In most cases, the inbound connector to Microsoft 365's Exchange Online to secure mail flow from Mailprotector is sufficient. Emails arriving from Mailprotector often fail SPF and DMARC validation performed by Exchange Online Protection (EOP) or Microsoft Defender. Since the inbound connector establishes a trusted connection, this does not create a problem.
If there is a need to also use EOP or Microsoft Defender as a second filter of messages, configuring Enhanced Filtering will be required. The feature provides Microsoft with gateway IP information to properly perform SPF, DKIM, and DMARC evaluations when messages come through Mailprotector first.
WARNING: Configuring Enhanced Filtering for connectors increases the chances emails will be put into the Junk Email folder by Microsoft's filters. Microsoft will perform stricter filtering of emails when the gateway IP addresses are identified. Mailprotector has no control or influence on Microsoft's filtering actions. Users will need to be aware that emails can be held in Mailprotector's quarantine or the Junk Email folder of Outlook.
Please follow the instructions for Enhanced Filtering for Connectors in Exchange Online to complete the configuration. For more information or questions, please get in touch with Microsoft support.
Gateway IP Addresses
One of the steps in the configuration requires adding all the IP addresses used between the sending source and Mailprotector's gateway. The following list of IP addresses needs to be added to the IP addresses to skip list.
NOTE: Best practice is not to configure EOP or Microsoft Defender as a secondary email filter. The default settings typically work well. These instructions are a courtesy for those partners and their clients that deem using Microsoft's email filtering in addition to Mailprotector as a necessity. Mailprotector can only support the hops through the CloudFilter secure email gateway. Once emails are delivered to Exchange Online, Microsoft support will be required for further assistance.