
Configure journaling for M365

Find out how to configure journaling in Microsoft 365 to send copies of emails to Sophos EMS (Email Monitoring System).

Journaling sends a copy of all inbound and outbound emails to Sophos EMS for scanning. In Microsoft 365, you can enable journaling by creating a journal rule in Microsoft Purview.

To learn more about journaling, see Journaling in Exchange Online.

If you're already using another email security solution and want to connect it with Sophos EMS, you must create a secure connector or transport rules between them.

The key steps to set up Sophos EMS with Microsoft 365 are as follows:

Before you start

Make sure you have the following accounts:

  • Microsoft Purview admin account
  • Microsoft 365 admin account

Create journal rules in Microsoft Purview

You must create a journal rule in Microsoft Purview to route inbound emails to Sophos EMS.

To create a journal rule, do as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > Email Protection > Settings > EMS Domain Settings/Status.
  3. Select your domain and click Configure External Dependencies.
  4. On the M365 tab, in Step 1, copy the provided email addresses and save them for later use.

    These email addresses are used to send journal reports to Sophos EMS: one is for undeliverable journal reports, the other for regular journal reports. Each address serves a different purpose and must be configured separately to ensure complete journal delivery.

  5. Sign in to Microsoft Purview.

  6. Go to Settings > Data Lifecycle Management > Exchange (legacy).
  7. Under Send undeliverable journal reports to, click Replace, enter the email address for the undeliverable journal reports that you've copied from Sophos Central, then click Save.

    Note

    Only set Send undeliverable journal reports to if it's empty. If an address is already configured, don't change it; proceed to the next step.

    When journaled emails can't be delivered to the journaling destination, the address set here receives the non-delivery report (NDR).

  8. Go to Solutions > Data Lifecycle Management > Exchange (legacy) > Journal rules, then click New rule to create a new journal rule.

  9. In Send journal reports to, enter the email address for the regular journal reports that you've copied from Sophos Central.
  10. In Journal rule name, enter a name for the journal rule.

    For example: EMS scan for external emails.

  11. In Journal messages sent or received from, select one of the following options:

    • Everyone: If all M365 domains are onboarded in Sophos EMS.
    • A specific user or group: If you want Sophos EMS to scan only for selected users and domains.

    Note

    If you select A specific user or group, make sure the user or group exists in Microsoft 365.

  12. In Type of message to journal, select External messages only.

  13. Click Next, review the settings, and click Submit.

You've created the journal rule for Microsoft 365.
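The same Purview configuration can be applied with Exchange Online PowerShell. This is an added example, not part of the Sophos documentation; it assumes the ExchangeOnlineManagement module is installed, the account holds a role that can manage journaling, and the two placeholder addresses are replaced with the ones copied from Sophos Central.

```powershell
# Added example (not from the Sophos page): Exchange Online PowerShell equivalent
# of the Purview steps above. Assumes the ExchangeOnlineManagement module is
# installed and the signed-in account can manage journaling.
Connect-ExchangeOnline

# Placeholders: replace with the two addresses copied from Sophos Central (step 4).
$ndrAddress     = 'UNDELIVERABLE-JOURNAL-REPORTS@placeholder.invalid'  # undeliverable journal reports
$journalAddress = 'JOURNAL-REPORTS@placeholder.invalid'                # regular journal reports

# Step 7 and its Note: set the NDR address only if nothing is configured yet.
# An unset value shows as an empty string or as '<>' in Exchange Online.
$current = "$((Get-TransportConfig).JournalingReportNdrTo)"
if ([string]::IsNullOrWhiteSpace($current) -or $current -eq '<>') {
    Set-TransportConfig -JournalingReportNdrTo $ndrAddress
} else {
    Write-Warning "JournalingReportNdrTo is already '$current'; leaving it unchanged."
}

# Steps 8 to 13: journal external messages only. Without -Recipient the rule
# applies to everyone; add -Recipient <user or group> to scope it, as in step 11.
New-JournalRule -Name 'EMS scan for external emails' `
    -JournalEmailAddress $journalAddress `
    -Scope External `
    -Enabled $true

# Confirm the rule and the NDR address before returning to Sophos Central.
Get-JournalRule | Format-Table Name, Scope, JournalEmailAddress, Enabled
Get-TransportConfig | Format-List JournalingReportNdrTo
```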

After you've completed the journaling configuration in Microsoft Purview, go back to Sophos Central to finish your onboarding process. See Add a domain.

Integrate Sophos EMS with third-party email security

You can integrate Sophos EMS with a third-party email security solution, either gateway-based or mailflow-based. Configure this section only if you're using one of those methods. Otherwise, Sophos EMS might not behave the way you expect.

Choose the method that best matches your setup:

Create a secure connector for a gateway-based solution

This procedure applies only if your third-party email security solution is gateway-based.

You can create a secure connector between Sophos EMS and Microsoft 365 as follows:

  1. Sign in to Sophos Central and configure your third-party email security solution as follows:

    1. Go to My Products > Email Protection > Settings > EMS Domain Settings/Status.
    2. Select your domain and click Configure External Dependencies.
    3. Make sure you're in the M365 tab.
    4. Under My email security is Gateway, prepare the IP addresses or IP ranges from your email security solution.
  2. Sign in to your Microsoft Exchange admin center and create the secure connector as follows:

    1. Go to Mailflow > Connectors, then click Add a connector.
    2. In Connection from, select Partner organization, then click Next.
    3. Enter a name for the connector.

      For example: Accept email from third-party mail filtering solution.

    4. Select Turn it on and click Next.

    5. Select By verifying that IP address of the sending server matches one of the following IP addresses, which belong to your partner organization, add the inbound delivery IP addresses, then click Next.
    6. (Optional) Select Reject email messages if they aren’t over TLS, only if your email security solution sends all emails to M365 over TLS.
    7. Click Next, review the connector settings, and click Create connector.
    8. Click Done.
  3. Sign in to Microsoft Defender and implement skip listing as follows:

    1. Select the connector you created.
    2. Select Skip these IP addresses that are associated with the connector.
    3. Add the inbound delivery IP addresses.
    4. In Apply to these users, select Apply to entire organization.
    5. Click Save.

The connector now has enhanced filtering turned on.
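The connector and skip-listing steps above can also be scripted. This is an added example, not part of the Sophos documentation; it assumes the ExchangeOnlineManagement module is installed and uses constructed sample IP addresses that you replace with the inbound delivery addresses shown in Sophos Central.

```powershell
# Added example (not from the Sophos page): Exchange Online PowerShell equivalent
# of the connector and skip-listing steps above. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can manage connectors.
Connect-ExchangeOnline

# Constructed sample values: replace with the inbound delivery IPs or ranges shown
# under "My email security is Gateway" in Sophos Central (step 1.4).
$gatewayIPs    = @('203.0.113.10', '203.0.113.32/27')
$connectorName = 'Accept email from third-party mail filtering solution'

# Steps 2.1 to 2.8: partner connector identified by the sending server's IP address.
# Set -RequireTls $true only if the gateway delivers all mail to M365 over TLS (step 2.6).
New-InboundConnector -Name $connectorName `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $gatewayIPs `
    -RequireTls $false `
    -Enabled $true

# Step 3: enhanced filtering (skip listing) so Defender evaluates the original
# sender's IP rather than the gateway's. Leaving EFUsers empty applies the setting
# to the entire organization, matching step 3.4.
Set-InboundConnector -Identity $connectorName `
    -EFSkipLastIP $false `
    -EFSkipIPs $gatewayIPs

# Verify the connector and its enhanced-filtering settings.
Get-InboundConnector -Identity $connectorName |
    Format-List Name, Enabled, SenderIPAddresses, RequireTls, EFSkipIPs, EFUsers
```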

Create transport rules for a mailflow-based solution

This procedure applies only if your third-party email security solution is mailflow-based.


To create an inbound transport rule, do as follows:

  1. Sign in to Sophos Central and configure your third-party email security solution as follows:

    1. Go to My Products > Email Protection > Settings > EMS Domain Settings/Status.
    2. Select your domain and click Configure External Dependencies.
    3. Make sure you're in the M365 tab.
    4. Under My email security is based on M365 mailflow, prepare the IP addresses or IP ranges from your email security solution.
    5. Turn on Enable M365 mailflow configuration and copy the values of Header name and Header value for later use.
    6. Click Save.
  2. Sign in to your Microsoft Exchange admin center and create the inbound transport rule as follows:

    1. Go to Mailflow > Rules, click Add a rule, then select Create a new rule.
    2. Enter a name for the inbound transport rule.

      For example: Add header for EMS scan for inbound emails.

    3. Under Apply this rule if, select The recipient and is external/internal, make sure Inside the organization is selected, then click Save.

    4. Click the plus icon to add a second condition.
    5. Select The recipient and domain is, add the domain used by your email security solution, then click Save.
    6. Click the plus icon to add a third condition.
    7. Select The sender and IP address is in any of these ranges or exactly matches, add the inbound delivery IP addresses used by your email security solution, then click Save.
    8. Under Do the following, select Modify the message properties and set a message header.
    9. Click the first Enter text link, enter the value of Header name from the Configure External Dependencies page, then click Save.
    10. Click the second Enter text link, enter the value of Header value from the Configure External Dependencies page, then click Save.
    11. Click Next.
    12. In Set rule settings, make sure that Rule mode is set to Enforce and Match sender address in message is set to Header.
    13. Click Next, review the inbound transport rule settings, and click Finish.
  3. Turn on the inbound transport rule as follows:

    1. Select the inbound transport rule and turn it on.
    2. Click Edit rule settings, set Priority to 0, and click Save.
    3. Click Done.

Your inbound transport rule is now enforced.

To create an outbound transport rule, do as follows:

  1. Sign in to Sophos Central and configure your third-party email security solution as follows:

    1. Go to My Products > Email Protection > Settings > EMS Domain Settings/Status.
    2. Select your domain and click Configure External Dependencies.
    3. Make sure you're in the M365 tab.
    4. Under My email security is based on M365 mailflow, prepare the IP addresses or IP ranges from your email security solution.
    5. Turn on Enable M365 mailflow configuration and copy the values of Header name and Header value for later use.
    6. Click Save.
  2. Sign in to your Microsoft Exchange admin center and create the outbound transport rule as follows:

    1. Go to Mailflow > Rules, click Add a rule, then select Create a new rule.
    2. Enter a name for the outbound transport rule.

      For example: Add header for EMS scan for outbound emails.

    3. Under Apply this rule if, select The recipient and is external/internal, select Outside the organization, then click Save.

    4. Click the plus icon to add a second condition.
    5. Select The sender and domain is, add the domain used by your email security solution, then click Save.
    6. Click the plus icon to add a third condition.
    7. Select The sender and IP address is in any of these ranges or exactly matches, add the outbound delivery IP addresses used by your email security solution, then click Save.
    8. Under Do the following, select Modify the message properties and set a message header.
    9. Click the first Enter text link, enter the value of Header name from the Configure External Dependencies page, then click Save.
    10. Click the second Enter text link, enter the value of Header value from the Configure External Dependencies page, then click Save.
    11. Click Next.
    12. In Set rule settings, make sure that Rule mode is set to Enforce and Match sender address in message is set to Header.
    13. Click Next, review the outbound transport rule settings, and click Finish.
  3. Turn on the outbound transport rule as follows:

    1. Select the outbound transport rule and turn it on.
    2. Click Edit rule settings, set Priority to 1, and click Save.
    3. Click Done.

Your outbound transport rule is now enforced.
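Both transport rules above can be created in one Exchange Online PowerShell session. This is an added example, not part of the Sophos documentation; it assumes the ExchangeOnlineManagement module is installed, and the header name, header value, domain and IP addresses are placeholders or constructed samples that you replace with the values from Configure External Dependencies and your email security solution.

```powershell
# Added example (not from the Sophos page): Exchange Online PowerShell equivalent
# of the inbound and outbound transport rules above. Assumes the
# ExchangeOnlineManagement module is installed and the account can manage mail flow rules.
Connect-ExchangeOnline

# Placeholders: take Header name and Header value from Configure External Dependencies.
$headerName  = 'X-EMS-HEADER-NAME-PLACEHOLDER'
$headerValue = 'EMS-HEADER-VALUE-PLACEHOLDER'
# Constructed sample values: the domain and delivery IPs of your email security solution.
$securityDomain = 'mailsecurity.example.invalid'
$inboundIPs     = @('203.0.113.10', '203.0.113.32/27')
$outboundIPs    = @('198.51.100.20')

# Settings shared by both rules (steps 2.8 to 2.12): stamp the header, enforce,
# and match the sender address in the message header.
$common = @{
    SetHeaderName         = $headerName
    SetHeaderValue        = $headerValue
    Mode                  = 'Enforce'
    SenderAddressLocation = 'Header'
    Enabled               = $true
}

# Inbound rule: recipient inside the organization, recipient domain is the
# solution's domain, sender IP in the inbound delivery ranges, priority 0.
New-TransportRule -Name 'Add header for EMS scan for inbound emails' `
    -SentToScope InOrganization `
    -RecipientDomainIs $securityDomain `
    -SenderIpRanges $inboundIPs `
    -Priority 0 @common

# Outbound rule: recipient outside the organization, sender domain is the
# solution's domain, sender IP in the outbound delivery ranges, priority 1.
New-TransportRule -Name 'Add header for EMS scan for outbound emails' `
    -SentToScope NotInOrganization `
    -SenderDomainIs $securityDomain `
    -SenderIpRanges $outboundIPs `
    -Priority 1 @common

# Confirm both rules are enabled, enforced, and ordered ahead of other rules.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode
```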