Configure journaling for M365
Find out how to configure journaling in Microsoft 365 to send copies of emails to Sophos EMS (Email Monitoring System).
Journaling sends a copy of all inbound and outbound emails to Sophos EMS for scanning. In Microsoft 365, you can enable journaling by creating a journal rule in Microsoft Purview.
To learn more about journaling, see Journaling in Exchange Online.
If you're using another email security solution, configure connectors or transport rules to integrate it with Sophos EMS.
Important
If your Microsoft 365 tenant uses a third-party email security gateway (for example, Barracuda), journal messages must be sent directly from Microsoft 365 to Sophos EMS.
Don't relay journal messages through the gateway. If they're relayed, Sophos EMS receives them from the gateway IP addresses instead of Microsoft 365. This can lead to journal delivery failures, missing Message History data, or issues with header-based detection.
Before you start
Make sure you have the following accounts:
- Microsoft Purview admin account
- Microsoft 365 admin account
Set up Sophos EMS with Microsoft 365
The key steps to set up Sophos EMS with Microsoft 365 are as follows:
- Create journal rules in Microsoft Purview
- Integrate Sophos EMS with third-party email security
- Test and confirm mail flow
Create journal rules in Microsoft Purview
You must create a journal rule in Microsoft Purview to route inbound emails to Sophos EMS.
To create a journal rule, do as follows:
- Sign in to Sophos Central.
- Go to My Products > Email Security > Settings > EMS Domain Settings/Status.
- Select your domain and click Configure External Dependencies.
- On the M365 tab, in Step 1, copy the provided email addresses and save them for later use.
  These email addresses are used to send journal reports to Sophos EMS. One address is for undeliverable journal reports, and the other is for regular journal reports. Each address serves a different purpose and must be configured separately to ensure complete journal delivery.
- Sign in to Microsoft Purview.
- Go to Settings > Data Lifecycle Management > Exchange (legacy).
- Under Send undeliverable journal reports to, click Replace, enter the email address for the undeliverable journal reports that you've copied from Sophos Central, then click Save.
  Note
  Only set Send undeliverable journal reports to if it's empty. Don't change an already existing address. Proceed to the next step.
  When journaled emails can't be delivered to the intended destination, the mailbox receives a non-delivery report (NDR).
- Go to Solutions > Data Lifecycle Management > Exchange (legacy) > Journal rules, then click New rule to create a new journal rule.
- In Send journal reports to, enter the email address for the regular journal reports that you've copied from Sophos Central.
- In Journal rule name, enter a name for the journal rule. For example: EMS scan for external emails.
- In Journal messages sent or received from, select one of the following options:
  - Everyone: If all M365 domains are onboarded in Sophos EMS.
  - A specific user or group: If you want Sophos EMS to scan only for selected users and domains.
  Note
  If you select A specific user or group, make sure the user or group exists in Microsoft 365.
- In Type of message to journal, select External messages only.
- Click Next, review the settings, and click Submit.
You've created the journal rule for Microsoft 365.
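The same journal rule, created with Exchange Online PowerShell instead of the Purview UI, as an added example that is not part of the original page. It assumes the ExchangeOnlineManagement module is installed; the two email addresses and the rule name are placeholders, and the real addresses come from Configure External Dependencies > M365 > Step 1 in Sophos Central.

```powershell
# Added example (not Sophos or Microsoft code). Replace the placeholder addresses with
# the two addresses copied from Sophos Central (Configure External Dependencies > M365 > Step 1).
$JournalReportAddress       = 'journal@journal.example.invalid'   # placeholder: regular journal reports
$UndeliverableReportAddress = 'ndr@journal.example.invalid'       # placeholder: undeliverable journal reports

Connect-ExchangeOnline   # requires the ExchangeOnlineManagement module and an Exchange admin

# "Send undeliverable journal reports to": only set it if nothing is configured yet.
# An unset value is shown by Exchange Online as '<>'.
$current = "$((Get-TransportConfig).JournalingReportNdrTo)"
if ([string]::IsNullOrEmpty($current) -or $current -eq '<>') {
    Set-TransportConfig -JournalingReportNdrTo $UndeliverableReportAddress
} else {
    Write-Host "Undeliverable journal report address is already '$current'; leaving it unchanged."
}

# The journal rule itself:
#   -Scope External        = "Type of message to journal: External messages only"
#   no -Recipient          = "Journal messages sent or received from: Everyone"
# For "A specific user or group", add -Recipient 'group@yourdomain.example' (placeholder);
# that user or group must already exist in Microsoft 365.
New-JournalRule -Name 'EMS scan for external emails' `
    -JournalEmailAddress $JournalReportAddress `
    -Scope External `
    -Enabled $true

# Review what was created before going back to Sophos Central to finish onboarding.
Get-JournalRule -Identity 'EMS scan for external emails' |
    Format-List Name, JournalEmailAddress, Scope, Recipient, Enabled
```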
After you've completed the journaling configuration in Microsoft Purview, go back to Sophos Central to finish your onboarding process. See Add a domain.
After configuration, confirm the following conditions:
- Journal messages are delivered directly from Microsoft 365 to Sophos EMS.
- The source IP address shown in Message History belongs to Microsoft 365, not a third-party gateway.
- The SMTP From (envelope sender) and the From header values aren't modified.
Integrate Sophos EMS with third-party email security
This section applies to regular inbound and outbound mail flow only.
You can integrate Sophos EMS with a third-party email security solution based on how your email is processed.
Choose the method that matches your setup.
- Gateway-based solution: Email passes through a third-party email security gateway, for example, Barracuda.
- Mail-flow-based solution: Email is processed using Microsoft 365 mail flow rules.
Note
Microsoft 365 journal messages follow a separate delivery path and must always be sent directly from Microsoft 365 to Sophos EMS. They mustn't pass through a third-party gateway.
If journaling is turned on and you use a gateway, you must configure a separate connector for journal delivery.
Note
When integrating Sophos EMS with a third-party email security solution, always create a new connector or rule. Don't edit or reuse an existing connector or rule, as this can disrupt mail flow.
Gateway-based solution
Use this if your email passes through a third-party email security gateway.
Configure connector for inbound mail flow
This procedure applies only if your third-party email security solution is gateway-based.
You must create a secure connector between Sophos EMS and Microsoft 365 as follows:
- Sign in to Sophos Central and configure your third-party email security solution as follows:
  - Go to My Products > Email Security > Settings > EMS Domain Settings/Status.
  - Select your domain and click Configure External Dependencies.
  - Make sure you're in the M365 tab.
  - Under My email security is Gateway, prepare the IP addresses or IP ranges from your email security solution.
- Sign in to your Microsoft Exchange admin center and create the secure connector as follows:
  Note
  Use this procedure to configure connectors for regular inbound mail flow through a third-party email security gateway.
  For journal message delivery, see Journal message delivery.
  - Go to Mail flow > Connectors, then click Add a connector.
  - In Connection from, select Partner organization, then click Next.
  - Enter a name for the connector. For example: Accept email from third-party mail filtering solution.
  - Select Turn it on and click Next.
  - Select By verifying that IP address of the sending server matches one of the following IP addresses, which belong to your partner organization, add the inbound delivery IP addresses, then click Next.
  - (Optional) Select Reject email messages if they aren’t over TLS, only if your email security solution sends all emails to M365 over TLS.
  - Click Next, review the connector settings, and click Create connector.
  - Click Done.
- Sign in to Microsoft Defender and implement skip listing as follows:
  - Select the connector you created.
  - Select Skip these IP addresses that are associated with the connector.
  - Add the inbound delivery IP addresses. Press Enter after each IP address to ensure it's added to the list.
    Note
    If you don't press Enter, the IP address won't be saved, even if you click Save.
  - In Apply to these users, select Apply to entire organization.
  - Click Save.
The connector now has enhanced filtering turned on.
Journal message delivery
If journaling is turned on, you must configure a separate connector to ensure journal messages bypass the third-party gateway.
This configuration routes journal messages directly from Microsoft 365 to Sophos EMS.
To configure this, do as follows:
- Create a connector in Microsoft 365 that routes journal messages directly to the Sophos EMS journal domain.
- Configure the connector to apply only to the EMS journal domain (for example, use2.external.sophosems.com).
- Make sure the routing bypasses the third-party gateway.
Warning
Don't route journal messages through the third-party gateway. This can cause delivery failures or header-based detection issues.
Warning
We don't recommend adding third-party gateway IP addresses under Custom Gateway in EMS Domain Settings/Status.
Although this configuration allows journal delivery, it can cause header-based detection issues, such as header anomaly failures.
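The gateway-based configuration from the two procedures above (inbound connector with skip listing, plus the separate journal delivery connector), done with Exchange Online PowerShell as an added example that is not Sophos or Microsoft code. The gateway IP ranges are placeholders, the journal domain is the one quoted on this page (confirm yours in Sophos Central), and the TLS setting on the journal connector is an assumption.

```powershell
# Added example (not Sophos or Microsoft code). Take the real IP ranges and journal
# domain from Configure External Dependencies (M365 tab) in Sophos Central.
$GatewayInboundIPs = @('203.0.113.10', '203.0.113.0/28')   # placeholder: gateway inbound delivery IPs
$EmsJournalDomain  = 'use2.external.sophosems.com'         # journal domain from this page; confirm in Sophos Central

Connect-ExchangeOnline

# Regular inbound mail: a Partner connector that accepts mail only from the gateway IPs.
#   -RequireTls $true    would correspond to "Reject email messages if they aren't over TLS"
#   -EFSkipIPs           is the skip-listing step: Enhanced Filtering ignores the gateway hops
#                        and evaluates the original connecting IP instead.
#   EFUsers left blank   = "Apply to entire organization".
New-InboundConnector -Name 'Accept email from third-party mail filtering solution' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $GatewayInboundIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $false `
    -EFSkipIPs $GatewayInboundIPs `
    -Enabled $true

# Journal delivery: a separate outbound connector scoped to the EMS journal domain only.
# Exchange Online uses the connector with the most specific recipient-domain match, so this
# connector takes precedence over a catch-all ('*') smart-host connector that sends other
# outbound mail via the gateway. -UseMXRecord $true delivers straight to EMS, not the gateway.
New-OutboundConnector -Name 'EMS journal delivery (bypass gateway)' `
    -ConnectorType Partner `
    -RecipientDomains $EmsJournalDomain `
    -UseMXRecord $true `
    -TlsSettings EncryptionOnly `
    -IsTransportRuleScoped $false `
    -Enabled $true

# Review: the journal connector must show no SmartHosts (nothing pointing at the gateway),
# and the inbound connector must carry the gateway IPs in both SenderIPAddresses and EFSkipIPs.
Get-OutboundConnector -Identity 'EMS journal delivery (bypass gateway)' |
    Format-List Name, RecipientDomains, UseMXRecord, SmartHosts, TlsSettings, Enabled
Get-InboundConnector -Identity 'Accept email from third-party mail filtering solution' |
    Format-List Name, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls, EFSkipIPs, EFUsers
```

After the first journal message arrives, check in Message History that its source IP belongs to Microsoft 365 rather than the gateway, which is the condition listed earlier on this page.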
Mail-flow-based solution
Use this if your email is processed using Microsoft 365 mail flow rules.
Create transport rules for a mail-flow-based solution
This procedure applies only if your third-party email security solution is mail-flow-based.
To create an inbound transport rule, do as follows:
- Sign in to Sophos Central and configure your third-party email security solution as follows:
  - Go to My Products > Email Security > Settings > EMS Domain Settings/Status.
  - Select your domain and click Configure External Dependencies.
  - Make sure you're in the M365 tab.
  - Under My email security is based on M365 mailflow, prepare the IP addresses or IP ranges from your email security solution.
  - Turn on Enable M365 mailflow configuration and copy the values of Header name and Header value for later use.
  - Click Save.
- Sign in to your Microsoft Exchange admin center and create the inbound transport rule as follows:
  - Go to Mail flow > Rules, click Add a rule, then select Create a new rule.
  - Enter a name for the inbound transport rule. For example: Add header for EMS scan for inbound emails.
  - Under Apply this rule if, select The recipient and is external/internal, make sure Inside the organization is selected, then click Save.
  - Click the plus icon to add a second condition.
  - Select The recipient and domain is, add the domain used by your email security solution, then click Save.
  - Click the plus icon to add a third condition.
  - Select The sender and IP address is in any of these ranges or exactly matches, add the inbound delivery IP addresses used by your email security solution, then click Save.
  - Under Do the following, select Modify the message properties and set a message header.
  - Click the first Enter text link, enter the value of Header name from the Configure External Dependencies page, then click Save.
  - Click the second Enter text link, enter the value of Header value from the Configure External Dependencies page, then click Save.
  - Click Next.
  - In Set rule settings, make sure that Rule mode is set to Enforce and Match sender address in message is set to Header.
  - Click Next, review the inbound transport rule settings, and click Finish.
- Turn on the inbound transport rule as follows:
  - Select the inbound transport rule and turn it on.
  - Click Edit rule settings, set Priority to 0, and click Save.
  - Click Done.
Your inbound transport rule is now enforced.
To create an outbound transport rule, do as follows:
- Sign in to Sophos Central and configure your third-party email security solution as follows:
  - Go to My Products > Email Security > Settings > EMS Domain Settings/Status.
  - Select your domain and click Configure External Dependencies.
  - Make sure you're in the M365 tab.
  - Under My email security is based on M365 mailflow, prepare the IP addresses or IP ranges from your email security solution.
  - Turn on Enable M365 mailflow configuration and copy the values of Header name and Header value for later use.
  - Click Save.
- Sign in to your Microsoft Exchange admin center and create the outbound transport rule as follows:
  - Go to Mail flow > Rules, click Add a rule, then select Create a new rule.
  - Enter a name for the outbound transport rule. For example: Add header for EMS scan for outbound emails.
  - Under Apply this rule if, select The recipient and is external/internal, select Outside the organization, then click Save.
  - Click the plus icon to add a second condition.
  - Select The sender and domain is, add the domain used by your email security solution, then click Save.
  - Click the plus icon to add a third condition.
  - Select The sender and IP address is in any of these ranges or exactly matches, add the outbound delivery IP addresses used by your email security solution, then click Save.
  - Under Do the following, select Modify the message properties and set a message header.
  - Click the first Enter text link, enter the value of Header name from the Configure External Dependencies page, then click Save.
  - Click the second Enter text link, enter the value of Header value from the Configure External Dependencies page, then click Save.
  - Click Next.
  - In Set rule settings, make sure that Rule mode is set to Enforce and Match sender address in message is set to Header.
  - Click Next, review the outbound transport rule settings, and click Finish.
- Turn on the outbound transport rule as follows:
  - Select the outbound transport rule and turn it on.
  - Click Edit rule settings, set Priority to 1, and click Save.
  - Click Done.
Your outbound transport rule is now enforced.
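Both transport rules from the inbound and outbound procedures above, created with Exchange Online PowerShell as an added example that is not Sophos or Microsoft code. The header name and value, the filtering domain and the IP ranges are placeholders; the real values come from Configure External Dependencies (M365 tab) in Sophos Central.

```powershell
# Added example (not Sophos or Microsoft code). All values below are placeholders; copy the
# real Header name / Header value, domain and IP ranges from Sophos Central.
$EmsHeaderName  = 'X-EMS-Placeholder-Header'      # placeholder: "Header name" from Sophos Central
$EmsHeaderValue = 'placeholder-header-value'      # placeholder: "Header value" from Sophos Central
$FilterDomain   = 'filter.example.invalid'        # placeholder: domain used by your email security solution
$InboundIPs     = @('198.51.100.0/25')            # placeholder: inbound delivery IP ranges
$OutboundIPs    = @('198.51.100.128/25')          # placeholder: outbound delivery IP ranges

Connect-ExchangeOnline

# Inbound rule. The three conditions are ANDed, exactly as the three UI conditions are:
#   -SentToScope InOrganization  = "The recipient is external/internal: Inside the organization"
#   -RecipientDomainIs           = "The recipient domain is"
#   -SenderIpRanges              = "The sender IP address is in any of these ranges"
# -SenderAddressLocation Header = "Match sender address in message: Header"; Priority 0 runs first.
New-TransportRule -Name 'Add header for EMS scan for inbound emails' `
    -SentToScope InOrganization `
    -RecipientDomainIs $FilterDomain `
    -SenderIpRanges $InboundIPs `
    -SetHeaderName $EmsHeaderName -SetHeaderValue $EmsHeaderValue `
    -SenderAddressLocation Header `
    -Mode Enforce -Priority 0 -Enabled $true

# Outbound rule: recipient outside the organization, sender domain is the filtering domain,
# sender IP in the outbound ranges; same header, Priority 1 right after the inbound rule.
New-TransportRule -Name 'Add header for EMS scan for outbound emails' `
    -SentToScope NotInOrganization `
    -SenderDomainIs $FilterDomain `
    -SenderIpRanges $OutboundIPs `
    -SetHeaderName $EmsHeaderName -SetHeaderValue $EmsHeaderValue `
    -SenderAddressLocation Header `
    -Mode Enforce -Priority 1 -Enabled $true

# Review: each rule must show all of its conditions and Mode Enforce. A rule missing the
# IP-range condition would stamp the EMS header on mail that never passed your security solution.
Get-TransportRule | Where-Object { $_.Name -like 'Add header for EMS scan for *' } |
    Format-List Name, Priority, Mode, State, SentToScope, RecipientDomainIs, SenderDomainIs,
                SenderIpRanges, SetHeaderName, SetHeaderValue, SenderAddressLocation
```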