Configure SecureStore Journaling with Microsoft Office 365


SecureStore will archive email messages that pass through the Mailprotector perimeter. (Outbound connectors must be configured to relay email through Mailprotector's smart host.) However, internal messages on Exchange Online will not be routed outside the Exchange environment. Therefore, creating a journaling rule in Exchange Online is necessary to journal messages between intra-domain users.

Applies To:

SecureStore archiving, Exchange Online, Microsoft 365, Office 365, M365, O365

IMPORTANT: The screenshots provided in this article may be slightly different. Microsoft continues to modify the Microsoft Office 365 and Exchange Online Admin Centers. If you need help with the configuration, please get in touch with the Partner Success team.

Please go to Configure SecureStore Journaling with Exchange 2013/2016 for on-premise or virtually hosted Exchange servers.


This article assumes you have already enabled SecureStore in the Mailprotector Console for the intended domain. If you have not enabled SecureStore in the Console, you will not have the journaling address needed to complete the journal rule configuration steps.

We recommend you have both the Mailprotector Console and the Exchange Admin Center open to complete the required steps.

Summary of Required Information

  • Unique journaling address from the Mailprotector Console.
  • An alternate email address for journaling non-delivery reports. This address should be something your support team monitors for problems.
  • Access to the Exchange Admin Center for your client's domain.

1. Obtain the Journaling Address

1a. How to Find the Address in the Mailprotector Console

  1. Navigate to the Mailprotector Console at
  2. Navigate to the domain you are working on in the Console
  3. Select the "Archiving" tab
  4. The Journaling Address will be at the bottom of the page for you to utilize

The SMTP Collector/Journaling Address is the unique mailbox assigned to the domain to capture messages for archiving. The address will be required later to configure the journal rule on the Exchange server or O365 tenant.

2. Configure the Journaling Connector

2a. Add Connector for Journaled Emails

The connector for journaled emails prevents journaling from using the Mailprotector smart host. Journaled messages should not be filtered.

The following steps are performed from the Exchange Admin Center (EAC). If you need help accessing the EAC in 365, please get in touch with your team's Exchange expert.


On the Exchange Admin Center page, navigate to Mail Flow --> Connectors. EAC_fig3.png
Click the Add a connector link on the Connectors page. EAC_fig4.png
Select Office 365 as the connection from and Partner organization as the connection to. 2023-01-04_15-50-32.png
Create a name for the new connector, such as SecureStore Connector. The description can be left blank or used to document the connector's purpose. ConnectorName.png

Select Only when email messages are sent to these domains.

The domain to add is:


Select Routing email through these smart hosts.

The host to add is:

Use the default settings for security restrictions. SecRestrictions.png
Add the journaling address from Step 1a to validate the connector. Validation.png


2b. Configure Journaling Rule

After creating the connector for journaled messages, add the journaling rule to Exchange Online. The rule is designed to journal internal emails only. Email coming from or going to the internet is journaled automatically by Mailprotector.

Go to the Compliance Admin Center. ComplianceCenter.png
In the Compliance Admin Center (Microsoft Purview), click on Exchange (legacy) under the Data lifecycle management menu. ExchangeLegacy.png
Click on Journal rules and then New rule to begin the creation of the journaling rule. NewJournalRule.png

Add the journaling address from Step 1a to the Send journal reports to field.

Select Everyone for Journal messages sent or received from, and Internal messages only for Type of message to journal.

Modify the Journal rule name if desired, for example:
SecureStore Journaling

Click the Submit button on the review rule page. SubmitJournalRule.png


3. (Optional) Prevent winmail.dat Type Messages from Being Archived

Unfortunately, email encoding can cause winmail.dat files to be attached to emails despite an administrator's best efforts to configure the server and clients to use HTML or plain text messaging. Configuring a mail flow rule for the remote domain to the SecureStore archive can prevent the archiving of winmail.dat attachments.

BEST PRACTICE: We recommend configuring this mail flow rule to prevent the winmail.dat file, especially with messages sent from your client's organization, and include both an internal and external recipient. That type of message is the most likely to create winmail.dat attachments.

From the Exchange Admin Center (EAC) -

Click on Remote domains from the Mail flow menu. ExchAdminCenter.png
Click on Add a remote domain on the Remote domains page. RemoteDomains.png

Give the remote domain a descriptive Name such as:

SecureStore Archiving


The Remote domain is:

Select None for Out of Office automatic reply types, and leave the Automatic replies default as checked. SetReplyTypes.png
The Message reporting default options are correct. MessageReporting.png
Select Never for Use rich-text format, and leave None as the default option for both Supported Character Sets. TextCharacterSet.png
Click the Save button on the Review page to complete the configuration. SaveAfterReview.png


This completes the journaling configuration to SecureStore from your Microsoft Office 365 tenant.

NOTE: Propagation of the new settings could take an hour or more to filter through Microsoft 365 services. The exact timeframes are unknown to Mailprotector.

If you have more questions about configuring the journaling rule in 365 or find errors with this knowledge base article, please contact the Partner Success team.

Have more questions? Submit a request