This article contains recommendations and best practices for using MXGuardian with Microsoft 365, also known as Office 365 or Exchange Online.
Step 1: Create a receive connector
- Log in to the Microsoft 365 Exchange Admin Center at https://admin.exchange.microsoft.com/
- Under Mail flow, click Connectors.
- Click Add a connector
- In the Connection From box select Partner Organization and click Next
- In the Name box, type "MXGuardian inbound connector"
- Check the box labeled Turn it on and click Next
- Select By verifying that the IP address of the sending server...
- Add all the MXGuardian IP addresses, which can be found at https://www.mxguardian.net/ips. You need to add each address one at a time:
  1. Type (or copy & paste) the first IP address
  2. Click the Plus (+) icon to add it to the list
  3. Repeat steps 1-2 for each IP address
- When finished, click Next
- On the security restrictions page, accept the defaults by clicking Next
- On the confirmation page, click Create Connector
Step 2: Trusted ARC Sealers
MXGuardian adds an ARC signature to all incoming messages. In this step, we tell Microsoft to trust the MXGuardian signature, so that messages we modify do not fail authentication because of a broken sender DKIM signature.
- Log in to the Microsoft Defender home page at: https://security.microsoft.com/
- Under Email & Collaboration, click Policies & Rules.
- Click Threat Policies
- Under Rules, click Email authentication settings
- Under Trusted ARC Sealers, click Add
- In the box, type "mxguardian.net" and click Save
Step 3: Configure Enhanced Filtering for Connectors
Enhanced Filtering for Connectors, also known as "skip listing", allows Microsoft to determine the actual source IP of incoming messages that arrive via MXGuardian. This will prevent false positives due to SPF failure.
- Return to Microsoft Defender > Policies & Rules > Threat Policies
- Under Rules, click Enhanced Filtering
- Locate the inbound connector that you created in Step 1 and click on the connector name (Note: do not click the checkbox)
- Select Automatically detect and skip the last IP address
- Click Save
Now your Microsoft 365 environment is ready to receive mail from MXGuardian.
MX Records and Microsoft 365
When you set up your domain in Microsoft 365, Microsoft will provide you with a new MX record. Usually it is something like "example-com.mail.protection.outlook.com". They will instruct you to point your MX record to this new value. However, if you do that, your mail will not go through MXGuardian. Instead, you'll need to use this value as your "Primary mail server" in MXGuardian on the "Domain Settings" tab.
This tells us where to send your mail after filtering.
Please note that since your MX record will be pointing to MXGuardian, you may see an error in your Microsoft 365 console stating that your MX record is misconfigured. You can safely ignore this warning.
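To confirm Steps 2 and 3 on a message that was delivered through MXGuardian, you can inspect its headers. The script below is an added example, not code from MXGuardian or Microsoft. It assumes Microsoft records the ARC verdict as `arc=` in its topmost Authentication-Results header and stamps `X-MS-Exchange-SkipListedInternetSender` when Enhanced Filtering was applied; the sample headers are constructed.

```python
import re
from email import message_from_string

TRUSTED_SEALER = "mxguardian.net"  # the value entered in Step 2

# Constructed sample headers, not taken from a real message.
# 203.0.113.7 and the example.* names are documentation placeholders.
SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.7)
 smtp.mailfrom=example.com; dkim=fail (body hash did not verify)
 header.d=example.com; dmarc=pass action=none header.from=example.com;
 arc=pass
X-MS-Exchange-SkipListedInternetSender: ip=[203.0.113.7];domain=mail.example.com
ARC-Seal: i=1; a=rsa-sha256; d=mxguardian.net; s=constructed; cv=none; b=AAAA
From: sender@example.com
Subject: constructed test message

body
"""


def tag_value(header, tag):
    """Return the value of a 'tag=value' pair in a header, or None."""
    m = re.search(r"(?:^|[;\s])%s=([^;\s]+)" % re.escape(tag), header)
    return m.group(1).lower() if m else None


def check_delivery(raw):
    """Report whether the ARC and Enhanced Filtering settings took effect."""
    msg = message_from_string(raw)
    # Every ARC-Seal header names its sealing domain in the d= tag.
    sealers = {tag_value(h, "d") for h in msg.get_all("ARC-Seal", [])}
    # The topmost Authentication-Results header is the most recent one
    # (assumed here to be the one added by Microsoft 365).
    auth = msg.get_all("Authentication-Results", [])
    return {
        "sealed_by_mxguardian": TRUSTED_SEALER in sealers,
        "arc_result": tag_value(auth[0], "arc") if auth else None,
        "skip_listed": msg.get("X-MS-Exchange-SkipListedInternetSender") is not None,
    }


if __name__ == "__main__":
    for check, result in check_delivery(SAMPLE_HEADERS).items():
        print(f"{check}: {result}")
```

To check a real message, pass the raw headers copied from the delivered message to `check_delivery` instead of the sample.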