Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=onboarding-email

Sophos Email onboarding

  • Welcome to Sophos

    We've created this getting started guide to help you get up and running with Sophos Email. It takes you through setting up your environment, installing Sophos Email, and adding some of the most common customizations.

    Tip

    Our Professional Services offer several solutions to speed up and streamline the deployment. More information.

  • Sophos onboarding webinars

    Join us for an exclusive live webinar, where we'll guide you through the key milestones outlined on this onboarding page. Register today, and if you can't attend, you’ll receive access to the webinar recording. See Sophos Email Webinar.

Checklist

  • [ ] Setup Sophos Email and synchronize mailboxes

    • [ ] Deploy Sophos Email on your environment
    • [ ] Synchronize mailboxes

  • [ ] Configure Email Security and Data Control

    • [ ] Configure Sophos Email security policies

  • [ ] Mail management

    • [ ] Mail history
    • [ ] Report scheduling
    • [ ] Quarantine management

Setup Sophos Email and synchronize mailboxes

Deploy Sophos Email on your environment

The deployment type depends on your environment. Choose the appropriate platform below:

Sophos Mailflow uses Microsoft APIs to create mail flow rules in your Microsoft 365 environment, routing emails to Sophos and back to Microsoft without modifying your DNS and MX records.

Some Microsoft 365 subscriptions don't support inbound connectors. Before you begin, make sure your subscription allows you to create inbound connectors.

Important

To avoid problems, don't configure both email processing modes, Sophos Mailflow and Sophos Gateway, for the same domain.

In-product workflow

Sophos Gateway mode uses the traditional method to send and receive messages through Sophos Email. All inbound emails will first route to Sophos and then to Microsoft 365 for delivery you will need to modify your existing DNS and your MX records.

In-product workflow

To ensure emails do not get stopped by Microsoft after delivery, you will need to add exchange online protection bypasses for Sophos Emails to ensure smooth delivery:

  • Configure Microsoft 365
  • Outbound email for Microsoft 365
  • If you choose to send outbound emails through Sophos, you must update your SPF, DKIM, and DMARC records. Use the quick reference in the next section for more details.

  • (Optional) Sophos email provides Microsoft 365 customers the ability to clawback emails after they have been delivered. See Post delivery protection.

    In-product workflow

    Important

    To avoid email disruption during setup, only update your domains MX record when configuration steps and policies are completed. This should be the final step.

If you're using Google Workspace as a mailserver provider, you need to add your domain. See Configure Google Workspace.

If you wish to scan outbound emails, see Outbound email for Google Workspace.

If you choose to send outbound email through Sophos Email, you must update your SPF, DKIM, and DMARC. Use the quick reference in the next section for more details.

Important

To avoid email disruption during setup, only update your domains MX record when configuration steps and policies are completed. This should be the final step.

Follow the steps below if you are using on-premise Microsoft Exchange or any other 3rd party mailservers/clients that are not listed.

Ensure your mailserver accepts inbound email from Sophos delivery IPs using the instructions below:

If you choose to send outbound email through Sophos, configure your mailservers to deliver to the respective Sophos region IPs. See Outbound email for Exchange and other clients.

If you choose to send outbound email through Sophos Email, you must update your SPF, DKIM, and DMARC. Use the quick reference in the next section for more details.

Important

To avoid email disruption during setup, only update your domains MX record when configuration steps and policies are completed. This should be the final step.

Synchronize mailboxes

You may skip this step if you followed the previous videos, which included directory syncs. For Sophos Email to process inbound or outbound emails through the system, you must synchronize all mailboxes, including aliases, distribution lists, and public folders. If a mailbox does not exist, emails will be rejected. Sophos offers a variety of synchronization methods based on your environment.

In-product workflow

In-product workflow

In-product workflow

In-product workflow

Quick reference to delivery IPs/SPF/MX

Info

Skip this step if you’re using Microsoft 365 mailflow

Use the following reference guide to configure your relevant SPF, MX, and Sophos delivery IPs based on your Sophos Central region. To confirm your account region, go to Email Protection > Settings > Domain Settings/status > Configure External Dependencies.

If you deliver outbound emails, use the following guide page to update your SPF records according to your region.

Note

If you have other systems that send email directly outbound and bypass Sophos Email (ie ticketing or print systems), append the Sophos SPF record to your existing record.

Configure Email Security and Data Control

We recommend configuring the following features based on your environment's needs and requirements. For more information on additional features. See Email Security policy and Data control policy or subscribe to the release notes for the latest updates.

Configure common policies

As everyone's needs differ, we recommend you go through the following email security policy settings. See Email Security policy.

  • Using the "Spam Slider", you can choose how aggressive your spam tolerance is and how to handle spam and malware. See Spam and malware handling.
  • Add a banner to inbound emails to allow your users to identify externally sourced mail, report spam, or make end-user allow/blocks. See Smart banners.
  • Notify end-users when an email is quarantined for their mailbox. See Quarantine summary.
  • Adjust how you wish to handle inbound sender checks, such as SPF, DKIM, or DMARC. See Sender Checks (Authentication checks).

  • Help prevent spear phishing emails by adding commonly abused emails (CEO, HR, Finance, and so on) in your organization. See Impersonation protection.

  • Add a layer of protection with Time of Click protection. See URL Protection.

Configure optional data control and encryption policies

  • Data control rules allow for a wide range of options for filtering and even preventing sensitive data leaks. Create policies based on predefined content control lists (CCLs), File types, Keywords, and more. See Data control policy.

  • Encryption policy

    If you require specific encryption standards for compliance and security, you may optionally configure encryption policies for individuals or everyone in your organization.

    In-product workflow

Troubleshooting and mail management

When you’ve completed your initial setup the next section will cover maintenance, reporting, and mail tracking to alleviate administrative tasks.

Mail history

Review the various filtering options available to identify mail delivery statuses and diagnose potential delivery issues. Using the given DSN code can help identify where the issue is within the delivery flow.

In-product workflow

Report scheduling

You can set up, generate, and save reports for your Sophos Email activities. To get started, customize or use one of the predefined policies.

Quarantine management

Sophos Email employs a multilayer approach to protect your inbox and combat spam. Administrators can manage those emails for the whole organization, while end-users can manage their own messages through the Self-Service Portal (SSP) to free up administrative tasks.

As an admin, you can release, report, or review any emails quarantined within your organization. See Quarantined Messages.

Email samples and submissions

After setting up Sophos Email, you can submit false negative or false positive emails directly through smart banners, Message History report, or Self Service Portal.

Fine-tuning your policies

By creating the necessary exceptions or individualized rules, you can further fine-tune your policies to align with your business needs.

  • Community resources

    Sophos has an active community with numerous self-help articles that can include guidance not typically provided by Sophos Support. On each of the product-specific pages, you can find:

    • Blogs: Product Managers publish information and guidance to our customers regarding new and upcoming product and feature releases. We recommend that customers subscribe to blogs about the products they're most interested in.
    • Recommended Reads: Self-help articles.
    • Discussion threads: Sophos Community members looking for assistance can find Developers, Product Managers, Sophos Staff, and Sophos Community members commenting and interacting to find solutions.
    • Events and webinars: Join us live and ask us questions about relevant event topics.

  • Additional resources