outbound mail is routed to Spambrella by configuring an outbound mail gateway.

Outbound set-up instructions for all mail in the tenant

Please note that these instructions are for all mail within the tenant. If you have custom routing or extra outbound mail flow, other outbound routing and/or rules will need to be set up.

CONFIGURE SPAMBRELLA

Enable Outbound Relaying

  1. Sign-in to the Spambrella user interface.
  2. Navigate to ‘Administration’ and click Account Management > Features
  3. Check Enable Outbound Relaying.
  4. Click Save.

Add Service IP addresses to your Inbound Gateway

  1. While logged into the Spambrella user interface, navigate to ‘Administration’ and click Account Management > Domains
  2. Click Managed Hosted Services.
  3. Choose Office 365.
  4. Click Save.

CONFIGURE OFFICE 365

Create Outbound Connector

  1. Sign-In to the O365 Admin portal.
  2. Navigate to Admin > Exchange.

This will launch Exchange Admin Center

  1. Click Mail Flow > Connectors.
  2. Click + to access menu.
  3. For From select Office 365.
  4. For To select Partner Organization.
  5. Click Next.
  6. Enter a value for Name (e.g. Spambrella).
  7. Enter a value for Description (e.g. Outbound connector for Spambrella).
  8. Uncheck the turn it on setting. You will turn this outbound connector on once you are ready to cutover mailflow.
  9. Click Next.
  10. For When do you want to use this connector? select Only when email messages are sent to these domains.
  11. Click +.
  12. Enter * to specify all domains.
  13. Click OK.
  14. Click Next.
  15. For How do you want to route email messages? select Route email through these smart hosts.
  16. Click + and enter your Spambrella smart host value (i.e., outbound-us1.ppe-hosted.com).
  17. Click Save.
  18. Click Next.
  19. For How should Office 365 connect to your partner organization’s email server? choose your preferred approach.
    • If you choose Always use Transport Layer Security (TLS) to secure the connection, please choose Any digital certificate, including self-signed certificates.
  20. Click Next.
  21. Click Next.
  22. Click + icon and enter an email address for validation.
  23. Click OK.
  24. Click Validate.
  25. Click Save.

If you are using Spambrella Professional service package and the Email Archive, you will need to create an additional outbound connector. Please refer to Configuring Journaling for Office 365 for additional steps.

If you are using another archiving service, you will need to create an additional outbound connector to ensure journal email is not sent to Spambrella. If it is sent to Spambrella it will be subject to outbound rate-limiting policies. Please contact your archiving service provider for instructions.

External Recipients of distro-groups/Auto-forwarding

Please note that Spambrella does not explicitly support some types of auto-forwarding.

  • User-level forwarding – O365 supports this for messages sent directly to the user
  • Distribution Groups with external Recipients – Spambrella does not support this outbound behavior. A custom rule will be required to allow these messages out by by-passing the Spambrella smarthost.
  • Distribution Groups with a user-level forward – Similar to external recipient, a by-pass rule will be required

Sending To Distribution Groups With External Domain Recipients

Sending to Distribution Groups with external domain recipients contains step-by-step instructions on how to set this up. For auto-forwarding, the same connector can be used, and a rule will need to be created to match the auto-forward.

CUTTING OVER MAILFLOW

ENABLE & TEST DOMAIN(S)

  1. Sign-in to the Spambrella user interface.
  2. Navigate to ‘Administration’ and click Account Management > Domains
  3. Click the relay control to enable the domain for relay.

Once the domain is turned on, you will need to wait for Spambrella MTAs to be updated. This occurs every half-hour. You should not proceed to the next step until you’ve waited for this change to be applied.

  1. Click the test domain (clipboard) icon to verify Spambrella can deliver to the specified SMTP destination

UPDATE YOUR MX RECORDS

You will need to add Spambrella MX records to your DNS record.

You may want to add the MX records with a low priority ahead of your cutover. Once ready, you can then increase the priority of the Spambrella MX records while decreasing the priority of your existing MX record.

Update Sender Policy Framework (SPF)

When sending outbound email through the Spambrella gateway, recipients receive mail sent from Spambrella rather than Office 365 mail servers. If the recipient’s mail service attempts to verify that the message came from your domain, it must confirm that the gateway server is an authorized mail server for your domain.

To enable this, you need to add the Spambrella MX records to your domain.

ENABLE INBOUND CONNECTOR

  1. Sign-In to the O365 Admin portal.
  2. Navigate to Admin > Exchange.
  3. Click Mail Flow > Connectors.
  4. Select the Inbound Connector and click edit (pencil icon).
  5. Check the turn it on checkbox.
  6. Click Next and move through the next 3 screens.
  7. Click Save.

ENABLE OUTBOUND CONNECTOR

  1. Sign-In to the O365 Admin portal.
  2. Navigate to Admin > Exchange.
  3. Click Mail Flow > Connectors.
  4. Select the outbound connector and click edit (pencil icon).
  5. Check the turn it on checkbox and click next through the remaining screens.
  6. Click Validate.
  7. Click Save.

ENABLE BY-PASS SPAM FILTERING RULE

  1. While accessing the Exchange Admin Center, click mail flow > rules.
  2. Check the checkbox next to the mail flow rule you created previously.

VERIFY INBOUND MAILFLOW

  1. While logged into the Spambrella user interface, click the Logs tab.
  2. Select Any from the Status drop-down and click Search.
  3. Look for new entries to be listed in the search results.

VERIFY OUTBOUND MAILFLOW

  1. Send a test message from an Office 365 mailbox to an external SMTP address.
  2. While logged into the Spambrella user interface, click the Logs tab.
  3. Select Outbound mail from the type drop-down.
  4. Select Any from the status drop-down and click Search.
  5. Look for the test message that was sent.
