Prerequisites for Migrating CloudFilter Domains to Shield

Description

For domains that are using CloudFilter, migrating to Shield requires extra steps before Shield can be deployed.

Partner Not-for-Resale (NFR) Domain Onboarding

CloudMail and XtraMail must be removed from the domain before onboarding. Please see the details below before proceeding with CloudMail removal.

The Not-for-Resale (NFR) domain onboarded to Shield is the partner's domain. This domain acts as the Parent Organization in Shield, and all customer Organizations are added under this Parent Organization.

Contact Partner Success to confirm the domain is marked NFR

The partner's Parent domain must be set as Not for Resale in the Mailprotector Console. Please open a ticket with Partner Success to request a review of the domain that will act as the Parent domain in Shield. Note that only a partner's domain can be the NFR domain. No customer domain can act as the Parent domain for Shield.

Only one primary domain may be under the Customer account in the Mailprotector Console

  • The business Customer account must have only one primary domain.
  • The primary domain is the NFR domain.
  • More than one primary domain will need to be reconfigured.

    • Two domains listed under the Customer account are not supported.
    • If both domains are in the same M365 tenant, please delete the secondary domain and set it as a domain alias of the primary business domain.
    • If the domains are in separate Microsoft 365 tenants, the other domains may be moved to a different Customer account in the Console.

Only one User Group may be in the Domain

  • The domain must have a single user group.
  • If additional groups exist, move all users or addresses to one group and delete the others.

Align Microsoft 365 domains with the Mailprotector Console

  • If you have more than one domain in your M365 tenant:
    • Ensure you have the appropriate domain as the primary in the Mailprotector Console (as described in the section above).
    • Add other domains as domain aliases to the primary domain in the Mailprotector Console.
  • IMPORTANT: High-risk filtering for messages with Dangerous Results is applied to the entire tenant. You can deploy Shield to individual domains in an M365 tenant and then onboard skipped domains later, but all domains in the tenant will receive high-risk message filtering.

Decrease the TTL on DNS records

You must add or update DNS records as part of Shield's deployment. If the TTL is set to a long interval, you may get stuck on a deployment step for several hours, waiting for cached DNS data to expire.

The TTL (time to live) of a DNS record instructs DNS lookups to cache data for a specific amount of time before checking the authoritative server for updates. This improves DNS efficiency across the internet but can also create a delay when verifying DNS changes on other services.

  • Many DNS host providers have default TTL settings of 1 hour to as high as 4 hours.
  • To ensure the records propagate quickly, make the TTL changes the day before deploying or at least 4 hours before deploying.
  • Please change the TTL to the shortest time allowed by the DNS host provider for:
    • SPF (a TXT record)
  • You will set the TTL back to the DNS host provider's defaults after deploying Shield.

The MX record must be changed back to the Microsoft 365 value

This step is critical if a Mailprotector domain was previously configured with CloudFilter MX records. If it is not performed before deploying Shield, the deployment will check for a valid MX record and will not proceed until the MX record is corrected.

To locate the tenant's Microsoft MX record, visit the Microsoft 365 Admin Center, expand Settings, then click Domains. Click the domain you will be onboarding to Shield, then click DNS Records and copy the MX record listed. Add this value to the domain's MX record in your DNS host.

CloudFilter Connectors and Transport Rules must be disabled in the Microsoft 365 tenant

Mailprotector's CloudFilter Inbound and Outbound Connectors and Transport Rules must be disabled before onboarding Shield.

CloudMail must be removed

  • If the NFR domain has CloudMail addresses, those must be moved or migrated to the M365 tenant.
  • Split-domain delivery is not supported with Shield. All addresses and mailboxes must be hosted on M365.

XtraMail must be removed

  • XtraMail is not compatible with Shield and must be removed from the domain.

Once all migration steps are complete, Shield can be deployed to the domain.

Getting Help

If you need assistance with preparing a Mailprotector domain for migration to Shield, please contact the Partner Success team.


Customer Domain Onboarding

CloudMail and XtraMail must be removed from the domain before onboarding. Please see the details below before proceeding with CloudMail removal.

The customer domain onboarded to Shield is organized underneath the Parent organization in Shield. 

Only one primary domain may be under the Customer account in the Mailprotector Console

  • The business Customer account must have only one primary domain.
  • More than one primary domain will need to be reconfigured.

    • Two domains listed under the Customer account are not supported.
    • If both domains are in the same M365 tenant, please delete the secondary domain and set it as a domain alias of the primary business domain.
    • If the domains are in separate Microsoft 365 tenants, the other domains may be moved to a different Customer account in the Console.

Only one User Group may be in the Domain

  • The domain must have a single user group.
  • If additional groups exist, move all users or addresses to one group and delete the others.

Align Microsoft 365 domains with the Mailprotector Console

  • If you have more than one domain in your M365 tenant:
    • Ensure you have the appropriate domain as the primary in the Mailprotector Console (as described in the section above).
    • Add other domains as domain aliases to the primary domain in the Mailprotector Console.
  • IMPORTANT: High-risk filtering for messages with Dangerous Results is applied to the entire tenant. You can deploy Shield to individual domains in an M365 tenant and then onboard skipped domains later, but all domains in the tenant will receive high-risk message filtering.

Decrease the TTL on DNS records

You must add or update DNS records as part of Shield's deployment. If the TTL is set to a long interval, you may get stuck on a deployment step for several hours, waiting for cached DNS data to expire.

The TTL (time to live) of a DNS record instructs DNS lookups to cache data for a specific amount of time before checking the authoritative server for updates. This improves DNS efficiency across the internet but can also create a delay when verifying DNS changes on other services.

  • Many DNS host providers have default TTL settings of 1 hour to as high as 4 hours.
  • To ensure the records propagate quickly, make the TTL changes the day before deploying or at least 4 hours before deploying.
  • Please change the TTL to the shortest time allowed by the DNS host provider for:
    • SPF (a TXT record)
  • You will set the TTL back to the DNS host provider's defaults after deploying Shield.

The MX record must be changed back to the Microsoft 365 value

This step is critical if a Mailprotector domain was previously configured with CloudFilter MX records. If it is not performed before deploying Shield, the deployment will check for a valid MX record and will not proceed until the MX record is corrected.

To locate the tenant's Microsoft MX record, visit the Microsoft 365 Admin Center, expand Settings, then click Domains. Click the domain you will be onboarding to Shield, then click DNS Records and copy the MX record listed. Add this value to the domain's MX record in your DNS host.
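The TTL and MX prerequisites above, for both the NFR and the customer domain, can be checked before deployment with a short script. This is an added example, not Mailprotector's own tooling: it parses the text printed by `dig +noall +answer`, and the function names, the 300-second threshold and the sample records (including the old filtering MX host) are constructed for illustration.

```python
import re

# One answer line as printed by `dig +noall +answer`: name, TTL, class, type, rdata.
ANSWER = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(MX|TXT)\s+(.+)$")

def parse_answers(text):
    """Return (name, ttl, rtype, rdata) tuples for the MX and TXT answer lines."""
    records = []
    for line in text.splitlines():
        m = ANSWER.match(line.strip())
        if m:
            records.append((m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4).strip()))
    return records

def preflight(text, expected_mx, max_ttl=300):
    """List the DNS prerequisites not met yet; an empty list means ready.

    expected_mx: MX host copied from the Microsoft 365 Admin Center.
    max_ttl: assumed stand-in for "the shortest TTL the DNS host allows".
    """
    problems = []
    records = parse_answers(text)
    want = expected_mx.lower().rstrip(".")
    # MX rdata is "<preference> <host>"; compare hosts without the trailing dot.
    mx_hosts = [r[3].split()[-1].lower().rstrip(".") for r in records if r[2] == "MX"]
    if not mx_hosts:
        problems.append("no MX record found")
    for host in mx_hosts:
        if host != want:
            problems.append(f"MX {host} is not the Microsoft 365 value {want}")
    # SPF is the TXT record whose value starts with v=spf1; other TXT records are ignored.
    spf = [r for r in records if r[2] == "TXT" and r[3].strip('"').lower().startswith("v=spf1")]
    if not spf:
        problems.append("no SPF TXT record found")
    for _, ttl, _, _ in spf:
        if ttl > max_ttl:
            problems.append(f"SPF TTL {ttl}s exceeds {max_ttl}s")
    return problems

# Constructed sample: old filtering MX still in place, 4-hour TTLs.
SAMPLE_BEFORE = """\
example.com.  14400  IN  MX   10 mx.filter.example.net.
example.com.  14400  IN  TXT  "v=spf1 include:spf.protection.outlook.com -all"
example.com.  14400  IN  TXT  "some-verification=abc123"
"""
# Constructed sample: MX restored to the tenant's value, TTLs lowered.
SAMPLE_READY = """\
example.com.  300  IN  MX   0 example-com.mail.protection.outlook.com.
example.com.  300  IN  TXT  "v=spf1 include:spf.protection.outlook.com -all"
"""
```

Run `dig` against the domain's authoritative name server when collecting the input, because a caching resolver reports the remaining cache lifetime rather than the configured TTL.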

CloudMail must be removed

  • If the NFR domain has CloudMail addresses, those must be moved or migrated to the M365 tenant.
  • Split-domain delivery is not supported with Shield. All addresses and mailboxes must be hosted on M365.

XtraMail must be removed

  • XtraMail is not compatible with Shield and must be removed from the domain.

Once all migration steps are complete, Shield can be deployed to the domain.

Getting Help

If you need assistance with preparing a Mailprotector domain for migration to Shield, please contact the Partner Success team.
