Description
For domains that are using CloudFilter, migrating to Shield requires extra steps before Shield can be deployed.
Shield is compatible with Microsoft 365 tenant domains only.
Partner Not-for-Resale (NFR) Domain Onboarding
CloudMail and XtraMail must be removed from the domain before onboarding. Please see the details below before proceeding with CloudMail removal.
The partner's domain is the Not-for-Resale (NFR) domain onboarded to Shield. This domain acts as the Parent Organization in Shield, and all customer Organizations are added under this Parent Organization.
Contact Support to confirm the domain is marked NFR
The partner's Parent domain must be set as Not for Resale in the Mailprotector Console. Please open a ticket with Support to request a review of the domain that will act as the Parent domain in Shield. Note that only a partner's domain can be the NFR domain. No customer domain can act as the Parent domain for Shield.
Only one primary domain may be under the Customer account in the Mailprotector Console
This step is for customers who already exist in the Mailprotector Console. Please do not add new customers to the Mailprotector Console before deploying Shield. Instead, add new customers directly to Shield.
- The business Customer account must have only one primary domain.
- The primary domain is the NFR domain.
- More than one primary domain will need to be reconfigured.
- Two domains listed under the Customer account are not supported.
- If both domains are in the same M365 tenant, please delete the secondary domain and set it as a domain alias of the primary business domain.
- If the domains are in separate Microsoft 365 tenants, the other domains may be moved to a different Customer account in the Console.
Only one User Group may be in the Domain
- The domain must have a single user group.
- If additional groups exist, move all users or addresses to one group and delete the others.
Decrease the TTL on DNS records
You must add or update DNS records as part of Shield's deployment. If the TTL is set to a long interval, you may get stuck on a deployment step for several hours, waiting for cached DNS data to expire.
The TTL (time to live) of a DNS record instructs DNS lookups to cache data for a specific amount of time before checking the authoritative server for updates. This improves DNS efficiency across the internet but can also create a delay when verifying DNS changes on other services.
- Many DNS host providers have default TTL settings of 1 hour to as high as 4 hours.
- To ensure the records propagate quickly, make the TTL changes the day before deploying or at least 4 hours before deploying.
- Change the TTL to the shortest time allowed by the DNS host provider for the records the deployment will add or update, including:
  - SPF (a TXT record)
- You will set the TTL back to the DNS host provider's defaults after deploying Shield.
The MX record must be changed back to the Microsoft 365 value
This step is critical if a Mailprotector domain was previously configured with CloudFilter MX records. If it is not performed before deploying Shield, the deployment will check for a valid MX record and will not proceed until the MX record is corrected.
To locate the tenant's Microsoft MX record, visit the Microsoft 365 Admin Center, expand Settings, then click Domains. Click the domain you will be onboarding to Shield, then click DNS Records and copy the MX record listed. Set the domain's MX record at your DNS host to this value, replacing the CloudFilter MX entries rather than adding alongside them.
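A pre-flight check from the partner's workstation catches both failure modes described above before the deployment wizard does: a CloudFilter MX that is still published (deployment will not proceed) and a long TTL (deployment waits for caches to expire). The following is an added example, not code from Mailprotector or this guide. It assumes Windows PowerShell with the built-in DnsClient module (Resolve-DnsName); 'contoso.com', the expected MX host, the 8.8.8.8 resolver and the 300-second threshold are placeholder assumptions, with the MX host copied from the Admin Center page described above. It queries the zone's own authoritative name server so the TTL it reports is the configured value rather than a cache's countdown. The same check applies to the customer domains in the Customer Domain Onboarding section below.

```powershell
# Added example, not Mailprotector documentation code. Assumptions: Windows
# PowerShell with the built-in DnsClient module; 'contoso.com' and the expected
# MX host are placeholders to be replaced with the values shown in the
# Microsoft 365 Admin Center (Settings > Domains > <domain> > DNS Records);
# 300 s is an arbitrary definition of "short enough" for a pre-deployment TTL.
function Test-ShieldDnsReadiness {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $ExpectedMx,   # e.g. contoso-com.mail.protection.outlook.com
        [int]    $MaxTtlSeconds = 300,
        [string] $Resolver      = '8.8.8.8'            # any public recursive resolver
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    # Find an authoritative server for the zone and query it directly, so the
    # answer (and its TTL) is what is configured, not a partially expired cached copy.
    $ns = Resolve-DnsName -Name $Domain -Type NS -Server $Resolver -DnsOnly -ErrorAction Stop |
          Where-Object Type -eq 'NS' | Select-Object -First 1 -ExpandProperty NameHost

    # 1. MX must already be the Microsoft 365 value; deployment will not proceed otherwise.
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -Server $ns -DnsOnly -ErrorAction Stop |
            Where-Object Type -eq 'MX')
    if ($mx.Count -eq 0) {
        $problems.Add("no MX record published for $Domain")
    }
    foreach ($r in $mx) {
        $mxHost = $r.NameExchange.TrimEnd('.')
        if ($mxHost -ne $ExpectedMx) {
            $problems.Add("MX $($r.Preference) $mxHost is not the Microsoft 365 value $ExpectedMx (old CloudFilter MX still present?)")
        }
        if ($r.TTL -gt $MaxTtlSeconds) {
            $problems.Add("MX TTL ${($r.TTL)}s exceeds $MaxTtlSeconds s; lower it before deploying")
        }
    }

    # 2. SPF TXT record: only its TTL matters here, since the deployment updates its content.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -Server $ns -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'TXT' -and (($_.Strings -join '') -like 'v=spf1*') })
    if ($spf.Count -ne 1) {
        $problems.Add("expected exactly one SPF record, found $($spf.Count)")
    }
    foreach ($r in $spf) {
        if ($r.TTL -gt $MaxTtlSeconds) {
            $problems.Add("SPF TTL $($r.TTL)s exceeds $MaxTtlSeconds s; lower it before deploying")
        }
    }

    [pscustomobject]@{
        Domain    = $Domain
        Authority = $ns
        MxHosts   = $mx.NameExchange
        Ready     = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

# Usage (placeholder values): run before lowering TTLs, again a few hours later,
# and a final time after the MX change. Ready = $true means deployment will not stall here.
Test-ShieldDnsReadiness -Domain 'contoso.com' -ExpectedMx 'contoso-com.mail.protection.outlook.com'
```

A non-empty Problems list on the final run means the deployment wizard will stop at the MX check or wait on a long TTL; fix the record at the DNS host and re-run until Ready is true.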
Prepare all email-enabled domains in the M365 tenant
- Microsoft allows the addition of multiple domains to a tenant. The deployment process will recognize only email-enabled domains reported by Microsoft's API.
- Shield is applied to all addresses in M365 tenant domains selected for Shield deployment.
- Any domain that carries email addresses, licensed or not, must be email-enabled so that Microsoft's API reports it.
- If an email-enabled domain shows 'No services selected', click the domain name.
- Go to DNS Records and Manage DNS, and follow the guide to add the DNS records for the domain.
- Adding the Exchange and Exchange Online Protection service is what makes Microsoft report the domain as email-enabled, so Shield can recognize it.
Add 'bounces@' shared mailbox to facilitate forwarding rules
- Microsoft implemented the Sender Rewriting Scheme (SRS) in M365 to resolve SPF problems with auto-forwarding to external recipients.
- If you auto-forward any emails to an external email address (PSA applications such as Autotask, CRM applications, etc.), SRS rewrites the envelope sender (MAIL FROM) of the forwarded message to a 'bounces+SRS=...@' address on your domain, so that bounces for forwarded mail are returned to your tenant.
- Add a shared mailbox with the address bounces@your-unique-domain.tld to ensure proper delivery of auto-forwarded emails and their bounces.
- NOTE: Replace your-unique-domain.tld with the domain you are using in M365.
Disable Microsoft's First Contact Safety Tip
Microsoft's First Contact Safety Tip is triggered when an email is received from a first-time sender or from someone the user rarely corresponds with. When the tip is applied, it can sometimes cause messages to bounce with DKIM neutral or DMARC fail results, even when the sender's DNS records are correctly configured. Since Shield's New Sender banner already alerts users to first-time senders, Microsoft's First Contact Safety Tip can be safely disabled.
The first contact safety tip should be disabled for all active anti-phishing policies. To navigate to the anti-phishing policies, go to Microsoft Defender > Email & collaboration > Policies & rules > Threat policies > Anti-phishing.
Disable or uninstall other API-based email security applications
Email security applications should not be run simultaneously. The results of doing so will be unpredictable and potentially cause disruptions in service for all products involved.
CloudFilter Connectors and Transport Rules must be disabled in the Microsoft 365 tenant
Mailprotector's CloudFilter Inbound and Outbound Connectors and Transport Rules must be disabled before onboarding Shield.
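The tenant-side steps above (confirming the domain is email-enabled, creating the bounces@ shared mailbox, turning off the First Contact Safety Tip in every anti-phishing policy, and disabling the CloudFilter connectors and transport rules) can be done from Exchange Online PowerShell in one pass and left in a state that is easy to verify or roll back. The following is an added example, not code from Mailprotector or this guide. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the Exchange Administrator role; 'contoso.com' is a placeholder for the tenant domain, and the '*CloudFilter*' name pattern is an assumption about how the connectors and rules were named that must be checked against the tenant's actual Get-InboundConnector, Get-OutboundConnector and Get-TransportRule output before running without -WhatIf. Connectors and rules are disabled rather than deleted so the previous configuration can be restored if the deployment has to be backed out. The same steps apply to customer tenants in the Customer Domain Onboarding section below.

```powershell
# Added example, not Mailprotector documentation code. Assumptions: the
# ExchangeOnlineManagement module is installed; the account holds the Exchange
# Administrator role; 'contoso.com' is a placeholder tenant domain; the
# '*CloudFilter*' pattern is a guess at the connector/rule names and must be
# checked against Get-InboundConnector / Get-OutboundConnector / Get-TransportRule
# output before this is run without -WhatIf.
function Invoke-ShieldTenantPrep {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $CloudFilterNamePattern = '*CloudFilter*'
    )

    # 1. The domain must be an accepted (email-enabled) domain, or Shield's
    #    deployment will not see it in Microsoft's API.
    if (-not (Get-AcceptedDomain -Identity $Domain -ErrorAction SilentlyContinue)) {
        throw "$Domain is not an accepted domain in this tenant; add it with the Exchange/EOP service first."
    }

    # 2. bounces@ shared mailbox: SRS rewrites the envelope sender of auto-forwarded
    #    mail to bounces+SRS=...@<domain>, so the tenant needs a recipient for returns.
    $bounces = "bounces@$Domain"
    if (-not (Get-Mailbox -Identity $bounces -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($bounces, 'Create shared mailbox')) {
            New-Mailbox -Shared -Name 'bounces' -DisplayName 'Bounces' -PrimarySmtpAddress $bounces | Out-Null
        }
    }

    # 3. First Contact Safety Tip off in every anti-phishing policy
    #    (Shield's New Sender banner covers the same case).
    Get-AntiPhishPolicy | Where-Object EnableFirstContactSafetyTips | ForEach-Object {
        Set-AntiPhishPolicy -Identity $_.Identity -EnableFirstContactSafetyTips $false -WhatIf:$WhatIfPreference
    }

    # 4. Disable, rather than delete, the CloudFilter connectors and transport rules
    #    so they can be re-enabled if the Shield deployment has to be rolled back.
    Get-InboundConnector | Where-Object { $_.Name -like $CloudFilterNamePattern -and $_.Enabled } | ForEach-Object {
        Set-InboundConnector -Identity $_.Identity -Enabled $false -WhatIf:$WhatIfPreference
    }
    Get-OutboundConnector | Where-Object { $_.Name -like $CloudFilterNamePattern -and $_.Enabled } | ForEach-Object {
        Set-OutboundConnector -Identity $_.Identity -Enabled $false -WhatIf:$WhatIfPreference
    }
    Get-TransportRule | Where-Object { $_.Name -like $CloudFilterNamePattern -and $_.State -eq 'Enabled' } | ForEach-Object {
        Disable-TransportRule -Identity $_.Identity -Confirm:$false -WhatIf:$WhatIfPreference
    }

    # 5. Report what is still in the way, so the tenant state can be verified
    #    before Shield is deployed (all three counters should be 0 / $true).
    [pscustomobject]@{
        Domain                     = $Domain
        BouncesMailboxExists       = [bool](Get-Mailbox -Identity $bounces -ErrorAction SilentlyContinue)
        PoliciesWithSafetyTipOn    = @(Get-AntiPhishPolicy | Where-Object EnableFirstContactSafetyTips).Count
        EnabledCloudFilterConnects = @(@(Get-InboundConnector) + @(Get-OutboundConnector) |
                                       Where-Object { $_.Name -like $CloudFilterNamePattern -and $_.Enabled }).Count
        EnabledCloudFilterRules    = @(Get-TransportRule |
                                       Where-Object { $_.Name -like $CloudFilterNamePattern -and $_.State -eq 'Enabled' }).Count
    }
}

# Usage (placeholder domain): preview first, then run for real once the listed
# connectors and rules are confirmed to be the CloudFilter ones.
Connect-ExchangeOnline -ShowBanner:$false
Invoke-ShieldTenantPrep -Domain 'contoso.com' -WhatIf
Invoke-ShieldTenantPrep -Domain 'contoso.com'
```

Review the -WhatIf output before the real run: a connector or rule name that does not match the pattern stays enabled and will still route mail through CloudFilter after Shield is deployed, which is the unpredictable-overlap situation the previous step warns about.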
CloudMail must be removed
- If the NFR domain has CloudMail addresses, those must be moved or migrated to the M365 tenant.
- Split-domain delivery is not supported with Shield. All addresses and mailboxes must be hosted on M365.
XtraMail must be removed
- XtraMail is not compatible with Shield and must be removed from the domain.
Once all migration steps are complete, Shield can be deployed to the domain.
Customer Domain Onboarding
CloudMail and XtraMail must be removed from the domain before onboarding. Please see the details below before proceeding with CloudMail removal.
The customer domain onboarded to Shield is organized underneath the Parent organization in Shield.
Only one primary domain may be under the Customer account in the Mailprotector Console
This step is for customers who already exist in the Mailprotector Console. Please do not add new customers to the Mailprotector Console before deploying Shield. Instead, add new customers directly to Shield.
- The business Customer account must have only one primary domain.
- More than one primary domain will need to be reconfigured.
- Two domains listed under the Customer account are not supported.
- If both domains are in the same M365 tenant, please delete the secondary domain and set it as a domain alias of the primary business domain.
- If the domains are in separate Microsoft 365 tenants, the other domains may be moved to a different Customer account in the Console.
Only one User Group may be in the Domain
- The domain must have a single user group.
- If additional groups exist, move all users or addresses to one group and delete the others.
Decrease the TTL on DNS records
You must add or update DNS records as part of Shield's deployment. If the TTL is set to a long interval, you may get stuck on a deployment step for several hours, waiting for cached DNS data to expire.
The TTL (time to live) of a DNS record instructs DNS lookups to cache data for a specific amount of time before checking the authoritative server for updates. This improves DNS efficiency across the internet but can also create a delay when verifying DNS changes on other services.
- Many DNS host providers have default TTL settings of 1 hour to as high as 4 hours.
- To ensure the records propagate quickly, make the TTL changes the day before deploying or at least 4 hours before deploying.
- Change the TTL to the shortest time allowed by the DNS host provider for the records the deployment will add or update, including:
  - SPF (a TXT record)
- You will set the TTL back to the DNS host provider's defaults after deploying Shield.
The MX record must be changed back to the Microsoft 365 value
This step is critical if a Mailprotector domain was previously configured with CloudFilter MX records. If it is not performed before deploying Shield, the deployment will check for a valid MX record and will not proceed until the MX record is corrected.
To locate the tenant's Microsoft MX record, visit the Microsoft 365 Admin Center, expand Settings, then click Domains. Click the domain you will be onboarding to Shield, then click DNS Records and copy the MX record listed. Set the domain's MX record at your DNS host to this value, replacing the CloudFilter MX entries rather than adding alongside them.
Prepare all email-enabled domains in the M365 tenant
- Microsoft allows the addition of multiple domains to a tenant. The deployment process will recognize only email-enabled domains reported by Microsoft's API.
- Shield is applied to all addresses in M365 tenant domains selected for Shield deployment.
- Any domain that carries email addresses, licensed or not, must be email-enabled so that Microsoft's API reports it.
Add 'bounces@' shared mailbox to facilitate forwarding rules
- Microsoft implemented the Sender Rewriting Scheme (SRS) in M365 to resolve SPF problems with auto-forwarding to external recipients.
- If you auto-forward any emails to an external email address (PSA applications such as Autotask, CRM applications, etc.), SRS rewrites the envelope sender (MAIL FROM) of the forwarded message to a 'bounces+SRS=...@' address on your domain, so that bounces for forwarded mail are returned to your tenant.
- Add a shared mailbox with the address bounces@your-unique-domain.tld to ensure proper delivery of auto-forwarded emails and their bounces.
- NOTE: Replace your-unique-domain.tld with the domain you are using in M365.
Disable Microsoft's First Contact Safety Tip
Microsoft's First Contact Safety Tip is triggered when an email is received from a first-time sender or from someone the user rarely corresponds with. When the tip is applied, it can sometimes cause messages to bounce with DKIM neutral or DMARC fail results, even when the sender's DNS records are correctly configured. Since Shield's New Sender banner already alerts users to first-time senders, Microsoft's First Contact Safety Tip can be safely disabled.
The first contact safety tip should be disabled for all active anti-phishing policies. To navigate to the anti-phishing policies, go to Microsoft Defender > Email & collaboration > Policies & rules > Threat policies > Anti-phishing.
Disable or uninstall other API-based email security applications
Email security applications should not be run simultaneously. The results will be unpredictable and may cause disruptions to service for all products involved.
CloudFilter Connectors and Transport Rules must be disabled in the Microsoft 365 tenant
Mailprotector's CloudFilter Inbound and Outbound Connectors and Transport Rules must be disabled before onboarding Shield.
CloudMail must be removed
- If the customer domain has CloudMail addresses, those must be moved or migrated to the M365 tenant.
- Split-domain delivery is not supported with Shield. All addresses and mailboxes must be hosted on M365.
XtraMail must be removed
- XtraMail is not compatible with Shield and must be removed from the domain.
Once all migration steps are complete, Shield can be deployed to the domain.