
Set up Sophos Mailflow

Use Sophos Mailflow to integrate Sophos Email Security with third-party mail services.

You can use Sophos Mailflow to integrate Sophos Email Security with Microsoft 365 (formerly Office 365) email domains without modifying your DNS and your MX records.

For instructions on using Sophos Gateway to connect with on-premises email systems and non-Microsoft 365 domains, see Set up Sophos Gateway.

Sophos Mailflow doesn't currently support the following:

  • Transport Layer Security (TLS)
  • Remote block lists (RBL)

Sophos Mailflow sends users' messages to the Sophos Central Self Service Portal emergency inbox after processing. But if there are issues with Microsoft's servers, Sophos Mailflow doesn't receive messages from Microsoft, so they don't reach the emergency inbox. The emergency inbox only holds messages from before the problem occurred. See Manage settings for Sophos Central Self Service.

Restriction

You must be a Microsoft 365 administrator to set up Sophos Mailflow.

To set up Sophos Mailflow, do as follows:

  • Add the mailboxes you want to protect.

  • Add and configure the email domains you want to protect.

    The way you do this depends on whether you're already using Sophos Email Security or not.

  • Configure your policies and settings.

Add mailboxes

You can add mailboxes in the following ways:

  1. Automatically, using a directory service. You can use Active Directory and Azure AD. For more information and instructions on how to set up a directory service, see Directory service.
  2. Manually.
  3. Manually, using a .csv file.

If you want to use a Microsoft 365 group to protect a subset of your mailboxes, you must set the group up before you connect your domain. See Microsoft 365 email groups.

Accept Microsoft pop-ups

When you add and configure your domains, you must give permission for Sophos applications to access your Microsoft tenants.

To do this, your browser must accept pop-ups from Microsoft. You might have to disable pop-up blockers or make exceptions for Microsoft domains.

You must also be able to sign in to the correct domain. If your browser has stored sign-in credentials for a different domain, use an incognito or private browsing window.

Add and configure domains

The steps you take depend on whether you're already using Sophos Email Security or not.

If you don't have any Microsoft 365 domains set up for Sophos Gateway, do as follows:

  1. Click Email Security > Set Up Email Security.
  2. Click M365 Mailflow Domain Settings / Status.
  3. If you haven't synchronized your Active Directory, do it now. If you've already synchronized your users and mailboxes, click Proceed to Next Step.
  4. In Add Domain, enter your domain details and click Setup M365 Mailflow.

    Note

    If you want to protect only a subset of mailboxes from the domain, create a new group in Microsoft 365 and add the mailboxes you want to protect. When you synchronize users and groups, this group is also imported. See Microsoft 365 email groups.

  5. Follow the instructions to set up your domains and mail flow rules. When you've added your domain, you're redirected to Microsoft for authentication and to grant permissions. You must grant these permissions to create the necessary applications and mail flow rules.

    When the migration or addition of domains is complete, the M365 Mailflow Domain Settings / Status screen appears, with your list of domains.

  6. To set up mail flow rules for these domains, click Connect and follow the instructions.

    You're redirected to Microsoft to authenticate your domains and grant permissions.

    You must grant these permissions in order to create a Microsoft 365 connector and the necessary applications and mail flow rules in your Microsoft 365 environment.

    Note

    When you've granted the permissions, the connector creation process can take up to ten minutes.

    If you already have mail flow rules set up on your Microsoft 365 domain, you see the Pre-existing Mailflow Rules Found message. To deal with this, see Fix conflicts with Microsoft 365 rules.

    When your Mailflow protection is set up, a success message appears.

  7. You can click Run a Quick Test to verify your Mailflow setup. Enter an email address to receive the test message. The test may take a few minutes.

    Warning

    After the connection is set up, Microsoft may continue to create other connections and resources in the background. If the quick test fails, wait for at least fifteen minutes and run it again before starting troubleshooting processes. See Testing and fixing Sophos Mailflow.

    The domains appear in M365 Mailflow Domain Settings / Status with a green check mark.

If you're already using Sophos Gateway on your Microsoft 365 domains and want to set up Sophos Mailflow rules on a new domain, or migrate your existing domains to Sophos Mailflow, do as follows:

  1. In Sophos Central go to Settings. Click M365 Mailflow Domain Settings / Status.
  2. In the next screen do one of the following:
    1. If you're migrating a domain from Sophos Gateway to Sophos Mailflow, click Copy Existing M365 Domains and Policies. After you confirm your choice, we copy any Microsoft 365 domains we've detected.
    2. If you're adding a domain to use with Sophos Mailflow for the first time, click Setup Domains and Policies manually and follow the instructions.
  3. When the migration or addition of domains is complete, the M365 Mailflow Domain Settings / Status screen appears, with your list of domains.
  4. To set up mail flow rules for these domains, click Connect and follow the instructions.

    You're redirected to Microsoft to authenticate your domains and grant permissions.

    You must grant these permissions in order to create a Microsoft 365 connector and the necessary applications and mail flow rules in your Microsoft 365 environment.

    Note

    When you've granted the permissions, the connector creation process can take up to ten minutes.

    If you already have mail flow rules set up on your Microsoft 365 domain, you see the Pre-existing Mailflow Rules Found message. To deal with this, see Fix conflicts with Microsoft 365 rules.

    When your Sophos Mailflow protection is set up, a Success! message appears.

  5. You can click Run a Quick Test to verify your Sophos Mailflow setup. Enter an email address to receive the test message. The test may take a few minutes.

    Warning

    After the connection is set up, Microsoft may continue to create other connections and resources in the background. If the quick test fails, wait for at least fifteen minutes and run it again before starting troubleshooting processes. See Testing and fixing Sophos Mailflow.

    The domains appear in M365 Mailflow Domain Settings / Status with a green check mark.

If you migrated your existing domains, verify that the mail flow rules are working and then remove the Sophos Gateway setup for each domain. See Prevent duplicate scans.
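Both procedures above grant permissions that create a connector and mail flow rules in your Microsoft 365 environment. The following script is an added example, not Sophos or Microsoft code: it records your transport rules and connectors before you click Connect and reports what changed afterwards. It assumes the ExchangeOnlineManagement module is installed; the admin address and output folder are placeholders.

```powershell
# Added example. Run with -Phase Before prior to clicking Connect, then -Phase After
# once the success message appears (connector creation can take up to ten minutes).
param(
    [Parameter(Mandatory)][ValidateSet('Before', 'After')][string]$Phase,
    [string]$AdminUpn = 'admin@example.com',   # placeholder account
    [string]$OutDir   = '.\mailflow-audit'      # hypothetical output folder
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Flatten rules and connectors into one comparable record shape.
$snapshot = @(
    Get-TransportRule | ForEach-Object {
        [pscustomobject]@{ Kind = 'TransportRule'; Name = $_.Name
            Enabled = ($_.State -eq 'Enabled')
            Detail  = "Priority=$($_.Priority); Mode=$($_.Mode)" }
    }
    Get-InboundConnector | ForEach-Object {
        [pscustomobject]@{ Kind = 'InboundConnector'; Name = $_.Name
            Enabled = $_.Enabled
            Detail  = "Type=$($_.ConnectorType); RequireTls=$($_.RequireTls)" }
    }
    Get-OutboundConnector | ForEach-Object {
        [pscustomobject]@{ Kind = 'OutboundConnector'; Name = $_.Name
            Enabled = $_.Enabled
            Detail  = "SmartHosts=$($_.SmartHosts -join ','); TlsSettings=$($_.TlsSettings)" }
    }
)
$snapshot | Export-Csv -Path (Join-Path $OutDir "$Phase.csv") -NoTypeInformation

$beforeFile = Join-Path $OutDir 'Before.csv'
if ($Phase -eq 'After' -and (Test-Path $beforeFile)) {
    $old = @{}
    Import-Csv $beforeFile | ForEach-Object { $old["$($_.Kind)|$($_.Name)"] = $_ }
    foreach ($item in $snapshot) {
        $key  = "$($item.Kind)|$($item.Name)"
        $prev = $old[$key]
        if (-not $prev) { "ADDED    $key  [$($item.Detail)]" }
        elseif ($prev.Detail -ne $item.Detail -or $prev.Enabled -ne "$($item.Enabled)") {
            "CHANGED  $key  [$($prev.Detail)] -> [$($item.Detail)]"
        }
        $old.Remove($key)
    }
    # Anything still in $old existed before and is gone now.
    $old.Keys | ForEach-Object { "REMOVED  $_" }
}
Disconnect-ExchangeOnline -Confirm:$false
```

Keep the Before.csv file with your change records; it also gives you the pre-existing rule priorities if you need to resolve the Pre-existing Mailflow Rules Found message.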

Configure policies and settings

Go to Email Security > Policies to configure, edit or delete Email Security and Data Loss Prevention policies.

Go to Email Security > Settings to configure, edit or delete Email Security settings.

Delete Sophos Gateway connections

If you're an existing user and the domain you've connected to Sophos Mailflow was previously connected to Sophos Gateway, we recommend you delete the connection to Sophos Gateway as soon as possible.

If you don't disconnect and delete the Sophos Gateway connection, your messages could be scanned twice. See Prevent duplicate scans.
