Outbound email for Exchange and other clients
This page guides you through the process of directing all outbound email via Sophos Gateway. For Exchange, this requires an SMTP Connector to be configured on your Exchange Server.
For help with Exchange see the following:
To set up outbound email handling, do as follows:
- To set up an SMTP connector, follow the instructions for your version of Exchange on Microsoft's website.
- When prompted, select Route mail through smart hosts and click + Add.
In the Add smart host dialog that appears, enter the corresponding smart host for your region.
- To find the smart host for your region, sign in to Sophos Central.
- Go to Email Security > Settings > Domain Settings > Configure External Dependencies.
- Click on the outbound settings tab. You will see the Outbound Relay Host associated with your account. (This depends on the region you chose when you signed up for Sophos Email Security.)
For a list of outbound relay hosts for every region, see Sophos email outbound relay.
Turn off or remove any other Outbound Send Connectors that were previously used for mail filtering.
Failure to do this means your outbound email will still use the older send connectors, and is not routed through Sophos Gateway. If in doubt, consult Sophos Support.
Updating the SPF record for your domain
If you authenticate outgoing email using an SPF record or DKIM, you may need to update your configuration.
Your organization should already have an SPF record for your domains registered with your existing email service. You need to update this record in the DNS zone for the relevant domain.
You can replace your existing SPF record or add to it, depending on your requirements.
It's normal to replace the record. However, if your outbound email is being routed through Sophos Gateway and your existing email service simultaneously for a period, you can add an include statement for Sophos Gateway to your existing SPF record.
You can use the
all parameter in different ways. You must understand how to do this and the implications of your choice.
You can use a dash (
-) before the
allparameter for a "hard fail". If your mail isn't sent from Sophos Gateway, and your recipients' mail servers carry out SPF checks, they'll reject your mail.
You can use a tilde (
~) before the
allparameter instead, for a "soft fail". The command doesn't fail if an IP address doesn't exist, it continues and processes the rest of the IP addresses. If your recipients' mail servers carry out SPF checks, they won't reject your mail.
Sophos SPF domains
When you replace or add to your SPF record you must use one of the Sophos domains.
You can use
_spf.prod.hydra.sophos.com which is common to US (West), US (East), Germany and Ireland.
You can also use a specific domain for the Sophos data center for your region.
To find out which domain to use, see Sophos SPF domains.
You may get the error "SPF PermError: too many DNS lookups" after changing your SPF record. To solve this, use the specific domain for the Sophos data center for your region instead of
For more details, see Prevent SPF PermError: too many DNS lookups
Replacing your SPF record
If your outbound email is only routed through Sophos Gateway you can use the Sophos Gateway SPF record.
v=spf1 include:spf.protection.outlook.com –all.
If you're certain that you don't have any third parties sending mail on your behalf, and all your outbound mail is routed through Sophos Gateway, you can set your record to:
v=spf1 include:_spf.prod.hydra.sophos.com -all
If you aren't routing all your email through us, or you're unsure, use a soft fail:
v=spf1 include:_spf.prod.hydra.sophos.com ~all
Adding to your SPF record
If your outbound email is being routed through Sophos Gateway and your existing email service simultaneously for a period, you can leave the original SPF record, and add an include statement for Sophos Email.
To use an include statement to add the Sophos Gateway record to your existing record, do as follows:
v=spf1 include:spf.protection.outlook.com -all
Example with include:
SPF: v=spf1 include:spf.protection.outlook.com include:_spf.prod.hydra.sophos.com -all
We recommend you replace your include statement with the Sophos Gateway SPF record when all your outbound email is routed through us.
Confirm that outbound mail is flowing by sending an outbound mail to an external address.
To confirm that the email has been sent, do as follows:
- Sign in to Sophos Central.
- Go to Email Security > Logs and Reports > Message History.
- Change the direction to outbound.
- Refresh the screen until you can see the details of the test email you have sent.