Description
By default, Exchange (and Exchange Online) routes all internal messages without them ever reaching the Internet. This prevents internal email from passing through Mailprotector's smarthost, and by association, Bracket encryption. Internal messages on Exchange are inherently more secure due to this behavior. However, some users may still have reasons to require filtering or Bracket encryption of internal email as well.
The steps below provide Transport Rule and Connector configurations that route internal email through Mailprotector's smarthost without conflicting with existing connector configurations.
Applies To:
CloudFilter, SafeSend, Bracket, Exchange Online, Office 365 (O365)
Prerequisites
This article assumes you have already completed the configuration of the outbound connector to route external email through Mailprotector's smarthost.
On-premises Exchange servers (2010, 2013, 2016, 2019) do not provide functions to alter internal mail routing without significant effort and third-party add-ins. Mailprotector cannot provide support for this use case. Microsoft 365 and the steps included in this article are for informational purposes. Mailprotector does not provide Microsoft 365 or Exchange Online support in its scope of services.
The Mailprotector filter is designed with Exchange Online's default internal routing behavior in mind. Filtering changes in Mailprotector will likely be necessary to avoid a high false positive rate if all internal messages are routed through Mailprotector's relay.
Configuration Steps
1. Modify the Outbound Connector
- Locate the Mailprotector outbound connector.
- Click on the Name of the outbound connector, then under Use of connector, click on Edit use.
- Change Use of connector to Only when I have a transport rule set up that redirects messages to this connector then click Next.
- Enter a test address, then click the + icon to validate this connector. This can be any external address that you have access to. Do not use an address that is the same as the domain you are configuring. Click Validate.
- Once validation is complete, click Save.
- Proceed to one of the two Transport Rule configurations below, depending on whether all internal mail should be routed to Mailprotector or only internal mail that will qualify for Bracket encryption.
Occasional validation failures may occur with the connector. This is a known issue with Microsoft. You can proceed with creating and enabling the connector despite the error.
2a. Create a transport rule that routes all internal mail through Mailprotector's smarthost
- Navigate to Mail Flow > Rules, click +Add a rule, then on Create a new rule.
- Add a descriptive name that will allow this rule to be easily distinguished from other transport rules.
- In Apply this rule choose The sender > Is external/internal > Inside the organization then click Save.
- Click the + to the right of the condition, then in the And line choose The recipient > Is external/internal > Inside the organization then click Save.
- Under Do the following... select Redirect the message to > the following connector > [the name of your Mailprotector outbound connector] then click Save.
- Under Except if select The message headers... > match these text patterns. Click on Enter text and Add > X-Mailprotector-ID then click on Save. Click on Enter words then Add > . (a period, with no other characters) and click Save.
- Click Next.
- Under Set rule settings leave all values as their defaults then click Next.
- Under Review and Finish, ensure that all values correctly match the instructions above then click on Finish.
Step 6 above is required in order to avoid a mail loop when the message passes back to Exchange. It is critical that each field matches the screenshot identically to prevent the mail loop.
2b. Route only internal mail which has a subject that matches for Bracket encryption
Perform all steps in 2a above through step 5 then do the following:
- Click the + to the right of the condition, then in the new And line choose The subject or body > subject matches these text patterns.
- Click on Enter text. Add the text below exactly as written, with no spaces before or after the text:
^\[.*\]
Click on Save.
Note: If using curly braces or pipes as the Bracket trigger, the following expressions will be used instead:
^\{.*\}
or
^\|.*\|
After these steps are complete, continue with steps 6 through 9 in 2a above.
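A scripted equivalent of sections 2a and 2b in Exchange Online PowerShell, added here as an example and not taken from Mailprotector's documentation. It assumes an existing Connect-ExchangeOnline session (ExchangeOnlineManagement module); the connector name and rule names are placeholders.

```powershell
# Added example, not Mailprotector's own script.
# Assumes: Connect-ExchangeOnline has already been run in this session.
$Connector   = 'Mailprotector Outbound'   # placeholder: name of your outbound connector
$BracketOnly = $false                     # $false = section 2a, $true = section 2b

# Section 1 check: the connector must be limited to transport-rule use
# before a rule redirects internal mail to it.
$oc = Get-OutboundConnector -Identity $Connector -ErrorAction Stop
if (-not $oc.IsTransportRuleScoped) {
    throw "Connector '$Connector' is not set to transport-rule use; complete section 1 first."
}

# Section 2a, steps 3-6: internal sender AND internal recipient, redirect to
# the connector, except when the X-Mailprotector-ID header is already present.
$rule = @{
    Name                               = 'Internal mail via Mailprotector'   # constructed name
    FromScope                          = 'InOrganization'
    SentToScope                        = 'InOrganization'
    RouteMessageOutboundConnector      = $Connector
    # Step 6: the exception the article requires to avoid a mail loop when the
    # message passes back to Exchange. '.' is the single-period pattern from step 6.
    ExceptIfHeaderMatchesMessageHeader = 'X-Mailprotector-ID'
    ExceptIfHeaderMatchesPatterns      = '.'
}

# Section 2b: additionally require the Bracket subject trigger.
# Swap in '^\{.*\}' or '^\|.*\|' for curly-brace or pipe triggers.
if ($BracketOnly) {
    $rule['Name']                   = 'Internal Bracket mail via Mailprotector'   # constructed name
    $rule['SubjectMatchesPatterns'] = '^\[.*\]'
}

New-TransportRule @rule | Out-Null

# Read the rule back and confirm the loop-prevention exception was stored.
$created = Get-TransportRule -Identity $rule['Name']
if ($created.ExceptIfHeaderMatchesMessageHeader -ne 'X-Mailprotector-ID') {
    Write-Warning "Rule '$($created.Name)' has no X-Mailprotector-ID exception; disable it before mail loops."
}
$created | Format-List Name, State, FromScope, SentToScope,
    RouteMessageOutboundConnector, SubjectMatchesPatterns,
    ExceptIfHeaderMatchesMessageHeader, ExceptIfHeaderMatchesPatterns
```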