M365 Mailflow Domain Settings/Status
Configure and manage M365 domains protected by Sophos Mailflow.
To do this, click the General Settings icon 
. Under Email Domain Setup, click M365 Mailflow Domain Settings/Status.
Accept Microsoft pop-ups
When you add and configure your domains, you must give permission for Sophos applications to access your Microsoft domains.
To do this, your browser must accept pop-ups from Microsoft. You might have to turn off pop-up blockers or make exceptions for Microsoft domains.
You must also be able to sign in to the correct domain. If your browser has stored sign-in credentials for a different domain, use an incognito or private browsing window.
Add and configure domains
The steps you take depend on whether you're already using Sophos Email Security or not.
If you don't have any Microsoft 365 domains set up for Sophos Gateway, do as follows:
- Click the General Settings icon .
- Under Email Domain Setup, click M365 Mailflow Domain Settings/Status.
- Click Setup Domains and Policies for M365 Mailflow.
- If you haven't synchronized your Active Directory, do it now. If you've already synchronized your users and mailboxes, click Proceed to Next Step.
-
In Add Domain, enter your domain details and click Setup M365 Mailflow.
Note
If you want to protect only a subset of mailboxes from the domain, create a new group in Microsoft 365 and add the mailboxes you want to protect. When you synchronize users and groups, this group is also imported. See Microsoft 365 email groups.
-
Follow the instructions to set up your domains and mail flow rules. After you add your domain, you're redirected to Microsoft for authentication and permission granting. You must grant these permissions to create the necessary applications and mail flow rules.
When the migration or addition of domains is complete, the M365 Mailflow Domain Settings/Status screen appears, showing your list of domains.
-
To set up mail flow rules for these domains, click Connect and follow the instructions.
You're redirected to Microsoft to authenticate your domains and grant permissions.
You must grant these permissions in order to create a Microsoft 365 connector and the necessary applications and mail flow rules in your Microsoft 365 environment.
Note
When you've granted the permissions, the connector creation process can take up to ten minutes.
If you already have mail flow rules set up on your Microsoft 365 domain, you see the Pre-existing Mailflow Rules Found message. To deal with this, see Fix conflicts with Microsoft 365 rules.
When your Mailflow protection is set up, a success message appears.
-
You can click Run a Quick Test to verify your Mailflow setup. Enter an email address to receive the test message. The test may take a few minutes.
Warning
After the connection is set up, Microsoft may continue to create other connections and resources in the background. If the quick test fails, wait at least 15 minutes and run it again before you start troubleshooting. See Troubleshoot Sophos Mailflow.
The domains appear in M365 Mailflow Domain Settings/Status with a green check mark.
If you're already using Sophos Gateway on your Microsoft 365 domains and want to set up Sophos Mailflow rules on a new domain, or migrate your existing domains to Sophos Mailflow, do as follows:
- In Sophos Central, click the General Settings icon .
- Under Email Domain Setup, click M365 Mailflow Domain Settings/Status.
-
In the next screen, do one of the following:
- If you're migrating a domain from Sophos Gateway to Sophos Mailflow, click Copy Existing M365 Domains. You confirm your choice, then we copy any Microsoft 365 domains we've detected.
- If you're adding a domain to use with Sophos Mailflow for the first time, click Setup Domains and Policies for M365 Mailflow and follow the instructions.
-
When the migration or addition of domains is complete, the M365 Mailflow Domain Settings/Status screen appears, with your list of domains.
-
To set up mail flow rules for these domains, click Connect and follow the instructions.
You're redirected to Microsoft to authenticate your domains and grant permissions.
You must grant these permissions in order to create a Microsoft 365 connector and the necessary applications and mail flow rules in your Microsoft 365 environment.
Note
When you've granted the permissions, the connector creation process can take up to ten minutes.
If you already have mail flow rules set up on your Microsoft 365 domain, you see the Pre-existing Mailflow Rules Found message. To deal with this, see Fix conflicts with Microsoft 365 rules.
When your Sophos Mailflow protection is set up, a Success! message appears.
-
You can click Run a Quick Test to verify your Sophos Mailflow setup. Enter an email address to receive the test message. The test may take a few minutes.
Warning
After the connection is set up, Microsoft may continue to create other connections and resources in the background. If the quick test fails, wait at least 15 minutes and run it again before you start troubleshooting. See Troubleshoot Sophos Mailflow.
The domains appear in M365 Mailflow Domain Settings/Status with a green check mark.
When the migration is complete, verify that your mailflow rules are working.
Delete Sophos Gateway connections
If you're an existing user and the domain you've connected to Sophos Mailflow was previously connected to Sophos Gateway, we recommend you delete the connection to Sophos Gateway as soon as possible. This might include removing MX records pointing to Sophos.
If you don't disconnect and delete the Sophos Gateway connection, your messages could be scanned twice. See Prevent duplicate scans.
Manage domains
If you've added Microsoft 365 mailflow domains, you can do the following:
- Connect or disconnect your domain to or from mailflow.
-
Connect or disconnect your domain to or from post-delivery protection.
Note
You must be a Super Admin of the corresponding domain to set up a connection.
-
Configure post-delivery protection features.
- Edit your domain.
- Delete your domain.