Manually creating Bracket Connector & Transport Rule in Microsoft 365


Due to issues with 2FA, or specific Admin account roles. Our automated Bracket-only (MX-less Bracket) setup may fail and present a "Invalid MFA or Admin Credentials" error. The steps below will instruct how to configure the connector and transport rule manually in O365 if the automated setup cannot.


  • Access to the O365 Exchange admin center.

    Warning: If any other services (signature service, outbound filter, etc) are routing the domains outbound mail elsewhere, you should submit a ticket to Partner Success to ensure these rules will not interfere with their existing services.

Configuring the Connector

  1. Open the Office 365 Admin Center and navigate to the Exchange Admin center, as shown in Figure 1. This link will open a new tab in your browser with the Exchange Admin Center.

    Fig. 1

  2. Find and click the 'connectors' link under the mail flow options, as shown in Figure 2. The link takes you to the connectors for the domain.

    Fig. 2

  3. You may have other connectors already listed. Click on the 'Add connector' to add a new connector. A new window will open to select your mail flow scenario. Select 'Office 365' for 'Connection from' and 'Partner organization' for 'Connection to' as shown in Figure 3. Then click the 'Next' button to continue.

    Fig. 3

  4. Enter a name for the connector, for example, "Bracket Outbound" and add a description if you would like. By default, the connector will be set to turn on as shown in Figure 4. Click the 'Next' button to continue.

    Fig. 4

  5. Select the "Only when I have a transport rule set up that redirects messages to this connector" option.

    Fig. 5

  6. Select the "Route email through these smart hosts" option, and configure "Encrypt.Bracket.Email" as the smart host.

    Fig. 6

  7. Configure the connection to always use Transport Layer Security (TLS). By default, the checkbox for 'Always use Transport Layer Security (TLS) to secure the connection' is checked as shown in Figure 8. Click the 'Next' button to continue.

    Fig. 7

  8. Validate the configuration of the outbound connector by clicking the 'plus icon' and entering an email address that is not in the domain you are configuring. Using a general address from your company such as is effective. Click the 'Validate' button to run the test.

    Fig. 8


  9. The validation test will take three steps to complete. During the test, a status window will display like the one shown in Figure 10. The test is complete when the window shows 'Validation successful' as in Figure 11. Click the 'Next' button.

    Fig. 9
    Fig. 10

  10. The final screen summarizes the steps taken above and should look similar to Figure 11. You may need to scroll your summary window to see all of the settings. Click the 'Next' button to continue.

    Fig. 11

Configuring the Transport Rule

  1. In the Exchange Admin Center, navigate to Mail Flow > Rules, and click "Add a rule" and "Create a new rule".

    Fig 1

  2. Add a descriptive name that will allow this rule to be easily distinguished from other transport rules.
  3. Click the "+" sign to the right of the first "Apply this rule if" line twice, to add two more "Apply this rule if" statements.

    Fig. 2

  4. The first criteria of the transport rule should be configured as "The sender, domain is". A pane will then swing out, and you can add the domain(s) in the tenant that will be using Bracket.

    Fig. 3

  5. The second criteria of the transport rule should be configured as "The Recipient, is external/internal". The "Select sender location" pane that swings out, should be changed to "Outside the organization".

    Fig. 4

  6. The third "Apply this rule if" statement should be configured to read as "The subject matches these text patterns". The subject criteria should be configured with the Regex strings listed below to identify the trigger you wish to set for Bracket.
    ^\[.*\]  <-- brackets
    ^\{.*\}   <-- curly braces
    ^\|.*\| <-- pipes

    Fig. 5

  7. The “Do the following” line should read as “Redirect the message to, the following connector”. It should then let you choose the connector we created in “Configuring the Connector” section above.

    Fig. 6

  8. Once the transport rule is configured as above, you can continue with the "Next" Option. No exception is needed for this transport rule and can be left blank.

    Warning: You should verify that no automated systems or services already send with Brackets surrounding the subject line. The typical culprits are usually scanners, or ticketing systems. You may want to configure an exception for those sender addresses if they do send with the Bracket trigger you have selected.

  9. The "Set rule settings" page of the transport rule creation should have the option to "stop processing more rules" enabled as shown in the screenshot below. The rest of the options on this page can remain default.

  10. You will then see a "Review and finish" page. As long as the transport rule matches what is shown in the screenshot below, with the correct domains and Bracket trigger, you can finish.

    Fig. 7

  11. The Transport rule will create in a disabled state. Make sure you enable the transport rule if the domain is ready to start using Bracket.
Have more questions? Submit a request


  • Avatar
    Pedro Miranda

    Thanks for sharing this article, Jared. This will help us greatly until the scripts get updated by DevOps. I won't be afraid of Bracket setups going forward lol.