Pre-flight checklist for deploying Shield to your NFR domain


Before deploying Shield to your NFR (not-for-resale) domain, a few prerequisites must be met to ensure the deployment completes successfully.

If you receive an error that your domain needs to be ready for Shield deployment, this article is the reference to help identify what is missing or requires reconfiguration.


Designated NFR domain

  • Your business domain must be in the Mailprotector Console and designated as an NFR domain.
  • New partners typically have their business domain added to the Console during the new partner training call. The domain is set as the NFR domain at the end of the training call.
  • Existing partners may verify the NFR domain from your current statement in the Billing tab or request assistance if you need clarification.

One primary domain in the Customer account

  • The business Customer account must have only one primary domain.
  • The primary domain is the NFR domain.
  • More than one primary domain will need to be reconfigured.

    • Two domains listed under the Customer account are not supported.
    • If both domains are in the same M365 tenant, please delete the secondary domain and set it as a domain alias of the primary business domain.
    • If the domains are in separate M365 tenants, the other domains may be moved to a different Customer account in the Console.

Align M365 domains with Mailprotector Console

  • If you have more than one domain in your M365 tenant
    • Ensure you have the appropriate domain as the primary in the Mailprotector Console (as described in the section above.)
    • Add other domains as domain aliases to the primary domain in the Mailprotector Console.
    • Adding the domain aliases assures proper email flow to customers you manage who are still using CloudFilter. The CloudFilter perimeter will be able to validate your email addresses.
  • IMPORTANT: Shield is applied to the entire tenant. You cannot deploy Shield to individual domains in an M365 tenant.

CloudMail needs to be removed

  • If the NFR domain has CloudMail addresses, those must be moved or migrated to the M365 tenant.
  • Split-domain delivery is not supported with Shield. All addresses and mailboxes must be hosted on M365.

User Sync must be configured and synced

  • Only required for the business NFR domain, not customer domains.
  • User Sync must be configured for the M365 tenant, and 'Sync & Save' must be run to gather all addresses from the tenant into the Console. Please enable the automatic hourly sync as well.
  • This step ensures the addresses are recognized by CloudFilter which will still validate your business domain when communicating with your customer still using CloudFilter.

Prepare all email-enabled domains in the M365 tenant

  • Microsoft allows the addition of multiple domains to a tenant. The deployment process will recognize only email-enabled domains reported by Microsoft's API.
  • Shield is an 'all or nothing' solution applied to all addresses and domains in an M365 tenant.
  • Domains with email addresses, whether licensed or otherwise, must be configured to mail enablement to Microsoft's API. The Shield deployment process may omit domains without services and cause unexpected mail flow problems.

    • Click the domain name if you see 'No services selected' on an email-enabled domain.
    • Go to DNS Records and Manage DNS. Follow the guide to add DNS records for the domain.
    • Adding the Exchange and Exchange Online Protection service is necessary for Shield to recognize the email-enabled domain.
    • Perform this on all domains that need to be email-enabled with Shield.


Have more questions? Submit a request