Description
Configuring an inbound connector in the Microsoft 365 (M365) tenant domain is required to restrict message delivery from Mailprotector's servers and prevent spammers from using a direct connection to the M365 host address, bypassing Mailprotector scanning.
IMPORTANT: The inbound connector will reject mail flow that does not come from Mailprotector after turning it on.
If the MX records for your domain already point to Mailprotector, it is safe to turn on the inbound connector. If the MX record still points directly to Office 365 or another host, do not turn this connector on until Mailprotector is scanning email. The connector will not accept messages from the Internet when turned on.
Configuration steps for an outbound connector are in the Office 365 - Outbound Connector article.
Applies to:
Microsoft 365, M365, Office 365, O365, Exchange Online, Exchange Online Protection
Configuration Steps
NOTE: The following steps apply to the Exchange Admin Center's new interface. If your interface doesn't match what is shown below, toggle "Try the new Exchange admin center" in the top right corner of the page.
Inbound Connector Configuration
- Open the Microsoft 365 Admin Center and navigate to the Exchange Admin Center, as shown in Figure 1. This link will open a new tab in your browser with the Exchange Admin Center.
Fig. 1 - Find and click the 'connectors' link under the mail flow options, as shown in Figure 2. The link takes you to the connectors for the domain.
Fig. 2 - You may have other connectors already listed. Click on 'Add a connector' to add a new connector. Select 'Partner organization' for 'From:' and 'Office 365' for 'To:' as shown in Figure 3. Then click the 'Next' button to continue.
Fig. 3 - Enter a name for the connector, for example, Inbound from Mailprotector, and add a description if you would like. As shown in Figure 4, uncheck the box to the left of 'Turn it on' if you have not changed the MX record to point to Mailprotector yet. Then click the 'Next' button to continue.
Fig. 4 - Select the radio button for 'By verifying that the sender domain matches one of the following domains' and add the asterisk (*) wildcard as shown in Figure 5.
Fig. 5 - Security restrictions will leave 'Reject email messages if they aren't sent over TLS' checked. Also, check the box for 'Reject email messages if they aren't sent from within this IP address range, and add each address individually, as shown below in Figure 6. Click Next to continue.
The IP addresses are:
52.0.70.91
52.0.31.31
52.0.74.211
Fig. 6 - The final screen summarizes the steps taken above and should look similar to Figure 7. Click the 'Save' button to finish creating the inbound connector.
Fig. 7 - You will return to the connectors for the domain. The inbound connector you just created will be turned off if you follow the directions in this article. You can confirm whether the rule is turned on or off by looking at the status of the connector, as shown in Figure 8.
Fig. 8
NOTE: If the MX records for your domain already point to Mailprotector, it is safe to turn on the inbound connector. If the MX record still points directly to Office 365 or another host, do not turn this connector on until Mailprotector is scanning email. The connector will not accept messages from the Internet when turned on.
Implementation Steps
Enable the Inbound Connector After Changing the MX Record to Point to Mailprotector
If the MX record for your domain has been changed to yourdomain.tld.us.emailservice.io, you are ready to turn on the inbound connector created above. Remember! The inbound connector will reject mail flow that does not come from Mailprotector after it is turned on.
- Return to the connectors in the Exchange Admin Center, select the inbound connector you created above, and click the 'Edit name or status' link to edit the connector.
Fig. 9 - A new window opens. Click the checkbox to the left of 'Turn it on' as shown in Figure 10, and click the 'Save' button.
Fig. 10
Updated