Configuring Office 365 for EMP Cloud

This article explains how to configure Microsoft Office 365 to use EMP Cloud as your email gateway.

What Is Microsoft Office 365?

Office 365 is a cloud-based solution from Microsoft which offers email, messaging, security, archiving and other capabilities delivered from Microsoft’s worldwide network of cloud data centers. For more information please see: https://products.office.com/en-us/business/office

Before You Start…

Before continuing with the provisioning and configuration of the EMP Cloud service, it is recommended that you have the information listed below.

INFORMATION NEEDED FOR CONFIGURING EMP Cloud

• MX record(s) for domain(s) you are configuring

INFORMATION NEEDED FOR CONFIGURING OFFICE 365

• EMP Cloud IPs, Smart Host, and SPF
• Office 365 administrator account

Office 365 Tenant

The instructions on this KB presume that you are setting up all your domains in your tenant with EMP Cloud. If you are splitting your mail routing, you may need to consult Microsoft on creating the necessary custom rules based on our documentation.

EMP Cloud SIDE

Prior to the below set-up for Office 365, please ensure to do this with the EMP Cloud side.

• Set the domain verification
• Customize Spam settings (before adding in users)
• Customize Digest settings (before adding in users)
• Modify Notifications (if warranted)
• Add in users (preferable with Azure: Azure Active Directory Sync Guide
• Create filter policies and/or approve/block sender list items

DNS TTLs

For ease of DNS changes, turning down your TTLs on the DNS, specifically, MX and TXT records will help in the above domain verification, and later MX cut-over.

OFFICE 365 SIDE

Setup Inbound Mail Flow

EMP Cloud is deployed between the customer’s Office 365 environment and the Internet. Inbound mail is routed to EMP Cloud by changing the customer’s MX records. After the email is processed by EMP Cloud it is routed to Office 365.

Locate your MX record for the domain in Office 365…

• Sign-In to the Office 365 Admin center.
• Click on Settings > Domains
• Click on the domain you wish to manage.
• Under Exchange Online, locate the MX row in the table from the Points to address or value column (i.e.,mybusiness.com.mail.protection.outlook.com)

These values will be necessary when you add your domains to EMP Cloud

Adding domain(s) to EMP Cloud…

• Sign-in to the EMP Cloud user interface.
• Navigate to the ‘Administration‘ section and click Account Management > Domains
• Click on New Domain.
• Enter the domain name you wish to configure.
• Ensure “Relay” is selected for domain purposes.
• Enter the delivery and failover destinations’ values.
• Choose the method you wish to use for domain verification.
• Click Verify Now if you wish to verify your domain at this stage or Verify Later.

Each Domain must be verified before it can be enabled.

Repeat if you are adding more than 1 domain.

The delivery and failover destinations refer to the “points to” values captured in the previous section.

CONFIGURE OFFICE 365…

Microsoft Office 365 limitation

Please note that Microsoft has a limitation of their allow list. It does not allow you to enter a large IP range. The maximum size of a range is a /24; it will not recognize larger ranges. Unfortunately, you have to enter in the IP ranges twice in this set-up documentation: Connection Details

Bypass Spam Filtering in Office 365…

• Sign-In to the Office 365 Admin portal.
• Click on Admin > Exchange

This will launch the Exchange Admin Center

• Navigate to mail flow > rules.
• Click + icon to access the pull-down menu.
• Select By-pass spam filtering.
• In the new rule window, complete the required fields:
  • Enter a value for Name (e.g. By-pass Spam filtering for EMP Cloud)
  • For Apply this rule if… select The sender…IP address is in any of these ranges or exactly matches.
  • Add IP address to the IP address list.
    • Type in the address followed by the + icon.
    • Repeat for each IP address.
  • Ensure Set the spam confidence level (SCL) to is selected in the Do the following… menu
    • Do the following > Modify the message proprieties > set the spam confidence level > bypass spam filtering
  • Click Save.

SCL Bypass

Due to major complaints, Proofpoint has opted to change to the format of ensuring EMP Cloud mail is not scored via the O365 system. This rule will allow external email to come in still but will follow O365 scoring. This is to ensure no mail is lost.

Select the IP addresses that correspond to the stack you are hosted on. You can determine this by looking at the URL in your browser. For example, if your URL is https://empcloud.cloud-protect.net than you are on stack “US1”. Therefore look for that stack in the list of IP values. If you are unsure, please email support for clarification.

CREATE INBOUND CONNECTOR

An inbound connector is used to manage mail traffic between Office 365 and EMP Cloud.

• While accessing the Exchange Admin Center, click mail flow then connectors.
• Click + to launch control.
• For From select Partner Organization.
• For To select Office 365.
• Click Next.
• Enter a value for Name (e.g. EMP Cloud Inbound Connector).
• (Optional) Enter a value for Description (e.g. Inbound connector for EMP Cloud).
• Uncheck the turn it on setting. You will turn this inbound connector on once you are ready to cutover mailflow.
• Click Next.
• Select Use the sender’s IP address.
• Click Next.
• Click +.
• Add IP address to the IP address list.
  • Click +.
  • Type in the address followed by OK.
  • Repeat for each IP address.
• Clive Next.
• Ensure Reject email messages if they aren’t over TLS is checked.
• Click Next.
• Click Save.

SETUP OUTBOUND MAIL FLOW

EMP Cloud is deployed between the customer’s Office 365 environment and the Internet. Outbound mail is routed to EMP Cloud by configuring an outbound mail gateway.

Outbound instructions set-up for all mail-in tenant

Please note that these instructions are for all mail within in the tenant. If you custom routing, or extra outbound mail flow, other outbound routing and/or rules will be required to set-up.

CONFIGURE EMP Cloud

Enable Outbound Relaying

• Sign-in to the EMP Cloud user interface.
• Navigate to ‘Administration‘  and click Account Management > Features
• Check Enable Outbound Relaying.
• Click Save.

Add Service IP addresses to your Inbound Gateway

• While logged into the EMP Cloud user interface, navigate to ‘Administration‘ and click Account Management > Domains
• Click Managed Hosted Services.
• Choose Office 365.
• Click Save.

CONFIGURE OFFICE 365

Create Outbound Connector

• Sign-In to the O365 365 Admin portal.
• Navigate to Admin > Exchange.

This will launch Exchange Admin Center

• Click Mail Flow > Connectors.
• Click + to access menu.
• For From select Office 365.
• For To select Partner Organization.
• Click Next.
• Enter a value for Name (e.g. EMP Cloud).
• Enter a value for Description (e.g. Outbound connector for EMP Cloud).
• Uncheck the turn it on setting. You will turn this outbound connector on once you are ready to cutover mailflow.
• Click Next.
• For When do you want to use this connector? select Only when email messages are sent to these domains.
• Click +.
• Enter * to specify all domains.
• Click OK.
• Click Next.
• For How do you want to route email messages? select Route email through these smart hosts.
• Click + and enter your EMP Cloud smart host value (i.e., outbound-us1.ppe-hosted.com).
• Click Save.
• Click Next.
• For How should Office 365 connect to your partner organization’s email server? choose your preferred approach.
  • If you choose Always use Transport Layer Security (TLS) to secure the connection, please choose Any digital certificate, including self-signed certificates.
• Click Next.
• Click Next.
• Click + icon and enter an email address for validation.
• Click OK.
• Click Validate.
• Click Save.

If you are using EMP Cloud Professional service package and the Email Archive, you will need to create an additional outbound connector. Please refer to Configuring Journaling for Office 365 for additional steps.

If you are using another archiving service, you will need to create an additional outbound connector to ensure journal emailed is not sent to EMP Cloud. If it is sent to EMP Cloud it will be subject to outbound rate-limiting policies. Please contact your archiving service provider for instructions.

External Recipients of distro-groups/Auto-forwarding

Please note that EMP Cloud does not explicitly support some types of auto-forwarding.

• User-level forwarding – O365 support this for messages sent directly to the user
• Distribution Groups with external Recipients – EMP Cloud does not support this outbound behavior. A custom rule will be required to allow these messages out by by-passing the EMP Cloud smarthost.
• Distribution Groups with a user-level forward – Similar to external recipient, a by-pass rule will be required

CUTTING OVER MAILFLOW

ENABLE & TEST DOMAIN(S)

• Sign-in to the EMP Cloud user interface.
• Navigate to ‘Administration‘ and click Account Management > Domains
• Click the relay control to enable the domain for relay.

Once the domain is turned on, you will need to wait for EMP Cloud MTAs to be updated. This occurs every half-hour. You should not proceed to the next step until you’ve waited for this change to be applied.

• Click the test domain (clipboard) icon to verify EMP Cloud can deliver to the specified SMTP destination

UPDATE YOUR MX RECORDS

You will need to add EMP Cloud MX records to your DNS record.

You may want to add the MX records with a low priority ahead of your cutover. Once ready, you can then increase the priority of the EMP Cloud MX records while decreasing the priority of your existing MX record.

Update Sender Policy Framework (SPF)

When sending outbound email through the EMP Cloud gateway, recipients receive mail sent from EMP Cloud rather than Office 365 mail servers. If the recipient’s mail service attempts to verify that the message came from your domain, it must confirm that the gateway server is an authorized mail server for your domain.

To enable this, you need to add the EMP Cloud MX records to your domain.

ENABLE INBOUND CONNECTOR

• Sign-In to the O365 Admin portal.
• Navigate to Admin > Exchange.
• Click Mail Flow > Connectors.
• Select the Inbound Connector and click edit (pencil icon).
• Check the turn it on checkbox.
• Click Next and move through the next 3 screens.
• Click Save.

ENABLE OUTBOUND CONNECTOR

• Sign-In to the O365 Admin portal.
• Navigate to Admin > Exchange.
• Click Mail Flow > Connectors.
• Select the outbound connector and click edit (pencil icon).
• Check the turn it on checkbox and click next through the remaining screens.
• Click Validate.
• Click Save.

ENABLE BY-PASS SPAM FILTERING RULE

• While accessing the Exchange Admin Center, click mail flow > rules.
• Check the checkbox next to the mail flow rule you created previously.

VERIFY INBOUND MAILFLOW

• While logged into the EMP Cloud user interface, click the Logs tab.
• Select Any from the Status drop-down and click Search.
• Look for new entries to be listed in the search results.

VERIFY OUTBOUND MAILFLOW

• Send a test message from an Office 365 mailbox to an external SMTP address.
• While logged into the EMP Cloud user interface, click the Logs tab.
• Select Outbound mail from the type drop-down.
• Select Any from the status drop-down and click Search.
• Look for the test message that was sent.