skip to Main Content

How to configure Microsoft 365 to only accept mail from third-party spam filter

A third-party spam filter works perfectly with Microsoft 365 if you configure it correctly. One important configuration you must apply is to lock down the Exchange Online organization and only accept mail from the third-party spam filter. If you don’t do that, attackers bypass the third-party mail filtering and deliver spam messages directly to Microsoft 365. In this article, you will learn how to configure Microsoft 365 to only accept mail from third-party spam filter.

Attackers bypass third-party spam filtering

You must read the article about how attackers bypass third-party spam filtering so you have a clear understanding of how it works.

Only accept mail from third-party spam filter

Most third-party cloud service software shows you how to add a connector in Microsoft 365 for incoming messages and add the cloud service third-party IP addresses. After that, you can start enjoying mail filtering through the third-party spam filter. But unfortunately, this is not the correct approach. They forget to tell you an important step, which is to explicitly ONLY accept mail from the third-party service.

There are two methods to restrict mail to only accept from third-party spam filter:

  1. Create inbound connector and set restriction with PowerShell
  2. Create inbound connector and set restriction in Microsoft 365 Exchange admin center

Let’s look at both of these methods.

Method 1. Create inbound connector and set restriction with PowerShell

Lock down your Exchange Online organization to only accept mail from your third-party spam filter with PowerShell by following these steps:

1. Connect to Exchange Online PowerShell.

2. Run the New-InboundConnector cmdlet and fill in the details:

  • Name: The name of the inbound connector
  • RequireTls: True (consult your third-party spam provider)
  • ConnectorType: Partner
  • SenderDomains: *
  • RestrictDomainsToIPAddresses: True
  • SenderIpAddresses: The third-party spam filter IP addresses
PS C:\>New-InboundConnector -Name "Third-party spam filter" -RequireTls $true -ConnectorType Partner -SenderDomains * -RestrictDomainsToIPAddresses $true -SenderIpAddresses 46.121.243.14,62.114.24.104,69.63.54.125,94.42.233.5,185.202.12.210

Method 2. Create inbound connector and set restriction in Microsoft 365 Exchange admin center

Lock down your Exchange Online organization to only accept mail from your third-party spam filter in Microsoft 365 Exchange admin center by following these steps:

1. Sign in to Microsoft 365 Exchange admin center.

2. Click on Mail flow > Connectors > Add a connector.

How to configure Microsoft 365 to only accept mail from third-party spam filter add connector

3. Choose Partner organization. Click Next.

How to configure Microsoft 365 to only accept mail from third-party spam filter partner organization

4. Give it the name Third-party spam filter. Check the checkbox Turn it on. Click Next.

How to configure Microsoft 365 to only accept mail from third-party spam filter name

4. Select By verifying that the sender domain matches one of the following domains. Add the * (asterisk). Click Next.

Note: The * (asterisk) means every sender domain.

How to configure Microsoft 365 to only accept mail from third-party spam filter authenticating sent email

5. Select Reject email messages if they aren’t sent over TLS. Next, select Reject email messages if they aren’t sent from within this IP address range and add the third-party spam filter IP addresses. Click Next.

Consult your third-party spam filter and ask for their IP addresses. In our example, we use the cloud spam filter SpamBull.

How to configure Microsoft 365 to only accept mail from third-party spam filter security restrictions

6. Review the connector and click on Create connector.

How to configure Microsoft 365 to only accept mail from third-party spam filter review connector

7. The inbound connector appears in the Connectors list.

How to configure Microsoft 365 to only accept mail from third-party spam filter list

Configure enhanced filtering on connector

Enable enhanced filtering on the connector you created in the previous step. Go through the article how to configure enhanced filtering for connectors (skip listing).

Test Microsoft 365 only accept mail from third-party spam filter

Let’s try it out and see that everything works as you expect.

Note: Give it 10 minutes before you test the mail filtering, as it needs time to populate the changes in the cloud.

Send email to Microsoft 365 MX record hostname

We will use the Wormly SMTP test tool to send a message and use the Microsoft 365 MX record hostname as the SMTP server. You can also try to use telnet and send a message. But, some ISPs close port 25, and you can’t proceed. So it’s good to use an external SMTP test tool, as shown here.

Fill in the below details:

  • Hostname or IP: The Microsoft 365 MX record
  • Email address: The user’s email address
  • TCP port: 25 or leave empty
  • Send SMTP test email?: Yes (so we can inspect the message header)

After you fill in everything, click on the button START SMTP TEST.

How to configure Microsoft 365 to only accept mail from third-party spam filter SMTP test

The STMP test results show that it resolved the MX record to an IP address and CAN’T send the message to the user’s mailbox.

How to configure Microsoft 365 to only accept mail from third-party spam filter test result

The error in the below text (which is the expected behavior and is good):

< 550 5.7.51 TenantInboundAttribution; There is a partner connector configured
that matched the message's recipient domain. The connector had either the 
RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set 
[AM7EUR06FT067.eop-eur06.prod.protection.outlook.com]
SMTP ERROR: DATA END command failed: 550 5.7.51 TenantInboundAttribution; There 
is a partner connector configured that matched the message's recipient domain. 
The connector had either the RestrictDomainsToIPAddresses or 
RestrictDomainsToCertificate set [AM7EUR06FT067.eop-
eur06.prod.protection.outlook.com]
SMTP test failed

Send email to Microsoft 365 user

Sign in to a Gmail account or another external mail provider. Next, send an email to the Microsoft 365 user. After that, view message details and copy the message header.

How to configure Microsoft 365 to only accept mail from third-party spam filter view message details

Paste the copied message header into Message Header Analyzer by Microsoft. Click Analyze headers button.

The message went first to the third-party spam filter, routed through Exchange Online, and delivered to the user’s inbox.

How to configure Microsoft 365 to only accept mail from third-party spam filter analyze header

You successfully locked down inbound email flow in Exchange Online to only accept emails from your third-party spam filter.

Read more: Protect domain from spam, phishers and viruses »

Conclusion

You learned how to configure Microsoft 365 to only accept mail from third-party spam filter. After the configuration is set up, spammers can’t bypass the MX records and deliver mail direct to Exchange Online. Instead, everything will go through the third-party service for mail filtering, and you’re protected as it should.

Did you enjoy this article? You may also like Add tag to external emails in Microsoft 365 for extra security. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 0 Comments

Leave a Reply

Your email address will not be published.