Supported migration paths

Configure and Set Up Sophos Email

Before going into the specific Firewall policies and equivalent settings, the first step is to configure Sophos Email. You should receive a Sophos Email Paid License valid for the same duration as your current Firewall product license.

Next, identify how Sophos Email will connect to your email services. There are two ways of configuring Email Security in Sophos – Sophos Mailflow and Sophos Gateway.

Sophos Mailflow is supported only on Microsoft 365. If your email service is on Microsoft 365, we recommend that you configure Sophos Email by Mailflow setup. However, you may decide to configure by Gateway setup. The following document can help you decide between the two options, Sophos Mailflow or Sophos Gateway.

All non-M365 customers must configure Sophos Email by Gateway setup.

In these steps you’ll need to create or synchronize mailboxes and add each of your protected domains. Repeat these steps if you have multiple domains to move to Sophos Email. If inbound email is routed through Sophos Email to the Sophos Firewall, ensure the correct port is chosen. If you are unsure what port to use, see Create a DNAT rule.

Once you have decided between Gateway and Mailflow mode, follow the relevant video or documented instructions listed below, but skip any MX record changes. These will be made in a later step, so that the Firewall is configured first. Before changing any MX records and routing email through Sophos Email, be sure to migrate all policies from your firewall with the help of the instructions below.

It is recommended to start from scratch with new settings. The following video can get you started: Techvids Policy Configuration. Please note that some of the menu items and the policy UI shown may differ slightly from the current version.


If using Gateway Mode and your mail server is hosted behind your Sophos Firewall, specify the FQDN or Public IP address(es) of your firewall public WAN interfaces. Specify an unused port and take note of this for steps later in this guide. If the Sophos Firewall does not have a public IP address, specify the Public IP of the device in front of the Firewall. More on this later.

Synchronize Mailboxes and Self Service Portal (SSP)

Before emails can be processed through Sophos Email, mailboxes must exist. If an email is sent to a non-existing mailbox, the email will be rejected by Sophos Email. If an outbound email is sent by a non-existing mailbox for your domain, it will also be rejected. You can easily synchronize users and mailboxes from your environment using Azure AD, AD Sync, or manual synchronization.