Configuring an outbound connector in the Office 365 (O365) tenant domain is required to relay messages from O365 to Mailprotector's servers. The outbound connector is necessary to implement some of Mailprotector's solutions such as SecureStore archiving and Bracket email encryption.
Configuration steps for an inbound connector are in the Office 365 - Inbound Connector article.
Office 365, O365, Exchange Online, Exchange Online Protection
NOTE: The following steps apply to the Exchange Admin Center's new interface. If your interface doesn't match what is shown below, toggle "Try the new Exchange admin center" in the top right corner of the page.
Outbound Connector Configuration
- Open the Office 365 Admin Center and navigate to the Exchange Admin center, as shown in Figure 1. This link will open a new tab in your browser with the Exchange Admin Center.
- Find and click the 'connectors' link under the mail flow options, as shown in Figure 2. The link takes you to the connectors for the domain.
- You may have other connectors already listed. Click 'Add connector' to add a new connector. A new window will open to select your mail flow scenario. Select 'Office 365' for 'Connection from' and 'Partner organization' for 'Connection to', as shown in Figure 3. Then click the 'Next' button to continue.
- Enter a name for the connector, for example, Outbound-Mailprotector, and add a description if you would like. By default, the connector will be set to turn on, as shown in Figure 4. Click the 'Next' button to continue.
- Specify that this outbound connector applies to all domains: click the 'plus icon' to add a domain and enter a '*' to match all domains, as shown in Figure 5. Click the 'Next' button to continue.
- Mail will route through the Mailprotector smart host. Select 'Route email through these smart hosts' and click the 'plus icon' to add the appropriate outbound SMTP hostname.
NOTE: Find the hostname in the Mailprotector Console, on the Mail Flow tab for the domain you are provisioning, in the Outbound Mail section. The address follows the format yourdomain-tld.outbound.emailservice.io. The example shown in Figure 7 illustrates the mp-office365.com domain.
Click the 'Next' button to continue.
- Configure the connection to always use Transport Layer Security (TLS). The checkbox for 'Always use Transport Layer Security (TLS) to secure the connection' is checked by default; leave it checked and select 'Any digital certificate, including self-signed certificates' to complete this step, as shown in Figure 8. Click the 'Next' button to continue.
- Validate the configuration of the outbound connector by clicking the 'plus icon' and entering an email address that is not in the domain you are configuring. Using a general address from your company such as firstname.lastname@example.org is effective. Click the 'Validate' button to run the test.
- The validation test will take three steps to complete. During the test, a status window will display like the one shown in Figure 10. The test is complete when the window shows 'Validation successful' as in Figure 11. Click the 'Next' button.
- The final screen summarizes the steps taken above and should look similar to Figure 12. You may need to scroll your summary window to see all of the settings. Click the 'Next' button to continue.
- Click "Create Connector" and then "Done".
No Changes Needed in the Mailprotector Console
Mailprotector accepts all outbound relay IP addresses from Office 365 at a global level. No configuration of the Outbound SMTP Host Address in the Mailprotector Console is needed.
NOTE: When working with a multi-domain tenant where all domains route through Mailprotector, only a single outbound connector is needed. We will correctly handle the mail based on header information regardless of which Outbound Smarthost is used.
Best Practice: Create or Update the SPF TXT Record for the Domain
Email messages will be relayed from Mailprotector's servers. Improve the likelihood that messages are delivered successfully by creating or updating the SPF TXT record for the domain you are provisioning. The SPF record also makes it more difficult for spammers to spoof addresses of the domain.
The recommended SPF TXT record is "v=spf1 include:spf.us.emailservice.io -all"
If emails are sent from other servers or services in addition to Mailprotector, the SPF record will need to include the appropriate hostnames or IP addresses to maintain predictable outbound email flow. Submit a support request at Mailprotector Support if you need assistance with the SPF record.
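When a domain already has an SPF record, the Mailprotector include has to be merged into it rather than published as a second record. The following Python sketch is an added example, not Mailprotector's own tooling: it merges the recommended include into an existing record, keeps the 'all' term last, and checks the record's own DNS-lookup terms against the RFC 7208 limit. The function names and the sample record are assumptions made for illustration.

```python
import re

# Include recommended by the article; everything else here is illustrative.
MAILPROTECTOR_INCLUDE = "include:spf.us.emailservice.io"
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def term_name(term):
    """Return a term's name without qualifier or argument: '~all' -> 'all'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def merge_spf(txt_records, required=MAILPROTECTOR_INCLUDE):
    """Return (spf_record, warnings) with `required` placed before 'all'."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("more than one v=spf1 record; receivers return permerror")
    if not spf:
        return f"v=spf1 {required} -all", []

    terms = spf[0].split()[1:]
    body = [t for t in terms if term_name(t) != "all"]
    all_terms = [t for t in terms if term_name(t) == "all"]
    all_term = all_terms[-1] if all_terms else "-all"

    if required.lower() not in (t.lower() for t in body):
        body.append(required)

    # Counts only this record's own terms; nested includes add further lookups.
    lookups = sum(term_name(t) in LOOKUP_TERMS for t in body)
    if lookups > MAX_DNS_LOOKUPS:
        raise ValueError(f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS}")

    warnings = []
    if all_term.lower() != "-all":
        warnings.append(f"record ends in {all_term!r}; the article recommends '-all'")
    return "v=spf1 " + " ".join(body + [all_term]), warnings


if __name__ == "__main__":
    # Constructed sample: a domain that already sends through another service.
    current = ["v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ~all"]
    record, notes = merge_spf(current)
    print(record)
    for note in notes:
        print("warning:", note)
```

The function leaves an existing '~all' or '?all' in place and only warns, so that tightening the policy to '-all' remains a deliberate change made after all legitimate senders are listed.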