Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=sophos-email-monitoring-system-onboarding

Set up Sophos EMS

Use Sophos EMS (Email Monitoring System) to connect Sophos Central with third-party email services, such as Microsoft Defender or Google Workspace Security. EMS only monitors email traffic and reporting data. It doesn't apply protection or enforce any policies on the messages.

Instead, EMS gives you observation-only verdicts, showing what Sophos Email would have done if it handled those messages. EMS scans both inbound and outbound email, logs what it sees, and updates reports without taking any action. These verdicts help you see how Sophos Email policies work without changing how your current email service handles things.

When used with Microsoft 365, EMS also supports manual email clawback through API integration.

Sophos EMS also complements Sophos MDR and Sophos XDR by sending email-related data to the Sophos Data Lake. For MDR and XDR customers, this adds valuable context for threat detection and enhances incident response capabilities.

Before you start

It's important to understand the following points before you set up Sophos EMS.

  • Sophos EMS license

    Sophos EMS is a separate product and an alternative to Sophos Email Advanced. You can't use both at the same time.

    EMS is for monitoring only. It scans and logs emails but doesn't take action.

  • Sophos EMS mode

    When EMS mode is turned on, you'll see a warning banner on some pages in Sophos Central stating that emails are only being monitored and no actions are applied.

  • Non-configurable settings and policies

    When EMS mode is turned on, some settings and features are disabled, including SMTP Routing, Time of Click, Self Service Portal, and so on. EMS works on a journal copy of emails, so it doesn't support encryption.

    The Secure Message policies are also not available. You can configure Email Security and Data Control policies, but the actions configured are only for reporting purposes and won't be applied to the emails.

To set up Sophos EMS, do as follows:

Check that EMS mode is turned on

When you add your Sophos EMS license to your account, EMS mode is turned on by default. To use Sophos EMS, you need to make sure that the EMS mode is turned on.

To do this, do as follows:

  1. Sign in to Sophos Central.
  2. Click your Profile icon Profile icon., then click Account preferences.

  3. In Sophos Email Monitoring System (EMS), make sure Monitor Only mode (EMS) is turned on.

    If EMS mode is turned off, turn it on.

    For information about EMS mode, see Sophos Email Monitoring System (EMS).

  4. Click Save.

EMS mode is now active for Sophos Central.

Add mailboxes

You can add mailboxes to Sophos Central when you're in EMS mode.

You can add mailboxes in the following ways:

  • Automatically, using a directory service. You can use either AD sync or Microsoft Entra ID sync. For instructions on how to set up a directory service, see Directory service.
  • Manually in the user interface.
  • Manually by importing data from a CSV file.

Add a domain

You can add your domain and integrate it with Sophos EMS as follows:

  1. In Sophos Central, go to My Products > Email Protection > Settings > EMS Domain Settings/Status.
  2. Click Add Domain.

  3. In Email Domain, enter your email domain. For example: example.com.

    You must verify domain ownership before email can be delivered. To do this, add a TXT record to your domain. Adding this record won't affect your email or other services.

  4. Click Verify Domain Ownership.

  5. Use the details listed in Verify Domain Ownership to add the TXT record to your DNS configuration.

    Note

    Domain ownership verification may take up to ten minutes to take effect.

  6. Click Verify.

    Warning

    You can't save an unverified domain. You must correct any issues with the domain ownership verification.

  7. Select the direction from the following options:

    • Inbound Only
    • Inbound and Outbound

  8. Select your journal source IP range from the following options:

    • Microsoft Office 365
    • Google Apps Gmail
    • Custom Gateway

    You can set up one or more mail servers to send journaled outbound emails for the same domain.

    If you select Custom Gateway, you must enter at least one IP address and CIDR (subnet range). Click Add after each entry. You can add multiple IP addresses or ranges.

  9. Click Save to validate your settings.

    The Configure External Dependencies dialog appears.

  10. In Configure External Dependencies, configure journaling in your third-party mail service:

    As part of the domain configuration, you must configure journaling in your mail service. This establishes communication between your mail service and EMS, allowing EMS to receive a copy of each email for scanning. You must complete this step for EMS to work correctly.

    After you've completed the journaling configurations, return here to finish the setup process.

  11. Click Close.

Your domain is now onboarded to Sophos EMS. You can add additional domains at any time.

Configure policies and settings

To manage your policies, go to My Products > Email Protection > Policies.

In EMS mode, only Email Security and Data Control policies are available for configuration. These policies don't enforce actions but are used to generate reporting verdicts. To ensure accurate results, configure them to align with the policies in your current email environment.

To manage your email security settings, go to My Products > General Settings > Email Security.

Test and confirm mail flow

After you've onboarded your domain, created your journal rules, and configured policies and settings, send a test email to any of your mailboxes from an address outside your email domain.

The email should be delivered to the journal mailbox. Similarly, the mailbox address you've configured should receive a copy of the mail.

After doing the above processes, you can test the journal rules by sending inbound and outbound emails to the users you have applied the rule to.

To confirm the email flowed through Sophos EMS, view the Message History report.

To access the Message History report, do as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > Email Protection > Reports > Message History.

If mails are flowing through the system, you see entries in this report.

If mail isn't flowing, you aren't receiving email to your test inbox. Take the following steps:

  1. Verify that you set up the Sophos Delivery IPs correctly.
  2. Verify that the mailbox you're sending to exists in Sophos Email Security.

If you've taken all these steps and mail still isn't flowing for your domain, contact Sophos Support.

Manage M365 domains

You must be a Super Admin to use this feature.

If you've added M365 tenant domains, you can do the following actions:

  • Connect the tenant domain to allow M365 Security to run.

  • Turn on the post-delivery protection feature for your M365 users.

    Note

    Sophos EMS only supports the on-demand clawback feature in post-delivery protection. The auto search and remediate feature doesn't work in EMS. Configure post-delivery protection before using on-demand clawback. See Post-delivery protection.

  • Disconnect the tenant domain.

Edit a domain

To edit a domain, click the domain name in the list, make your changes, and click Save.

Delete a domain

To delete a domain, click the Delete icon Delete icon. to the right of the domain you want to delete.