Outbound email for Microsoft 365

This section describes how to set up outbound scanning with Sophos Gateway from your Microsoft 365 (formerly Office 365) account.

Configuring outbound routing

To configure Sophos Gateway to handle outbound routing for Microsoft 365, do as follows:

1. Sign in to Sophos Central.
2. Click Email Security > Settings > Domain Settings/Status.
3. Select your domain.
4. Select Inbound and Outbound as the direction under Configure Domain.
5. In the Outbound Gateway drop-down list, select Microsoft Office 365 and click Save.
6. Then click Configure External Dependencies.
7. Click Outbound Settings and copy the Outbound Relay Host address.
8. Log in to Office 365 Admin Center.
9. Select Admin > Exchange. The Exchange Admin Center is displayed.

10. Select Mail Flow > Connectors and create a new Connector:

    Option	Description
    From	Select Office 365 from the drop-down list.
    To	Select Partner Organization from the drop-down list.

11. Click Next.

12. Enter the following:

    Option	Description
    Name	Enter a name for the Connector.
    Description	Optionally, enter a description for the Connector.
    Turn It On	Select this option to turn on the Connector.

13. Click Next.

14. Select Only when email messages are sent to these domains.
15. Click the + icon to add the recipient domains that should use this connector.
16. Enter a value of * to route all outbound emails through Sophos.
17. Click OK and Next.
18. Select Route Email Through These Smart Hosts.
19. Click the + icon to add the smart hosts.
20. To retrieve the text you need to insert into the smart host, sign in to Sophos Central.
21. Click Email Security > Settings > Domain Settings/Status.
    1. Copy and paste the text in Outbound Relay Host. This is the text you will need to enter into the smart host webpage. For example, relay-us-east-2.prod.hydra.sophos.com.
    2. Paste the text into the field and click Save.
22. Click Next.
23. Select the following options:
    • Always use Transport Layer Security (TLS) to Secure the Connection
    • Any digital certificate, including self-signed certificates.
24. Click Next to verify your settings.
25. Click Next and add an email address of a recipient from a domain external to your organization.
26. Click Validate.
27. Once Office 365 has successfully validated your settings, click Save.

Disable or remove any other outbound Send connectors that were previously used. Failure to do this means your outbound email still uses these older Send connectors, and is not routed through Sophos Gateway. Any Send connectors used for other purposes (e.g archiving) may still need to be turned on. If in doubt, consult Sophos Support.

Updating the SPF record for your domain

Your organization should already have an SPF record for your domains registered with Microsoft 365 (formerly Office 365). You need to update this record in the DNS zone for the relevant domain.

You can replace your existing SPF record or add to it, depending on your requirements.

It's normal to replace the record. However, if your outbound email is being routed through Sophos Gateway and Microsoft 365 simultaneously for a period, you can add an include statement for Sophos Gateway to your existing SPF record.

You can use the all parameter in different ways. You must understand how to do this and the implications of your choice.

• Hard fail:

  You can use a dash (-) before the all parameter for a "hard fail". If your email isn't sent from Sophos Gateway, and your recipients' mail servers carry out SPF checks, they'll reject your mail.

• Soft fail:

  You can use a tilde (~) before the all parameter instead, for a "soft fail". The command doesn't fail if an IP address doesn't exist, it continues and processes the rest of the IP addresses. If your recipients' mail servers carry out SPF checks, they won't reject your email.

For more information on soft and hard fails, see How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing

Sophos SPF domains

When you change your SPF record you must use one of the Sophos domains.

To find out which domain to use, see Sophos SPF domains.

If your outbound email is only routed through Sophos Gateway you can use the Sophos Gateway SPF record to replace your existing one.

If your outbound email is being routed through Sophos Gateway and Microsoft 365 simultaneously for a period, you can leave the original SPF record, and add an include statement for Sophos Gateway.

Replacing your SPF record

To replace your SPF record, do as follows:

• Remove v=spf1 include:spf.protection.outlook.com -all.

• If you're certain that you don't have any third parties sending mail on your behalf, and all your outbound mail is routed through Sophos Gateway, you can set your record to:

  v=spf1 include:_spf.<your_regionaddress>.sophos.com -all

• If you aren't routing all your email through us, or you're unsure, use a soft fail:

  v=spf1 include:_spf.<your_regionaddress>.sophos.com ~all

Adding to your SPF record

If your outbound email is being routed through Sophos Gateway and Microsoft 365 simultaneously for a period, you can leave the original SPF record, and add an include statement for Sophos Gateway.

To use an include statement to add the Sophos Gateway record to your existing record, do as follows:

• Existing SPF: v=spf1 include:spf.protection.outlook.com -all

• Example with include: SPF: v=spf1 include:spf.protection.outlook.com include:_spf.prod.hydra.sophos.com -all

We recommend you replace your include statement with the Sophos Gateway SPF record once all your outbound email is routed through us.

Confirm that outbound mail is flowing by sending an outbound mail to an external address.

To confirm that the email has been sent, do as follows:

1. Sign in to Sophos Central.
2. Go to Email Security > Logs and Reports > Message History.
3. Change the direction to outbound.
4. Refresh the screen until you can see the details of the test email you have sent.