Configure Microsoft 365
This topic explains how to set up Microsoft 365 to route email through Sophos Gateway.
For help with Microsoft 365 (formerly Office 365), see Microsoft 365 documentation.
Add your domain and verify ownership
You need the following information when configuring Sophos Email Security to process and deliver email for your domain:
- Your email domain name.
- Your mail delivery destination host as a Fully Qualified Domain Name (FQDN) or IP address.
- The port number used to listen for SMTP traffic on the mail delivery destination host.
To find your FQDN for Office 365:
- Log into the Office portal.
- Select Domains.
- Copy the value displayed for the expected MX record.
Note
The format is normally <yourdomain-com>.mail.protection.outlook.com.
To add a domain in Sophos Central, do as follows:
- Sign in to Sophos Central.
- Go to My Products > General Settings > Domain Settings / Status.
- Click Add Domain.
- Enter your email domain details, the direction of traffic, and delivery destination details.
- Click Verify Domain Ownership.
- Copy the TXT value presented in the Verify Domain Ownership dialog. This value is specific to your email domain.
- Create a TXT DNS record at the root level of the domain name you entered earlier and paste the TXT value that you copied. You can give it the same TXT name as shown or use @. If you're not sure how to do this, contact the organization that registered your domain name.
- Once the new TXT DNS record entry is saved, click Verify.
Once the DNS update with the correct TXT value is propagated, a message is returned indicating that domain verification was successful.
If the DNS update has not yet propagated, or if the value entered is incorrect, a failure message is returned. Confirm that the value entered is correct.
Note
The domain verification process may take some time to complete.
Add mailboxes
You can now add mailboxes to Sophos Email Security. See Add mailboxes.
When you have added your mailboxes, continue with configuring your Microsoft 365 environment.
Bypass Exchange Online Protection in Microsoft 365
If you are using Sophos Gateway for your spam filtering and clean email is delivered to Microsoft 365 (formerly Office 365), you need to bypass Exchange Online Protection (EOP) to ensure smooth delivery of your mail.
To bypass Exchange Online Protection, do as follows:
- Log in to the Microsoft 365 admin center.
- Under Admin Centers, choose Exchange.
- Under Mail flow, select Rules.
- Click the + to add a new rule and select Modify messages.
- In Set rule conditions, set the following values:
  - Name: Enter Sophos Central EOP Bypass.
  - Apply this rule if: Select Apply to all messages.
  - Do the following: Select Modify the message properties and Set the spam confidence level (SCL). Bypass spam filtering has a default value of -1, so make sure Set the spam confidence level (SCL) to '-1' appears in the menu.
  - Except if: Change nothing.
- Click Next.
- In Set rule settings, select Enforce.
- Set Severity to Low.
- Click Next, then Finish to save the rule.
Make sure the rule is enabled.
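The same rule created from Exchange Online PowerShell, as an added example that is not part of the Sophos page. It assumes the ExchangeOnlineManagement module is installed and you sign in with an Exchange administrator account; the rule name, mode and audit severity are the values from the steps above.

```powershell
# Added example (not from the Sophos page). Creates the "Sophos Central EOP Bypass"
# transport rule described above with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in.
Connect-ExchangeOnline

$ruleName = 'Sophos Central EOP Bypass'

# Create the rule only if it does not exist yet, so re-running the script is safe.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    # No condition parameters = "Apply to all messages"; no exception = "Except if: nothing".
    # SetSCL -1 is "Bypass spam filtering"; Mode Enforce and SetAuditSeverity Low match
    # the "Set rule settings" step.
    New-TransportRule -Name $ruleName `
        -SetSCL -1 `
        -Mode Enforce `
        -SetAuditSeverity Low `
        -Enabled $true `
        -Comments 'Mail is already filtered by Sophos Gateway; skip EOP spam scoring.'
}

# Verify the saved rule: it must be enabled, enforcing, and setting SCL to -1.
$rule = Get-TransportRule -Identity $ruleName
if ($rule.State -eq 'Enabled' -and $rule.Mode -eq 'Enforce' -and $rule.SetSCL -eq -1) {
    Write-Host "OK: '$ruleName' is enabled and sets SCL -1 on all messages."
} else {
    Write-Warning ("'$ruleName' is not configured as expected: " +
        "State=$($rule.State) Mode=$($rule.Mode) SetSCL=$($rule.SetSCL)")
}
```

Because this rule sets SCL -1 on every message, any mail that reaches Microsoft 365 without passing through Sophos Gateway also skips EOP spam filtering; the IP restriction and the connector in the next two sections are what close that gap.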
Restrict delivery to Sophos IP addresses
You need to configure the connection to your mail host to only use our delivery IP addresses. This adds additional security to the integration between Sophos Gateway and your mail host.
Warning
Before you proceed, we strongly recommend testing email traffic and domain configuration in a non-production or test environment before making any changes to your organization's email configuration.
Use the Microsoft 365 Defender portal to add our IP addresses to your default connection filter policy. See Configure connection filtering.
To find out which IP addresses to use, see Sophos email gateway IP addresses.
Configure a secure connector between Microsoft 365 and Sophos Gateway
You need to configure a secure connector to Sophos Gateway.
These instructions are for connecting Sophos Gateway to Microsoft 365. For instructions on connecting Sophos Mailflow to Microsoft 365, see Set up Sophos Mailflow.
Note
The following instructions are taken from Microsoft's Set up connectors for secure mail flow with a partner organization in Exchange Online help page. We recommend you check Microsoft's help for updates before changing your email configuration. References to Office 365 may still exist as well as references to Microsoft 365.
To configure the secure connector:
- Log in to your Microsoft 365 (formerly Office 365) Admin Portal.
- Click Exchange then go to Exchange Admin Center.
- Click Mail flow then click Connectors. The Connectors screen appears.
- Click the + to add a new connector.
- Select Partner Organization in the From field.
- Select Office 365 in the To field.
- Click Next.
- Enter a name for the connector. We recommend Sophos Email Inbound Connector.
- (Optional) Enter a description.
- If you want to turn the connector on immediately after saving, leave Turn it on checked. Otherwise, uncheck the box to turn it on later.
- Click Next.
- Select Use the sender's domain.
- Click the + to add a sender domain.
- Enter * to apply the settings to all sender domains.
- Click Next.
- Select Reject email messages if they aren't sent over TLS and Reject email messages if they aren't sent from within this IP address range.
- Click the + to add sender IP addresses.
- Enter the Sophos Email Security Delivery IP address for your region here. To find out which IP address to use, see Sophos email gateway IP addresses.
- Click Next.
- Verify the new connector settings and click Save.
When you configure a connector this way, only mail coming from Sophos Central IPs will be accepted by Office 365.
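The same partner connector created from Exchange Online PowerShell, as an added example that is not part of the Sophos page. It assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in; the IP ranges in it are placeholders from documentation address space, not Sophos delivery addresses, and must be replaced with the ones listed for your region.

```powershell
# Added example (not from the Sophos page). Creates the partner inbound connector from
# the steps above with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in.
Connect-ExchangeOnline

$connectorName = 'Sophos Email Inbound Connector'

# PLACEHOLDER ranges (RFC 5737 documentation space), not Sophos addresses: replace with
# the Sophos Email Security delivery IP addresses listed for your region.
$sophosDeliveryIps = @('192.0.2.0/24', '198.51.100.0/24')

if (-not (Get-InboundConnector -Identity $connectorName -ErrorAction SilentlyContinue)) {
    # From: Partner Organization, To: Office 365, sender domain "*" (all domains),
    # reject mail that is not sent over TLS or not sent from the listed IP ranges.
    New-InboundConnector -Name $connectorName `
        -ConnectorType Partner `
        -SenderDomains '*' `
        -RequireTls $true `
        -RestrictDomainsToIPAddresses $true `
        -SenderIPAddresses $sophosDeliveryIps `
        -Enabled $true `
        -Comment 'Accept mail only from Sophos Gateway delivery IPs, over TLS.'
}

# Verify: both rejection options must be on and the IP list must be non-empty.
# A connector with RestrictDomainsToIPAddresses off accepts partner mail from anywhere.
$c = Get-InboundConnector -Identity $connectorName
$ipsOk = ($c.SenderIPAddresses.Count -gt 0)
if ($c.Enabled -and $c.RequireTls -and $c.RestrictDomainsToIPAddresses -and $ipsOk) {
    Write-Host "OK: '$connectorName' requires TLS and restricts senders to: $($c.SenderIPAddresses -join ', ')"
} else {
    Write-Warning ("'$connectorName' is incomplete: Enabled=$($c.Enabled) " +
        "RequireTls=$($c.RequireTls) RestrictToIPs=$($c.RestrictDomainsToIPAddresses) " +
        "IPs=$($c.SenderIPAddresses.Count)")
}
```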
Change your MX records to point to Sophos Gateway
Changing your domain's MX records to point to Sophos Gateway is crucial to successful deployment and ensures all email is filtered and delivered.
If you can't make these changes yourself, contact your IT department, hosting provider, ISP, or Domain Name Service provider and arrange for the MX records for your domains to be modified.
When you created your Sophos Central account, you selected a region where you wanted to store your data. Your MX records are dependent on this region.
Change your MX records to include the record names associated with the region where you chose to store your data.
To find out which MX records to use, see Sophos MX records.
Notes on MX records
Take care with all options to ensure that the spelling and numbers are correct.
Using MX record names other than those provided prevents mail from flowing correctly.
When changing DNS entries like MX records, we recommend lowering the TTL (to 600 ms or less) well in advance of updating the entries. This allows the change to propagate quickly and provides a quick way to revert changes, if any issues arise during testing.
Test and confirm mail flow
Once you've updated your MX records, send a test message to any of your mailboxes protected by Sophos Gateway. Send your test message from an address outside your email domain.
To confirm the message flowed through Sophos Gateway, you can view the Message History report.
To access the report, do as follows:
- Sign in to Sophos Central.
- Go to Reports > Message History.
If messages are flowing through the system, you see entries in this report.
If mail isn't flowing, the test message doesn't arrive in your test inbox. Take the following steps:
- Verify that your MX records are correct for your region.
- Verify that you set up the Sophos Delivery IPs correctly in your gateway, firewall, or connector.
- Verify that the mailbox you're sending to exists in Sophos Email Security.
If you've taken all these steps and mail still isn't flowing for your domain, contact Sophos Support.
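A pre-flight check for the DNS pieces of this page (the verification TXT record from Add your domain and verify ownership, the MX records and TTL from Notes on MX records, and the first troubleshooting step above), as an added example that is not Sophos's own. It assumes a Windows host with the DnsClient module; the domain, TXT value and MX host names are placeholders you replace with the values shown in Sophos Central. DNS TTLs are specified in seconds, so the TTL threshold below is 600 s.

```powershell
# Added example (not from the Sophos page). Checks the DNS side of this setup from a
# Windows workstation with Resolve-DnsName: the domain-verification TXT value, the MX
# hosts, and the MX TTL. All values below are placeholders to replace with your own.
$domain          = 'example.com'
$expectedTxt     = 'PLACEHOLDER-TXT-VALUE-FROM-VERIFY-DOMAIN-OWNERSHIP-DIALOG'
$expectedMxHosts = @('mx1.placeholder.example', 'mx2.placeholder.example')  # Sophos MX names for your region
$maxTtlSeconds   = 600    # DNS TTLs are in seconds; 600 s is the "600 or less" advice above
$resolver        = $null  # optionally a public resolver IP, to see propagated rather than internal data

$dnsArgs = @{ Name = $domain; ErrorAction = 'SilentlyContinue' }
if ($resolver) { $dnsArgs.Server = $resolver }

# 1. Domain verification: is the TXT value already visible?
$txtValues = Resolve-DnsName @dnsArgs -Type TXT |
    Where-Object { $_.Type -eq 'TXT' } |
    ForEach-Object { $_.Strings -join '' }
if ($txtValues -contains $expectedTxt) {
    Write-Host "OK: verification TXT record for $domain is visible; click Verify in Sophos Central."
} else {
    Write-Warning "TXT value not visible yet (still propagating, or a different value was entered). Seen: $($txtValues -join ' | ')"
}

# 2. MX records: exactly the Sophos hosts and nothing else. A leftover MX (for example
#    the old <yourdomain-com>.mail.protection.outlook.com record) lets senders bypass the gateway.
$mx   = @(Resolve-DnsName @dnsArgs -Type MX | Where-Object { $_.Type -eq 'MX' })
$seen = @($mx | ForEach-Object { $_.NameExchange.TrimEnd('.').ToLower() } | Sort-Object -Unique)
$want = @($expectedMxHosts | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)
if ($seen.Count -eq 0) {
    Write-Warning "No MX records found for $domain (not published yet, or the resolver has no answer)."
} else {
    $diff = Compare-Object -ReferenceObject $want -DifferenceObject $seen
    if (-not $diff) {
        Write-Host "OK: MX records for $domain point only to the expected Sophos hosts."
    }
    foreach ($d in $diff) {
        if ($d.SideIndicator -eq '=>') { Write-Warning "Unexpected MX host: $($d.InputObject)" }
        else                           { Write-Warning "Missing MX host: $($d.InputObject)" }
    }
}

# 3. TTL: lower it before the cutover so that a revert also takes effect quickly.
$mx | Where-Object { $_.TTL -gt $maxTtlSeconds } | ForEach-Object {
    Write-Warning "MX $($_.NameExchange) has TTL $($_.TTL) s (> $maxTtlSeconds s); lower it before changing records."
}
```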