Skip to content

Configure Exchange and all other clients

This topic explains how to set up Microsoft Exchange and all other email clients to route email through Sophos Gateway.

Add your domain and verify ownership

You need to add your domain details.

You need to provide the following information when configuring Sophos Gateway to process and deliver email for your domain:

  • Your email domain name
  • Your mail delivery destination host as a Fully Qualified Domain Name (FQDN) or IP address
  • The port number that is used to listen for SMTP traffic on the mail delivery destination host

To add a domain in Sophos Central, do as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > General Settings > Domain Settings / Status.
  3. Click Add Domain.
  4. Enter your email domain details, direction of traffic, and delivery destination details.
  5. Click Verify Domain Ownership.
  6. Copy the TXT value presented in the Verify Domain Ownership dialog.

    This value is specific to your email domain.

  7. Create a TXT DNS record in the root level of the domain name you entered earlier and paste the TXT value that you copied earlier. You can give it the same TXT name as shown or use @.

  8. Once the new TXT DNS record entry has been saved, click Verify.

Once the DNS update with the correct TXT value has been propagated, a message is returned indicating that the domain verification was successful.

If the DNS update has not yet propagated, or if the value entered is incorrect, a failure message is returned. Confirm that the value entered is correct.


The domain verification process may take some time to complete.

Add mailboxes

You can now add mailboxes to Sophos Email Security. See Add mailboxes.

When you have added your mailboxes, continue with configuring your email environment.

Restrict delivery to Sophos IP addresses

You can configure the connection to your mail host to only use our delivery IP addresses.

Restricting delivery IP addresses adds additional security to the integration between Sophos Gateway and your mail host.


Before you proceed, we strongly recommend testing email traffic and domain configuration in a non-production or test environment before making any changes to your organization's email configuration.

The specific delivery IP address you need to use depends on the region where your Sophos Central account is hosted. When you created your Sophos Central account, you chose which country to store your data in.


You must also add the Sophos IP addresses to the IP allow list for your mail server. If you don't, your users won't receive their emails.

To find out which IP addresses to use, see Sophos email gateway IP addresses.


Using an IP address other than the one specified for your region prevents mail from flowing correctly.

Change your MX records to point to Sophos Gateway

Changing your domain's MX records to point to Sophos Gateway is crucial to successful deployment and ensures all email is filtered and delivered.

If you can't make these changes yourself, contact your IT department, hosting provider, ISP, or Domain Name Service provider and arrange for the MX records for your domains to be modified.

When you created your Sophos Central account, you selected a region where you wanted to store your data. Your MX records are dependent on this region.

Change your MX records to include the record names associated with the region where you chose to store your data.

To find out which MX records to use, see Sophos MX records.


Take care with all options to ensure that the spelling and numbers are correct.

Using MX record names other than those provided prevents mail from flowing correctly.

When changing DNS entries like MX records, we recommend lowering the TTL (to 600 ms or less) well in advance of updating the entries. This allows the change to propagate quickly and provides a quick way to revert changes, if any issues arise during testing.

Test and confirm mail flow

Once you've updated your MX records, send a test message to any of your mailboxes protected by Sophos Gateway. Send your test message from an address outside your email domain.

To confirm the message flowed through Sophos Gateway, you can view the Message History report.

To access the report, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Reports > Message History.

    If messages are flowing through the system, you see entries in this report.

If mail isn't flowing, you aren't receiving email to your test inbox. Take the following steps:

  1. Verify that your MX records are correct for your region.
  2. Verify that you set up the Sophos Delivery IPs correctly in your gateway, firewall, or connector.
  3. Verify that the mailbox you're sending to exists in Sophos Email Security.

If you've taken all these steps and mail still isn't flowing for your domain, contact Sophos Support.