Configuring Microsoft Office 365 for MailRoute takes a few steps, and it's important that they be done in order. This article makes it look like a lot, but we've tried to be very complete and show you each and every step along the way. It's not really that difficult.
The first step is to configure MailRoute for your inbound email flow. If you're a new customer, we may have already done this for you. If you are changing from another service or an in-house server, you may need to do this yourself (or ask us to help!)
Then we will set up Connectors to handle inbound and outbound email flow, and a rule that prevents anyone from bypassing MailRoute and sending email directly to Microsoft.
Microsoft talks about some of this stuff in their article "Managing mail flow using a third-party cloud service with Exchange Online".
We're going to do these things in order:
- Configure MailRoute with your Inbound Email Server
- Change your MX record to mail.mailroute.net
- Add your SPF, DKIM, DMARC, and ADSP records to your DNS server
- Create Inbound and Outbound Connectors to allow Microsoft to identify that your incoming mail is coming from a trusted partner and that they should relay your outbound mail out there too.
Step 1. (Which we may have already done for you!) - Configure Inbound Email Server in MailRoute Control Panel
- Locate your Office 365 mailserver hostname in the Microsoft 365 Admin Center: https://admin.microsoft.com/#/Domains
- Select your domain, and then click DNS records. You'll find your inbound Office 365 mailserver listed in the MX record under Microsoft Exchange. It will look something like this: example-com02c.mail.protection.outlook.com
- Visit the MailRoute Admin center at https://admin.mailroute.net, and select Domains at the top, and then click on your domain in the list
- Then choose Inbound Servers from the menu at the left, and then click the Add button:
- Enter in the Office 365 Mailserver, and set the priority to 10, and click Save:
- Set your Server Type by clicking the edit button, and then setting the Type to Office 365 and then clicking Save.
Note: MailRoute will automatically recognize that you are relaying email out from Microsoft, so there is no need to set up an Outbound server in the MailRoute Control Panel for your outbound mail.
Step 2. Change your MX Record to mail.mailroute.net
This will start the flow of email through MailRoute!
We have articles on how to do this for many common DNS providers at https://support.mailroute.net/hc/en-us/sections/205311968-Changing-MX-Records
Step 3. Add SPF, DKIM, DMARC, and ADSP records
To properly protect your outbound mail, add your SPF, DKIM, DMARC, and ADSP records while you're in there changing your MX record.
We have a primer on what all these are for, if you're interested here: https://support.mailroute.net/hc/en-us/articles/360061128614-Email-Authentication-An-Explanation-and-Exploration
We have Knowledge Base articles for each of these:
- https://support.mailroute.net/hc/en-us/articles/360021568194-Setting-Your-SPF
- https://support.mailroute.net/hc/en-us/articles/115009100687-Implementing-DKIM
- https://support.mailroute.net/hc/en-us/articles/360062946093-Implementing-DMARC-for-the-MailRoute-Outbound-SmartHost-Service
Step 4. Configure Inbound and Outbound Connectors
- Install PowerShell if you don't already have it.
- Windows:
https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4
For Windows 11 and later:
Install from the Microsoft Store, or you can try:
winget install --id Microsoft.PowerShell --source winget
For other versions of Windows, see the above article.
- Mac and Linux:
https://github.com/PowerShell/PowerShell/releases/tag/v7.4.5
Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName tj@mailroutecompliance.net -ExchangeEnvironmentName O365USGovGCCHigh
New-InboundConnector -Name "MailRoute Inbound" -ConnectorType Partner -SenderDomains * -RestrictDomainsToCertificate $true -TlsSenderCertificateName *.mailroute.net -RequireTls $true -EFSkipIPS 199.89.0.0/21
New-OutboundConnector -Name "MailRoute Outbound" -ConnectorType Partner -RecipientDomains * -SmartHosts outbound.mailroute.net -UseMXRecord $false -TlsSettings DomainValidation -TlsDomain mailroute.net
PowerShell mailroute.pwsh
pwsh mailroute.pwsh
Step-by-step Directions:
Create a new Inbound Connector using PowerShell
- If you have an old MailRoute Inbound Connector, delete it. Visit https://admin.exchange.microsoft.com/#/connectors, select the connector, and then select the small trashcan icon in the detail panel on the right to delete the connector.
- Install PowerShell if you don't already have it.
- Windows:
https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4
For Windows 11 and later:
Install from the Microsoft Store, or you can try:
winget install --id Microsoft.PowerShell --source winget
For other versions of Windows, see the above article.
- Mac and Linux:
https://github.com/PowerShell/PowerShell/releases/tag/v7.4.5
- Run powershell
- Windows:
In a Windows command shell, type "PowerShell"
- Mac and Linux:
In a terminal window, type "pwsh"
- In your bright, shiny new powershell window, install the Exchange Online powershell cmdlets and install a new connector:
Install-Module ExchangeOnlineManagement
- Authenticate to Exchange Online:
Connect-ExchangeOnline -UserPrincipalName <your exchange admin login>
This will open a browser window so you can log in to your Exchange Online account. When you finish logging in, you can close the browser window and return to your PowerShell window.
Note: If you are in Germany, China, or using GCC High or GCC DOD, you must also specify your ExchangeEnvironmentName, like this (this is not required for regular Office 365 or Office 365 GCC):
Connect-ExchangeOnline -UserPrincipalName <your exchange admin login> -ExchangeEnvironmentName O365USGovGCCHigh
The choices for ExchangeEnvironmentName are:
Microsoft 365 or Microsoft 365 GCC: <Not required>
Office 365 Germany: O365GermanyCloud
Office 365 operated by 21Vianet: O365China
Microsoft 365 GCC High: O365USGovGCCHigh
Microsoft 365 DoD: O365USGovDoD
- Now create a new connector:
New-InboundConnector -Name "MailRoute Inbound" -ConnectorType Partner -SenderDomains * -RestrictDomainsToCertificate $true -TlsSenderCertificateName *.mailroute.net -RequireTls $true -EFSkipIPS 199.89.0.0/21
This connector only accepts mail over TLS-encrypted connections from servers that present a MailRoute TLS certificate (*.mailroute.net), which prevents other sites from connecting directly to MS Exchange Online and delivering mail to you, bypassing your filtering. This also sets up the "Advanced Filtering" for Microsoft Defender.
This can take a minute or two to run.
- Verify that the connector is in place and looks correct:
Get-InboundConnector -Identity "MailRoute Inbound" | Format-List *
Enabled : True
ConnectorType : Partner
ConnectorSource : Default
...
SenderDomains : {smtp:*;1}
...
RequireTls : True
RestrictDomainsToIPAddresses : False
RestrictDomainsToCertificate : True
TlsSenderCertificateName : *.mailroute.net
...
...
Name : MailRoute Inbound
...
Step 5. Configure Outbound Connector
Creating Outbound Connector using PowerShell
Since you may already be in powershell, you can create your outbound connector from here:
New-OutboundConnector -Name "MailRoute Outbound" -ConnectorType Partner -RecipientDomains * -SmartHosts outbound.mailroute.net -UseMXRecord $false -TlsSettings DomainValidation -TlsDomain *.mailroute.net
This creates an outbound connector that routes all your outbound traffic to outbound.mailroute.net, and requires that the server have a valid mailroute.net TLS certificate.
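To re-check both connectors later (for example after someone edits them in the web admin), the comparison below flags any setting that differs from the values used in the step-by-step commands. This is an added example, not MailRoute's or Microsoft's code; Test-ConnectorSettings is a hypothetical helper name, the sample object is constructed so the check runs without a tenant, and the string form of EFSkipIPs is an assumption.

```powershell
# Added example: flag connector settings that differ from the values used in this article.
# Test-ConnectorSettings is a hypothetical helper name, not an Exchange Online cmdlet.
function Test-ConnectorSettings {
    param(
        [Parameter(Mandatory)] $Connector,            # from Get-InboundConnector / Get-OutboundConnector
        [Parameter(Mandatory)] [hashtable] $Expected  # property name -> required value
    )
    foreach ($name in $Expected.Keys) {
        # Flatten single and multi-valued properties (SmartHosts, EFSkipIPs) to one string.
        $actual = (@($Connector.$name) | ForEach-Object { "$_" }) -join ','
        $want   = (@($Expected[$name]) | ForEach-Object { "$_" }) -join ','
        if ($actual -ne $want) {
            [pscustomobject]@{ Connector = $Connector.Name; Setting = $name
                               Expected = $want; Actual = $actual }
        }
    }
}

# Values from the step-by-step New-InboundConnector / New-OutboundConnector commands.
$inboundExpected = @{
    Enabled                      = $true
    ConnectorType                = 'Partner'
    SenderDomains                = 'smtp:*;1'        # as shown in the Format-List output above
    RequireTls                   = $true
    RestrictDomainsToCertificate = $true
    TlsSenderCertificateName     = '*.mailroute.net'
    EFSkipIPs                    = '199.89.0.0/21'   # assumed to stringify as entered
}
$outboundExpected = @{
    ConnectorType = 'Partner'
    SmartHosts    = 'outbound.mailroute.net'
    UseMXRecord   = $false
    TlsSettings   = 'DomainValidation'
    TlsDomain     = '*.mailroute.net'
}

# Constructed sample (not real tenant output): the certificate restriction has been turned off.
$sampleInbound = [pscustomobject]@{
    Name = 'MailRoute Inbound'; Enabled = $true; ConnectorType = 'Partner'
    SenderDomains = @('smtp:*;1'); RequireTls = $true
    RestrictDomainsToCertificate = $false
    TlsSenderCertificateName = '*.mailroute.net'; EFSkipIPs = @('199.89.0.0/21')
}
Test-ConnectorSettings -Connector $sampleInbound -Expected $inboundExpected

# Against a live tenant, after Connect-ExchangeOnline:
# Test-ConnectorSettings -Connector (Get-InboundConnector -Identity 'MailRoute Inbound') -Expected $inboundExpected
# Test-ConnectorSettings -Connector (Get-OutboundConnector -Identity 'MailRoute Outbound') -Expected $outboundExpected
```

No output means every checked setting matches; each returned row names the connector, the setting, and the expected and actual values.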
If you hate powershell, and want to do it by hand, you can do this from the online webadmin:
Creating Outbound Connector using the Exchange Online webadmin
- If you're not still there, visit https://admin.exchange.microsoft.com/#/connectors to manage your connectors.
- Click Add a connector
- In the New connector window, choose Connection from Office 365 and Connection to Partner organization, and click Next:
- Give your connector a name like MailRoute Outbound, be sure Turn it on is selected, and then click Next:
- In Use of connector, choose Only when email messages are sent to these domains. Then enter * in the text field and click the + (plus) icon to add this domain:
- After it's added, click Next:
- On the Routing window, choose Route email through these smart hosts, enter outbound.mailroute.net into the text field and click the + (plus) icon to add this SmartHost:
- Now that it's been added, click Next:
- Under Security restrictions, choose Always use Transport Layer Security..., then Issued by a trusted certificate authority (CA), select Add the subject name or subject alternative name (SAN) matches the domain name, enter *.mailroute.net into the text field, and click Next:
- In Validation email, enter an email address that is outside your own domain for testing. You can use the same one as we do here, if you would like (test@mailroute.net). Enter the email address into the text field, and then click + (the plus symbol) to add the address:
- Then click Validate and wait a bit for the test to run.
- Once it's done, and it shows that it's successful, click Next:
- In Review connector, make sure it all looks good, and hit Create connector, and then press Next to finish this up!
And you're done!
Start a free 30-day trial today.
Contact sales@mailroute.net or support@mailroute.net for more information.