How to configure Sophos Email for Office 365
This topic explains how to set up Microsoft Office 365 to route email through Sophos Email.
Add your domain and verify ownership
You need to add your domain. To do this, you need the following information:
- Your email domain name
- Your mail delivery destination host as a Fully Qualified Domain Name (FQDN) or IP address
- The port number used to listen for SMTP traffic on the mail delivery destination host
To find your FQDN for Office 365:
- Log in to the Office portal.
- Select Domains.
- Copy the value displayed for the expected MX record.
Note: The format is normally <yourdomain-com>.mail.protection.outlook.com
To add a domain in Sophos Central, do as follows:
Once the DNS update with the correct TXT value is propagated, a message is returned indicating that domain verification was successful.
If the DNS update has not yet propagated, or if the value entered is incorrect, a failure message is returned. Confirm that the value entered is correct.
Add mailboxes to Email Gateway
You can add mailboxes to Email Gateway.
You can add mailboxes in the following ways:
- Automatically, using a directory service. You can use either AD sync or Azure AD sync. For more information and instructions on how to set up a directory service, see Directory service.
- Manually, using the UI.
- Manually, importing a .csv file.
Add a mailbox manually
Sophos Email allows you to add single mailboxes manually via the user interface.
To add a mailbox manually, do as follows:
Import Mailboxes
Sophos Email allows you to import mailboxes in bulk.
To import mailboxes, do as follows:
To verify mailbox creation, you can search for new users or browse the list of mailboxes under the Mailboxes section for Distribution Lists and Public Folders.
Bypass Exchange Online Protection in Office 365
If you are using Sophos Email for your spam filtering and clean email is delivered to Office 365, you need to bypass Exchange Online Protection (EOP) to ensure smooth delivery of your mail.
To bypass Exchange Online Protection:
- Log in to the Office portal.
- Under Admin Centers, choose Exchange.
- Under Mailflow, select Rules.
- Click the + to add a new rule and choose Bypass Spam Filtering from the menu.
- Set the following values:
Option | Description |
---|---|
Name | Sophos Central EOP Bypass |
Apply this rule if | Apply to all messages |
Do the following | Set the spam confidence level (SCL) to... |
Audit this rule with severity level | Low |
Choose a mode for this rule | Enforce |
- Click Save to add the rule.
Restrict delivery to Sophos IP addresses
You can configure the connection to your mail host to only use our delivery IPs.
Restricting delivery IPs adds security to the integration between Sophos Email and your mail host.
The specific delivery IP you need to use depends on the region where your Sophos Central account is hosted. When you created your Sophos Central account, you chose to store your data in the United States, Germany, or Ireland.
Region | IPs |
---|---|
US (West) | 52.41.236.76, 50.112.39.248 |
US (East) | 18.220.12.142, 18.216.7.10 |
Germany | 52.58.166.242, 52.29.100.147 |
Ireland | 52.208.126.243, 52.31.106.198 |
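The EOP bypass rule above applies to all messages, so the delivery IP restriction is what keeps mail that did not pass through Sophos Email from reaching mailboxes unfiltered. The following check is an added example, not part of the Sophos documentation: it flags inbound messages whose connecting IP is not a delivery IP for your region. The trace rows and their field names (`message_id`, `from_ip`) are constructed stand-ins for whatever your message trace export provides.

```python
import ipaddress

# Delivery IPs per region, copied from the table above.
DELIVERY_IPS = {
    "US (West)": ("52.41.236.76", "50.112.39.248"),
    "US (East)": ("18.220.12.142", "18.216.7.10"),
    "Germany": ("52.58.166.242", "52.29.100.147"),
    "Ireland": ("52.208.126.243", "52.31.106.198"),
}
ALL_SOPHOS = {ipaddress.ip_address(ip)
              for ips in DELIVERY_IPS.values() for ip in ips}

def off_path_messages(region, trace_rows):
    """Return rows whose source IP is not a delivery IP for the region."""
    allowed = {ipaddress.ip_address(ip) for ip in DELIVERY_IPS[region]}
    flagged = []
    for row in trace_rows:
        try:
            source = ipaddress.ip_address(row["from_ip"].strip())
        except ValueError:
            flagged.append({**row, "reason": "unparseable source IP"})
            continue
        # Compare an IPv4-mapped IPv6 address by its IPv4 form.
        mapped = getattr(source, "ipv4_mapped", None)
        if mapped is not None:
            source = mapped
        if source in allowed:
            continue
        if source in ALL_SOPHOS:
            reason = "Sophos delivery IP for another region"
        else:
            reason = "not a Sophos delivery IP"
        flagged.append({**row, "reason": reason})
    return flagged

# Constructed sample rows (hypothetical field names, documentation-range IP).
SAMPLE_TRACE = [
    {"message_id": "<a1@example.net>", "from_ip": "52.208.126.243"},
    {"message_id": "<b2@example.net>", "from_ip": "::ffff:52.31.106.198"},
    {"message_id": "<c3@example.net>", "from_ip": "203.0.113.25"},
    {"message_id": "<d4@example.net>", "from_ip": "18.216.7.10"},
    {"message_id": "<e5@example.net>", "from_ip": "unknown"},
]

if __name__ == "__main__":
    for hit in off_path_messages("Ireland", SAMPLE_TRACE):
        print(hit["message_id"], hit["from_ip"], "->", hit["reason"])
```

Any flagged row after the connector is in place means a message reached the mail host by a path other than your region's Sophos delivery IPs.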
Configure a Secure Connector between Office 365 and Sophos Email
You need to configure a secure connector to Sophos Email.
To configure the secure connector:
Change your MX records to point to Sophos Email
Changing your domain's MX records to point to Sophos Email is crucial to successful deployment and ensures all email is filtered and delivered.
If you can't make these changes yourself, contact your IT department, hosting provider, ISP, or Domain Name Service provider and arrange for the MX records for your domains to be modified.
When you created your Sophos Central account, you selected a region where you wanted to store your data. Your MX records are dependent on this region.
Change your MX records to include the record names associated with the region where you chose to store your data.
Region | MX Records |
---|---|
United States (West) | 10, mx-01-us-west-2.prod.hydra.sophos.com; 20, mx-02-us-west-2.prod.hydra.sophos.com |
United States (East) | 10, mx-01-us-east-2.prod.hydra.sophos.com; 20, mx-02-us-east-2.prod.hydra.sophos.com |
Germany | 10, mx-01-eu-central-1.prod.hydra.sophos.com; 20, mx-02-eu-central-1.prod.hydra.sophos.com |
Ireland | 10, mx-01-eu-west-1.prod.hydra.sophos.com; 20, mx-02-eu-west-1.prod.hydra.sophos.com |
Notes
Take care with all options to ensure that the spelling and numbers are correct.
Using MX record names other than those provided prevents mail from flowing correctly.
When changing DNS entries like MX records, we recommend lowering the TTL (to 600 ms or less) well in advance of updating the entries. This allows the change to propagate quickly and provides a quick way to revert changes, if any issues arise during testing.
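One way to check the published records against the table, as an added example that is not part of the Sophos documentation: the function takes the (preference, host) pairs returned by an MX lookup and reports misspellings, wrong preferences, and a leftover Office 365 host still listed as an MX, which would let senders deliver around Sophos Email. The region tags are read off the host names in the table, and the sample answers are constructed.

```python
# Region tags are read off the MX host names in the table above.
REGION_TAGS = {
    "United States (West)": "us-west-2",
    "United States (East)": "us-east-2",
    "Germany": "eu-central-1",
    "Ireland": "eu-west-1",
}
SOPHOS_SUFFIX = ".prod.hydra.sophos.com"
O365_SUFFIX = ".mail.protection.outlook.com"

def expected_mx(region):
    """The two (preference, host) pairs the table lists for a region."""
    tag = REGION_TAGS[region]
    return {(10 * n, f"mx-0{n}-{tag}{SOPHOS_SUFFIX}") for n in (1, 2)}

def audit_mx(region, answers):
    """Compare MX answers [(preference, host), ...]; empty list means OK."""
    want = expected_mx(region)
    got = {(int(pref), host.rstrip(".").lower()) for pref, host in answers}
    want_hosts = {host for _, host in want}
    got_hosts = {host for _, host in got}
    findings = []
    for pref, host in sorted(want - got):
        if host in got_hosts:
            findings.append(f"wrong preference for {host}, expected {pref}")
        else:
            findings.append(f"missing: {pref} {host}")
    for pref, host in sorted(got - want):
        if host in want_hosts:
            continue  # already reported as a wrong preference
        if host.endswith(O365_SUFFIX):
            findings.append(f"Office 365 host still published as MX: {host}")
        elif host.endswith(SOPHOS_SUFFIX):
            findings.append(f"misspelled or wrong-region Sophos MX: {host}")
        else:
            findings.append(f"unexpected MX: {host}")
    return findings

# Constructed sample: one typo ("l" for "1") and a leftover Office 365 record.
SAMPLE = [
    (10, "mx-01-eu-west-1.prod.hydra.sophos.com."),
    (20, "mx-02-eu-west-l.prod.hydra.sophos.com."),
    (30, "example-com.mail.protection.outlook.com."),
]
```

Calling `audit_mx("Ireland", SAMPLE)` returns three findings: the missing second record, the misspelled host, and the leftover Office 365 record.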
Test and confirm mail flow
Once you have updated your MX records, send a test message to any of your mailboxes protected by Sophos Email. For a true test, you should send your test message from an address outside of your email domain.
To confirm that the message flowed through Sophos Email, you can view the Message History Report.
To access the report:
- In Sophos Central, click Logs and Reports.
- Click Message History.
If messages are flowing through the system, you will see entries in this report.
If mail is not flowing, meaning you are not receiving email to your test inbox, take the following steps:
- Verify that your MX records are correct for your region.
- Verify that you set up the Sophos Delivery IPs correctly in your gateway, firewall or connector.
- Verify that the mailbox that you are sending to exists in Sophos Email.
If you have taken all these steps and mail is still not flowing for your domain, you should contact Sophos Email Support.