Domains Settings/Status

Configure and manage email domains protected by Sophos Gateway.

To do this, go to My Products > General Settings > Domains Settings/Status.

Note

Domains Settings/Status supports multiple domains, but you'll need to verify ownership of each domain.

Add a domain

Tip

Instructions on how to set up your Sophos Gateway domain are available online for common providers, for example Microsoft 365 (formerly Office 365).

To view the instructions:

  1. Expand Configure External Dependencies.
  2. Under Inbound Settings, click the link for your chosen provider.
  3. Use the information to help you configure your email domain.
  4. Click Outbound Settings to view your outbound relay host.

To add a domain, do as follows:

  1. Go to My Products > General Settings > Domains Settings/Status.
  2. Click Add Domain.
  3. In Email Domain, enter your email domain. Example: example.com.

    Domain ownership must be verified before email can be delivered through Sophos Central. To verify domain ownership, you must add a TXT record to your domain. Adding this record won't affect your email or other services.

  4. Click Verify Domain Ownership.

  5. Use the details listed in Verify Domain Ownership to add the TXT record to your Domain Name Server (DNS).

    Note

    This can take up to ten minutes to take effect.

  6. Click Verify.

    Warning

    You can't save an unverified domain. You must correct any issues with the domain ownership verification.

  7. Select the direction for which you want to configure the domain. Choose Inbound Only or Inbound and Outbound.

  8. For your inbound destination, select whether you wish to use a mail host or a mail exchange (MX) record in the Inbound destination drop-down list.

    Note

    You must use a mail exchange record to use multiple destinations.

    • If you selected Mail Host, enter an IP address or a fully-qualified domain name (FQDN) in IP/FQDN. Example: 111.111.11.111 or example.com.
    • If you selected MX, enter an FQDN in MX. Example: example.com.
  9. Enter the port number for your email domain.

  10. If you selected Inbound and Outbound, you need to choose one or more outbound gateways from the following:

    • Microsoft 365
    • Google Apps Gateway
    • Custom Gateway

    You can set up one or more email servers to send outbound messages for the same domain.

    If you select Custom Gateway, at least one IP address and CIDR (subnet range) is required. Enter the IP address and CIDR and click Add. You can add multiple IP addresses or ranges.

    You can also set up destinations for your outbound messages. See Custom SMTP Routing.

  11. Optional: Turn on BATV Enabled and select one of the following actions:

    • Quarantine: The message is held in quarantine. You can review and release quarantined messages when you're sure they're safe.
    • Deliver: The message is delivered to the recipient.
    • Delete: The message is deleted immediately.

      Warning

      We don't recommend selecting the Delete action. All bounce messages are expected to have tags, but outbound messages sent before Bounce Address Tag Validation (BATV) was turned on weren't tagged, so their bounces don't have tags either. For the first seven days after turning on this feature, we suggest setting the failure action to Deliver, Tag subject line, or Quarantine.

    • Tag subject line: The message is tagged and delivered to the user. The tag appears at the start of the subject line. You can customize the tag using up to 30 characters.

    When Bounce Address Tag Validation (BATV) is turned on, all outbound email messages must be sent through Sophos Email to accurately determine illegitimate bounce messages. The tag will be applied to all messages to which this policy applies. For more information about BATV, see Bounce Address Tag Validation (BATV).

    You can also choose to send messages to End User Quarantine. See End User Quarantine.

  12. Optional: Turn on Apply BATV to a message marked bounce by SophosLabs heuristics.

    When the Apply BATV to a message marked bounce by SophosLabs heuristics option is turned on, every email identified by SophosLabs as an automatically generated response is treated as a bounce message.

  13. Click Save to validate your settings.

  14. In Configure External Dependencies, make a note of the appropriate settings and make sure that you configure your incoming and outgoing mail flow for Sophos Email.

    The Inbound Settings tab shows the MX record values and Sophos delivery IP addresses used to configure mail flow for your region.

  15. Click Close to add the domain.

  16. Click the Base Policy link to configure spam protection.

Note

By default, spam protection applies to all protected mailboxes. You must review the settings to make sure that they're appropriate for your organization's email policies and security requirements.

You can add extra domains at any time.

Delete a domain

To delete a domain, click the cross on the right of the domain you wish to remove.

Edit a domain

To edit a domain, click the domain name in the list, change the settings, and click Save.

Bounce Address Tag Validation (BATV)

Bounce Address Tag Validation (BATV) checks incoming messages for valid bounce address tags. If a tag is missing, it takes the action you specify.

When you turn on BATV and configure an action for existing domains, BATV applies that action to bounces received for messages sent before it was turned on. To avoid deleting valid bounces, we recommend you set Quarantine, not Delete, as the action for the first week after you turn on BATV. You should also do this if BATV is turned off and later turned back on.

BATV protection applies to every inbound bounce message. A bounce message is a message that has no sender in the SMTP From field and contains content-type: multipart/report; report-type=delivery-status.

Click a domain in the Domains Settings/Status page to see its BATV status.
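
The bounce test and missing-tag handling described in this section, as an added Python example (not Sophos code). It assumes the tag layout of the public BATV draft (`prvs=KDDDSSSSSS=user@domain`), which this page doesn't confirm for Sophos Email; the key, the sample report, and all function names are constructed for illustration.

```python
import email
import hashlib
import hmac
import re

# Assumption: tag layout from the public BATV draft (prvs=KDDDSSSSSS=user@domain).
# The page does not state the tag format Sophos Email uses.
PRVS = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.I)
KEY = b"constructed-demo-key"  # constructed secret, hypothetical

# Constructed delivery-status report used as sample input.
DSN = (b"From: MAILER-DAEMON@mx.example.net\r\n"
       b'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\r\n'
       b"\r\n--b\r\nContent-Type: text/plain\r\n\r\nUndeliverable.\r\n--b--\r\n")


def is_bounce(mail_from, raw):
    """Page's definition: empty SMTP sender plus a delivery-status report."""
    msg = email.message_from_bytes(raw)
    report_type = str(msg.get_param("report-type") or "").lower()
    return (mail_from in ("", "<>")
            and msg.get_content_type() == "multipart/report"
            and report_type == "delivery-status")


def _mac(kddd, addr, key):
    return hmac.new(key, (kddd + addr).encode(), hashlib.sha1).hexdigest()[:6]


def sign(addr, day, key=KEY):
    """Tag an outbound envelope sender; `day` is days since the epoch."""
    kddd = "0%03d" % ((day + 7) % 1000)  # tag expires 7 days after `day`
    return f"prvs={kddd}{_mac(kddd, addr, key)}={addr}"


def tag_valid(rcpt, day, key=KEY):
    """True only for a tagged recipient with a matching MAC and unexpired day."""
    m = PRVS.match(rcpt)
    if not m:
        return False  # untagged, e.g. sent before BATV was turned on
    k, ddd, mac, addr = m.groups()
    fresh = (int(ddd) - day) % 1000 <= 7
    return fresh and hmac.compare_digest(mac.lower(), _mac(k + ddd, addr, key))


def handle(mail_from, rcpt, raw, day, action="Quarantine"):
    """Return 'pass', or the configured failure action for a bad bounce."""
    if not is_bounce(mail_from, raw) or tag_valid(rcpt, day):
        return "pass"
    return action
```

A bounce addressed to an untagged recipient takes the configured action even when the original message was legitimate, which is why Delete is risky in the first week after BATV is turned on.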

Manage Microsoft 365 domains

If you've added Microsoft 365 (formerly Office 365) tenant domains, you can do the following:

  • Connect your tenant domain to allow Microsoft 365 Security to run.

    Note

    Only Super Admins can set up an M365 connection for any domain.

  • Disconnect your tenant domain.

  • Click Configure Post Delivery to turn on Auto search and remediate and On demand clawback for your Microsoft Office 365 users.

To find out how to set up Auto search and remediate and On demand clawback, see M365 Security.

Use Auto search and remediate to move messages from your users' inboxes to post delivery quarantine when they turn malicious.

Use On demand clawback to manually retract delivered messages from the mailboxes of one or more recipients into post delivery quarantine if you consider the message unsuitable for the recipient.

You can view, delete, or release messages from Quarantined Messages.