Configuring an inbound connector in the Office 365 (O365) tenant domain is required to restrict message delivery from Mailprotector's servers and prevent spammers from using a direct connection to the O365 host address, bypassing Mailprotector scanning.
IMPORTANT: The inbound connector will reject mail flow that does not come from Mailprotector after it is turned on.
If the MX records for your domain already point to Mailprotector, it is safe to turn on the inbound connector. If the MX record still points directly to Office 365 or another host, do not turn this connector on until Mailprotector is scanning email. The connector will not accept messages from the Internet when turned on.
Configuration steps for an outbound connector are in the Office 365 - Outbound Connector article.
Office 365, O365, Exchange Online, Exchange Online Protection
NOTE: The following steps apply to the Exchange Admin Center's new interface. If your interface doesn't match what is shown below, toggle "Try the new Exchange admin center" in the top right corner of the page.
Inbound Connector Configuration
- Open the Office 365 Admin Center and navigate to the Exchange Admin center, as shown in Figure 1. This link will open a new tab in your browser with the Exchange Admin Center.
- Find and click the 'connectors' link under the mail flow options, as shown in Figure 2. The link takes you to the connectors for the domain.
- You may have other connectors already listed. Click on 'Add a connector' to add a new connector. A new window will open to select your mail flow scenario. Select 'Partner organization' for 'From:' and 'Office 365' for 'To:' as shown in Figure 3. Then click the 'Next' button to continue.
- Enter a name for the connector, for example, Inbound-Mailprotector and add a description if you would like. As shown in Figure 4, uncheck the box to the left of 'Turn it on' to prevent an interruption of mail flow if the domain's MX record is not pointing at Mailprotector yet. Then click the 'Next' button to continue.
- Select the radio button for 'By verifying that the IP address of the sending server matches...' and click the 'plus icon' to add the addresses as shown in Figure 5. Add each address individually.
- Security restrictions can be left at default configurations, as shown below in Figure 6. Click Next to continue.
- The final screen summarizes the steps taken above and should look similar to Figure 7. You may need to scroll your summary window to see all of the settings. Click the 'Save' button to finish creating the inbound connector.
- You will return to the connectors for the domain. The inbound connector you just created will be turned off if you followed the directions in this article. You can confirm the rule is turned on or off by looking at the status of the connector as shown in Figure 9.
NOTE: If the MX records for your domain already point to Mailprotector, it is safe to turn on the inbound connector. If the MX record still points directly to Office 365 or another host, do not turn this connector on until Mailprotector is scanning email. The connector will not accept messages from the Internet when turned on.
Enable the Inbound Connector After Changing the MX Record to Point to Mailprotector
If the MX record for your domain has been changed to yourdomain.tld.us.emailservice.io, you are ready to turn on the inbound connector created above. Remember! The inbound connector will reject mail flow that does not come from Mailprotector after it is turned on.
- Return to the connectors in the Exchange Admin Center, select the inbound connector you created above, and click the 'Edit name or status' link to edit the connector.
- A new window opens. Click the checkbox to the left of 'Turn it on' as shown in Figure 10 and click the 'Save' button.
These instructions need to be updated. M365 now asks for different steps, including "When do you want to use this connector" and has options for routing through MX records or Smart Hosts. (I know, documenting microsoft changes is a never-ending struggle).