Configuring an outbound connector in the Office 365 (O365) tenant domain is required to relay messages from O365 to Mailprotector's servers. The outbound connector is necessary to implement some of Mailprotector's solutions such as SecureStore archiving and Bracket email encryption.
Configuration steps for an inbound connector are in the Office 365 - Inbound Connector article.
BUG NOTIFICATION: We have received reports as of March 2, 2018 that some partners are not able to complete the verification (Step 10) when adding the outbound connector in Office 365. Microsoft is aware of the bug but has not provided an estimated time to resolution. The workaround is to create a transport rule that calls the outbound connector instead of relying on the connector to accept the "*" in step 5.
In Step 5, select 'Only when I have a transport rule set up that redirects messages to this connector' to implement the workaround.
Then follow the directions found in the article for the Outbound Connector Bug Workaround.
Office 365, O365, Exchange Online, Exchange Online Protection
Outbound Connector Configuration
- Open the Office 365 Admin Center and navigate to the Exchange Admin center, as shown in Figure 1. This link will open a new tab in your browser with the Exchange Admin Center.
- Find and click the 'connectors' link under the mail flow options, as shown in Figure 2. The link takes you to the connectors for the domain.
- You may have other connectors already listed. Click on the 'plus icon' to add a new connector. A new window will open to select your mail flow scenario. Select 'Office 365' for 'From:' and 'Partner organization' for 'To:' as shown in Figure 3. Then click the 'Next' button to continue.
- Enter a name for the connector, for example, 'Outbound to Mailprotector', and add a description if you would like. By default, the connector will be set to turn on as shown in Figure 4. Click the 'Next' button to continue.
- Specify that you want to use this outbound connector for all domains by clicking the 'plus icon' to add a domain and entering a '*' to match all domains. Click the 'OK' button to return to the previous window, as shown in Figure 5, and click the 'Next' button to continue.
- Mail will route through the Mailprotector smart host. Select 'Route email through these smart hosts' and click the 'plus icon' to add the appropriate outbound SMTP hostname.
NOTE: Find the hostname in the Mailprotector Console, on the Mail Flow tab for the domain you are provisioning, in the Outbound Mail section. The address follows the format yourdomain-tld.outbound.emailservice.io. The example shown in Figure 7 illustrates the mp-office365.com domain.
Click the 'Save' button to return to the previous window and click the 'Next' button to continue.
- Configure the connection to always use Transport Layer Security (TLS). By default, the checkbox for 'Always use Transport Layer Security (TLS) to secure the connection' is checked. Select 'Any digital certificate, including self-signed certificates' to complete this step, as shown in Figure 8. Click the 'Next' button to continue.
- The final screen summarizes the steps taken above and should look similar to Figure 9. You may need to scroll your summary window to see all of the settings. Click the 'Next' button to continue.
- Validate the configuration of the outbound connector by clicking the 'plus icon' and entering an email address that is not in the domain you are configuring. Using a general address from your company such as firstname.lastname@example.org is effective. Click the 'OK' button to return to the previous window as shown in Figure 10. Click the 'Validate' button to run the test.
- The validation test will take three steps to complete. During the test, a status window will display like the one shown in Figure 11. The test is complete when the window shows 'Done!' as in Figure 12. Click the 'Close' button to view the results of the validation test.
- The validation results should show connectivity to the smart host succeeded while the test email may show as failed. This result is typical because the sender address used in the test likely does not exist in the Mailprotector Console, which then fails as an invalid Mailprotector sender. The validation results should look similar to Figure 13. If the test email sends successfully, that is fine as well. Click the 'Save' button and click the 'Yes' button if you receive the warning dialog box regarding the unsuccessful validation test.
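The wizard choices above map onto Exchange Online PowerShell parameters, which also makes the result easy to audit later. This is an added example, not Mailprotector's or Microsoft's own script: the smart host is the placeholder from the NOTE, `Compare-ConnectorSettings` and `$Apply` are hypothetical names, and the sample connector object is constructed.

```powershell
# Placeholder from the NOTE above; copy the real value from the Mailprotector Console.
$SmartHost = 'yourdomain-tld.outbound.emailservice.io'
$Apply     = $false   # hypothetical switch: set to $true after Connect-ExchangeOnline

# Wizard choices expressed as New-OutboundConnector parameters.
$Desired = @{
    Name             = 'Outbound to Mailprotector'
    ConnectorType    = 'Partner'         # From: Office 365, To: Partner organization
    RecipientDomains = '*'               # all recipient domains
    SmartHosts       = $SmartHost        # 'Route email through these smart hosts'
    UseMXRecord      = $false
    TlsSettings      = 'EncryptionOnly'  # any certificate: TLS required, certificate not validated
    Enabled          = $true
}
# Bug workaround: drop RecipientDomains and set IsTransportRuleScoped = $true instead.

function Compare-ConnectorSettings {
    # Emits one line per setting on $Connector that differs from $Expected.
    param([Parameter(Mandatory)]$Connector, [Parameter(Mandatory)][hashtable]$Expected)
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $actual = @($Connector.$key) -join ','
        $want   = @($Expected[$key]) -join ','
        if ($actual -ne $want) { "${key}: expected '$want', found '$actual'" }
    }
}

# Constructed sample standing in for Get-OutboundConnector output: a connector
# left on MX routing with no smart host and TlsSettings unset.
$sample = [pscustomobject]@{
    Name = 'Outbound to Mailprotector'; ConnectorType = 'Partner'; Enabled = $true
    RecipientDomains = @('*'); SmartHosts = @(); UseMXRecord = $true; TlsSettings = $null
}
Compare-ConnectorSettings -Connector $sample -Expected $Desired

if ($Apply) {
    New-OutboundConnector @Desired
    Compare-ConnectorSettings -Connector (Get-OutboundConnector -Identity $Desired.Name) -Expected $Desired
    # Placeholder recipient outside the domain being configured, as in the validation step.
    Validate-OutboundConnector -Identity $Desired.Name -Recipients 'firstname.lastname@example.org'
}
```

With `$Apply` left at `$false` the script only compares the constructed sample against the desired settings and touches no tenant.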
No Changes Needed in the Mailprotector Console
Mailprotector accepts all outbound relay IP addresses from Office 365 at a global level. No configuration of the Outbound SMTP Host Address in the Mailprotector Console is needed.
Best Practice: Create or Update the SPF TXT Record for the Domain
Email messages will be relayed from Mailprotector's servers. Improve the likelihood that messages are delivered successfully by creating or updating the SPF TXT record for the domain you are provisioning. The SPF record also makes it more difficult for spammers to spoof addresses of the domain.
The recommended SPF TXT record is "v=spf1 include:spf.us.emailservice.io -all"
If emails are sent from other servers or services in addition to Mailprotector, the SPF record will need to include the appropriate hostnames or IP addresses to maintain predictable outbound email flow. Submit a support request at Mailprotector Support if you need assistance with the SPF record.
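A check for the SPF guidance above, as an added example (not Mailprotector's code). `Test-SpfRecord` is a hypothetical helper that inspects a domain's TXT strings for duplicate SPF records, the recommended include, the `-all` ending, and the RFC 7208 limit of 10 DNS-lookup terms; the TXT strings are constructed samples, with `spf.protection.outlook.com` standing in for another sending service.

```powershell
function Test-SpfRecord {
    # Emits findings for a domain's TXT record set; no output means no issue found.
    param([string[]]$TxtRecords, [string]$RequiredInclude = 'spf.us.emailservice.io')

    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { return 'no SPF record published' }
    if ($spf.Count -gt 1) { return "$($spf.Count) SPF records published; receivers treat this as a permanent error" }

    # Split the single record into its terms, dropping the version tag.
    $terms = @(($spf[0] -split '\s+') | Select-Object -Skip 1 | Where-Object { $_ })

    if ($terms -notcontains "include:$RequiredInclude") { "missing include:$RequiredInclude" }
    if ($terms[-1] -ne '-all') { "record does not end in -all (last term: '$($terms[-1])')" }

    # RFC 7208 section 4.6.4: at most 10 terms that cause DNS lookups.
    # Only terms in this record are counted; lookups inside included records are not.
    $lookupPattern = '^[+?~-]?(include|a|mx|ptr|exists)([:/]|$)|^redirect='
    $lookups = @($terms | Where-Object { $_ -match $lookupPattern }).Count
    if ($lookups -gt 10) { "$lookups DNS-lookup terms in the record; the limit is 10" }
}

# Constructed sample 1: the recommended record.
Test-SpfRecord @('v=spf1 include:spf.us.emailservice.io -all')

# Constructed sample 2: a record that predates the Mailprotector relay and soft-fails.
Test-SpfRecord @('v=spf1 include:spf.protection.outlook.com ~all')

# Constructed sample 3: a second SPF record added beside an existing one
# instead of merging the include into it.
Test-SpfRecord @(
    'v=spf1 include:spf.us.emailservice.io -all',
    'v=spf1 include:spf.protection.outlook.com -all'
)

# Constructed sample 4: both senders merged into one record.
Test-SpfRecord @('v=spf1 include:spf.us.emailservice.io include:spf.protection.outlook.com -all')
```

To check a live domain, pass the `Strings` values returned by `Resolve-DnsName -Type TXT` for that domain as `-TxtRecords`.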