background

SpamExperts KnowledgebaseIncoming Filtering

Configure Office 365 with SpamExperts

Inbound filtering

Basic steps to protect your domain, you need to: 

  1. Add the domain via the SpamExperts webinterface, ensure the destination route is set to the MX record hostname provided by Office 365 
  2. Add a rule to Office365 to ensure email from the filtering servers is always accepted and not wrongly classified as spam
  3. Change the MX records of the domain in the DNS to point to the SpamExperts provided MX record hostnames

IP based rule to always accept from the filtering servers

In your Office 365 environment, you can create a partner connector and rule to bypass the local spam filtering for the filtering IPs.

  • Log in to the Exchange Admin Center
  • Click on mail flow > connectors

  • Click the + (plus sign)
  • Choose Partner organization as the From and Office 365 as the To, then click Next
  • Give the connector a name, then click Next
  • Choose Use the sender's IP address then click Next
  • Add the SpamExperts IPs listed on: https://noc.spamexperts.net/
  • Ensure that Reject email messages if they aren't sent over TLS is ticked and click Next
  • Verify the settings and click Save
  • Click on mail flow > Rules
  • Under Rules, click on the + (plus button) and choose Bypass spam filtering...
  • Enter a rule name (e.g. Disable filtering for SpamExperts)
  • Choose Apply this rule if... > Senders IP Address is in any of these ranges or exactly matches
  • Add the SpamExperts delivery IPs listed on https://noc.spamexperts.net/
  • Ensure that Do the following... is set to: Modify the message properties > Set the spam confidence level (SCL) > Bypass spam filtering

  • Click OK
  • Click Save
  • Spam filtering will no longer apply to the filtering servers, avoiding Office365 to wrongly mark legitimate emails as spam (e.g. because SPF would fail)


Our NOC page allows to subscribe to receive a notification of the email address pool changes (not relevant when your service support an IP range).

X Header based rule to accept email from the filtering servers

The disadvantage of this method is that spammers could technically spoof the header, hence bypassing the build-in filtering. The advantage is that no IP addresses are required to be kept up-to-date.

  • Login to the Office 365 "Exchange admin center"
  • In the Dashboard, select Rules in the Mail Flow section
  • Under Rules, click the +button and choose Create a new rule...
  • Enter a Name for your rule, e.g. 'SpamExperts spamfilter bypass'.
  • Click More Options
  • Create Rule "A message header includes"X-Recommended-Action" header includes >> contains "accept".
  • Click +.
  • Click OK.
  • In the "Do the following" part, select "Modify the message properties" >> "Set the spam confidence level (SCL)" >> "Specify SCL" >> "Bypass spam filtering"
  • Click OK.

Outbound filtering

Basic steps to protect your domain's outbound mailflow, you need to: 

  1. Add your sender Office365 sender domain as an "Authenticating Domain", with "Re-authentication permitted:" explicitly set
  2. Setup a connector in Office 365 to relay the outgoing email via the email security smarthost

Setup outbound user in SpamExperts

  1. Go to the domain dashboard, choose "Manage users" in the "Outgoing" section
  2. At the bottom of the page, select the "Authenticating Domain" tab. Specify your Office365 sending domain, and provide a secure random password 
  3. Once the user has been added, click the dropdown icon on the left of the user and select "Edit"
  4. Verify the configuration and ensure the limits are either disabled or match your expected traffic
  5. Ensure "Re-authentication permitted" is selected, this is required for the sending domain to be allowed from Office365
  6. Save the user settings


Setup a transport rule in Office 365

  1. Login to the Office365 "Exchange admin center"
  2. In the dashboard, go to Connectors in the Mail Flow section
  3. Create new connector from Office365 to Partner Organization and give it a name
  4. Select Only when I have a transport rule set up that redirects messages to this connector
  5. Select "Route email through these smart hosts" and add port25.smtp.antispamcloud.com
  6. Check Always use Transport Layer Security (TLS) to secure the connection (recommended) and select Issued by a trusted certificate authority (CA)
  7. Validate the connector (e.g. using recipient no-reply@antispamcloud.com) and save
  8. In the Exchange Dashboard, go to Rules in the Mail Flow section
  9. Under Rules, click the +button and choose Create a new rule...
  10. Enter a Name for your rule, e.g. 'Route sending domain via filtering smarthost'.
  11. Click More Options
  12. Set "Apply this rule if..." to "The sender's domain is..."
  13. Specify as sender domain the domain you previously added as an "Authentication Domain" outgoing user to SpamExperts (similarly you could setup a rule for specific senders addresses only)
  14. Set "Do the following..." to "Redirect the message to", "The following connector"
  15. Set the smarthost connector you previous created
  16. Save the rule

Once this is done, any traffic matching your outgoing sender domain should be relayed via the transport rule and hence be processed by the filtering servers.

Email archiving

Basic steps to archive your domain's email:

  1. Ensure that archiving is enabled on the domain in SpamExperts ("Status" page in "Archive" section)
  2. Any inbound/outbound email passing the domain will automatically be archived by default
  3. Setup a filter rule to also archive the Office 365 internal message using a mail rule, or for archive-only set a rule to archive all email

Archiving combined with protection

  1. Go to the domain dashboard, enable the archiving service on the "Status" page  in the "Archive" section
  2. By default, all inbound/outbound email processed by the filtering servers for the domain will now be archived
  3. Optionally restrict which recipients should be archived on the "Archived recipients" page
  4. Login to the Office365 "Exchange admin center"
  5. In the dashboard, go to journal rules in the compliance management section
  6. First choose "select address" for "Send undeliverable journal reports to:". This should be a valid recipient to be informed in case of journal failures.
  7. Next add a journal rule:
    Send journal reports to: You can find the "Global journal address" which is unique for your domain on the "Status" page in the "Archive" section of SpamExperts. E.g. "47034d58-47e0-451a-bf64-25327148361d-example.com@MX-record-hostname". Replace "MX-record-hostname" with the primary MX record you were provided with for your security filtering, or simply use mx.spamexperts.com.
    Name: SpamExperts journal archive rule
    If the message is sent to or received from: [Apply to all messages]
    Journal the following messages: Internal messages only (in case you use protection), all messages (this would cause duplicate archiving if you also archive via the protection service)

Local Cloud outgoing filtering

For this to work successfully the following is needed:

  1. A minimum of 2 IPs on a node
  2. The secondary IP configured to use port 25 for outbound usage. Please contact support@spamexperts.com to have this enabled on a secondary IP.
  3. Office365 IP's added to a controlled authenticating domain.
  4. Make sure that you add these with the option Re-authenticate as sending domain enabled
  5. Add the sending domains to the interface
  6. Add an authenticating outgoing user  for each sending domain (this allows logging to be stored on the sending domain).
  7. Enable Re-Auth permitted option for the outgoing user domain in the settings page
  8. Configuration of The Office365 interface using the steps above (replacing the SMTP hostname with your own hostname) .

As Office365 can sometimes change their IPs without notice, its advised to periodically check and update the existing IPs added.


Was this article helpful?

Related articles

Search result for :