We use Office 365 and Exchange Online Protection (EOP) as our email hygiene solution. If…
A third-party spam filter works perfectly with Microsoft 365 if you configure it correctly. One important configuration you must apply is to lock down the Exchange Online organization and only accept mail from the third-party spam filter. If you don’t do that, attackers bypass the third-party mail filtering and deliver spam messages directly to Microsoft 365. In this article, you will learn how to configure Microsoft 365 to only accept mail from third-party spam filter.
Table of contents
- Attackers bypass third-party spam filtering
- Only accept mail from third-party spam filter
- Configure enhanced filtering on connector
- Test Microsoft 365 only accept mail from third-party spam filter
Attackers bypass third-party spam filtering
You must read the article about how attackers bypass third-party spam filtering so you have a clear understanding of how it works.
Only accept mail from third-party spam filter
Most third-party cloud service software shows you how to add a connector in Microsoft 365 for incoming messages and add the cloud service third-party IP addresses. After that, you can start enjoying mail filtering through the third-party spam filter. But unfortunately, this is not the correct approach. They forget to tell you an important step, which is to explicitly ONLY accept mail from the third-party service.
There are two methods to restrict mail to only accept from third-party spam filter:
- Create inbound connector and set restriction with PowerShell
- Create inbound connector and set restriction in Microsoft 365 Exchange admin center
Let’s look at both of these methods.
Method 1. Create inbound connector and set restriction with PowerShell
Lock down your Exchange Online organization to only accept mail from your third-party spam filter with PowerShell by following these steps:
2. Run the New-InboundConnector cmdlet and fill in the details:
- Name: The name of the inbound connector
- RequireTls: True (consult your third-party spam provider)
- ConnectorType: Partner
- SenderDomains: *
- RestrictDomainsToIPAddresses: True
- SenderIpAddresses: The third-party spam filter IP addresses
PS C:\>New-InboundConnector -Name "Third-party spam filter" -RequireTls $true -ConnectorType Partner -SenderDomains * -RestrictDomainsToIPAddresses $true -SenderIpAddresses 126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168
Method 2. Create inbound connector and set restriction in Microsoft 365 Exchange admin center
Lock down your Exchange Online organization to only accept mail from your third-party spam filter in Microsoft 365 Exchange admin center by following these steps:
1. Sign in to Microsoft 365 Exchange admin center.
2. Click on Mail flow > Connectors > Add a connector.
3. Choose Partner organization. Click Next.
4. Give it the name Third-party spam filter. Check the checkbox Turn it on. Click Next.
4. Select By verifying that the sender domain matches one of the following domains. Add the * (asterisk). Click Next.
Note: The * (asterisk) means every sender domain.
5. Select Reject email messages if they aren’t sent over TLS. Next, select Reject email messages if they aren’t sent from within this IP address range and add the third-party spam filter IP addresses. Click Next.
Consult your third-party spam filter and ask for their IP addresses. In our example, we use the cloud spam filter SpamBull.
6. Review the connector and click on Create connector.
7. The inbound connector appears in the Connectors list.
Configure enhanced filtering on connector
Enable enhanced filtering on the connector you created in the previous step. Go through the article how to configure enhanced filtering for connectors (skip listing).
Test Microsoft 365 only accept mail from third-party spam filter
Let’s try it out and see that everything works as you expect.
Note: Give it 10 minutes before you test the mail filtering, as it needs time to populate the changes in the cloud.
Send email to Microsoft 365 MX record hostname
We will use the Wormly SMTP test tool to send a message and use the Microsoft 365 MX record hostname as the SMTP server. You can also try to use telnet and send a message. But, some ISPs close port 25, and you can’t proceed. So it’s good to use an external SMTP test tool, as shown here.
Fill in the below details:
- Hostname or IP: The Microsoft 365 MX record
- Email address: The user’s email address
- TCP port: 25 or leave empty
- Send SMTP test email?: Yes (so we can inspect the message header)
After you fill in everything, click on the button START SMTP TEST.
The STMP test results show that it resolved the MX record to an IP address and CAN’T send the message to the user’s mailbox.
The error in the below text (which is the expected behavior and is good):
< 550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set [AM7EUR06FT067.eop-eur06.prod.protection.outlook.com] SMTP ERROR: DATA END command failed: 550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set [AM7EUR06FT067.eop- eur06.prod.protection.outlook.com] SMTP test failed
Send email to Microsoft 365 user
Sign in to a Gmail account or another external mail provider. Next, send an email to the Microsoft 365 user. After that, view message details and copy the message header.
Paste the copied message header into Message Header Analyzer by Microsoft. Click Analyze headers button.
The message went first to the third-party spam filter, routed through Exchange Online, and delivered to the user’s inbox.
You successfully locked down inbound email flow in Exchange Online to only accept emails from your third-party spam filter.
You learned how to configure Microsoft 365 to only accept mail from third-party spam filter. After the configuration is set up, spammers can’t bypass the MX records and deliver mail direct to Exchange Online. Instead, everything will go through the third-party service for mail filtering, and you’re protected as it should.
Did you enjoy this article? You may also like Add tag to external emails in Microsoft 365 for extra security. Don’t forget to follow us and share this article.