You can set up Office 365 to apply security restrictions so that mail from your organization will only be accepted if it comes through MailRoute servers.
*Before you begin the configuration/lockdown steps, make sure your o365 mailserver/host name is listed in our inbound server tab and change your MX records if they are not already pointing to mail.mailroute.net. Once mail is flowing, begin the lockdown instructions detailed below.
*To find your Office 365 mailserver/host name, login to your Microsoft Admin Center. Choose Domains or if there's a different setup choose Settings>Domains. Select your Domain, then select MX Value. You can find your host name under MX Value. It will look something like:
*Change the Server type in the inbound server section to use our o365 sync (use the edit icon to switch to o365). Authorize MailRoute to access your o365 user lists which will enable our API-level integration that will let you sync so all your user lists, aliases, and distribution lists are automatically updated on our end whenever you change things in o365.
- Go to: https://outlook.office365.com/ecp/
- Choose "rules" under the "mail flow" category.
- Click the "+" symbol to add a new rule, and choose "Bypass spam filtering…"
- Give the new rule a descriptive name like "Bypass Spam Filtering for mail that came through MailRoute".
- Under "Apply this rule if...", choose "The Sender..." -> "IP address is in any of these ranges or exactly matches
- Enter in the MailRoute IP address block 22.214.171.124/21, and click the "+" sign to add the address range, and click "OK", and then click "Save" to save this rule.
- Choose "Rules" under the "Mail Flow" category
- Click the "+" symbol and choose "Create a new rule"
- Give the rule a descriptive name, like "Reject email that bypasses MailRoute"
- Choose "The Sender is located..." under "Apply this rule if..."
- Choose "Outside the Organization" from the "select sender location" dialog that pops up, and then click "OK"
- Choose "Reject the message with the explanation" from the "Do the following..." menu.
- Enter in some explanatory text for the rejection message, like "Your email is attempting to bypass our security services. Please verify that your DNS is working properly and try again." and click "OK"
- Click "More Options...." and then click "add exception”
- Choose "The sender is..." -> "the ip address is in any of these ranges or exactly matches..."
- Enter in the MailRoute block of IP Addresses: 126.96.36.199/21 and then click "+" to add this to the exception list. Then click "ok"
- Choose "Stop processing more rules".
- Under "Match sender address in message:", choose "Envelope"
- Then click "Save" to save the rule.
- Bypass spam filtering for email that comes through MailRoute
- Reject email that bypasses MailRoute.
- Choose "mail flow" from the left side menu, and the "connectors" from the top menu.
- Click "+" to add a new rule.
- In the "From:" pulldown, choose "Office 365".
- In the "To:" pulldown, choose "Partner Organization"
- Click "Next"
- Give this a name and a useful description (optional), and then click "Next”.
- Check the checkbox that says "What do you want to do after the Connector is saved?" Check to "Turn it On"
- Select the "Only when emails are sent to these domains" radio button, and then click "+"
- Enter a "*" (a single asterisk), and click “OK"
- Click "Next"
- Choose "Route email through these smart hosts", and click the "+" button
- Click "Next"
- Select the checkbox "Always use Transport Layer Security (TLS) to secure the connection (recommended)", and the option "Any digital certificate, including self-signed certificates", and then click "Next"
- Click "Next”
- Now we need to validate that the connector is working. Click the "+" sign and enter an email address for testing, and click "ok”
- Enter in an email address at a different domain from your own.
- Then click "Validate"
- If all is successful, you'll see the message "Done! You've completed the operation."
- Click "Close"
- And then click "Save”
* You must now disable SPF hard fail checks:
The setting is located at Exchange admin Center > protection > spam filter > double click Default > advanced options > set SPF record: hard fail: off
Note: MailRoute will automatically recognize that you are using Office 365 for your outbound service, so you do not need to enter an outbound mailserver in the MailRoute Control Panel.
It can take Microsoft 45-60 minutes to apply the changes you just made to your configuration.