Pre-flight checklist for adding a domain to Shield

Description

To ensure the successful deployment of Shield to a domain, a few prerequisites must be met. DNS and tenant configuration changes are verified at every step. Preparing for deployment will ensure a smoother and more successful deployment.

IMPORTANT: This article assumes you have already added your not-for-resale (NFR) domain to Shield. Customer organizations cannot be added to Shield until your NFR domain is added. Please see Pre-flight checklist for deploying Shield to your NFR domain before using this article.

Prerequisites for All Customers

 

Decrease the TTL on DNS records

WARNING: You must add or update DNS records as part of Shield's deployment. If the TTL is set to a long interval, you may get stuck on a deployment step for several hours, waiting for cached DNS data to expire.

The TTL (time to live) of a DNS record instructs DNS lookups to cache data for a specific amount of time before checking the authoritative server for updates. This improves DNS efficiency across the internet but can also create a delay when verifying DNS changes on other services.

  • Many DNS host providers have default TTL settings of 1 hour to as high as 4 hours.
  • To ensure the records propagate quickly, make the TTL changes the day before deploying or at least 4 hours before deploying.
  • Please change the TTL to the shortest time allowed by the DNS host provider for:
    • MX record
    • SPF (a TXT record)
  • You will set the TTL back to the DNS host provider's defaults after deploying Shield.

Prepare all email-enabled domains in the M365 tenant

  • Microsoft allows the addition of multiple domains to a tenant. The deployment process will recognize only email-enabled domains reported by Microsoft's API.
  • Shield is an 'all or nothing' solution applied to all addresses and domains in an M365 tenant.
  • Domains with email addresses, whether licensed or otherwise, must be configured to mail enablement to Microsoft's API. The Shield deployment process may omit domains without services and cause unexpected mail flow problems.

    • Click the domain name if you see 'No services selected' on an email-enabled domain.
    • Go to DNS Records and Manage DNS. Follow the guide to add DNS records for the domain.
    • Adding the Exchange and Exchange Online Protection service is necessary for Shield to recognize the email-enabled domain.
    • Perform this on all domains that need to be email-enabled with Shield.

 

Add 'bounces@' shared mailbox to facilitate forwarding rules

  • Microsoft implemented the Sender Rewriting Scheme (SRS) in M365 to resolve SPF problems with autoforwarding to external contacts.
  • If you auto-forward any emails to an external email address (PSA applications such as Autotask, CRM applications, etc.), SRS alters the sender to a 'bounces@' type of address.
  • Add a shared mailbox with an address of bounces@your-unique-domain.tld to ensure proper delivery of auto forwarded emails.
    • NOTE: Replace your-unqiue-domain.tld with the domain you are using in M365.

Prerequisites for Customers currently using CloudFilter

One primary domain in the Customer account

  • The Customer account must have only one primary domain.
  • The primary domain should be the intended primary domain in M365.
  • More than one primary domain will need to be reconfigured.

    • Two domains listed under the Customer account are not supported.
    • If both domains are in the same M365 tenant, please delete the secondary domain and set it as a domain alias of the primary business domain.
    • If the domains are in separate M365 tenants, the other domains may be moved to a different Customer account in the Console.

One group in the Domain

  • The domain must have a single group.
  • If additional groups exist, move all users or addresses to one group and delete the others.

Align M365 domains with Mailprotector Console

  • If you have more than one domain in your M365 tenant
    • Ensure you have the appropriate domain as the primary in the Mailprotector Console (as described in the section above.)
    • Add other domains as domain aliases to the primary domain in the Mailprotector Console.
  • IMPORTANT: Shield is applied to the entire tenant. You cannot deploy Shield to individual domains in an M365 tenant.

CloudMail needs to be removed

  • If the domain has CloudMail addresses, those must be moved or migrated to the M365 tenant.
  • Split-domain delivery is not supported with Shield. All addresses and mailboxes must be hosted on M365.

XtraMail needs to be removed

  • XtraMail is not compatible with Shield and must be removed from the domain.
Have more questions? Submit a request

Comments