Inbound filtering

Basic steps to protect your domain:

1. Ensure the destination route is set to the MX record hostname provided by Office 365.
2. Add a rule to Office365 to ensure email from the filtering servers is always accepted and not wrongly classified as spam.
3. Change the MX records of the domain in the DNS to point to the SpamHitman provided MX record hostnames.

IP based rule to always accept from the filtering servers

In your Office 365 environment, you can create a partner connector and rule to bypass the local spam filtering for the filtering IPs.

1. 1. Log in to the Exchange Admin Center.
   2. Click on mail flow > connectors.

1. 3. Click the + (plus sign).
   4. Choose Partner organization as the From and Office 365 as the To, then click Next.
   5. Give the connector a name, then click Next.
   6. Choose Use the sender’s IP address then click Next.
   7. Add the SpamHitman IPs listed in Delivery IPs.
   8. Ensure that Reject email messages if they aren’t sent over TLS is ticked and click Next.
   9. Verify the settings and click Save.
   10. Click on Mail flow > Rules.
   11. Under Rules, click on the + (plus button) and choose Bypass spam filtering… .
   12. Enter a rule name (e.g. Disable filtering for SpamHitman).
   13. Choose Apply this rule if… > Senders IP Address is in any of these ranges or exactly matches…
   14. Add the SpamHitman delivery IPs listed in Delivery IPs.
   15. Ensure that Do the following… is set to: Modify the message properties > Set the spam confidence level (SCL) > Bypass spam filtering.

1. 16. Click OK.
   17. Click Save.

Spam filtering will no longer apply to the filtering servers, avoiding Office 365 to wrongly mark legitimate emails as spam (e.g. because SPF would fail).

X Header based rule to accept email from the filtering servers

The disadvantage of this method is that spammers could technically spoof the header, hence bypassing the build-in filtering. The advantage is that no IP addresses are required to be kept up-to-date.

1. Login to the Office 365 “Exchange admin center”.
2. In the Dashboard, select Rules in the Mail Flow section
3. Under Rules, click the + button and choose Create a new rule… .
4. Enter a Name for your rule, e.g. ‘SpamHitman spamfilter bypass’.
5. Click More Options.
6. Create Rule “A message header includes”X-Recommended-Action” header includes >> contains “accept”.
7. Click +.
8. Click OK.
9. In the “Do the following” part, select “Modify the message properties” > “Set the spam confidence level (SCL)” > “Specify SCL” > “Bypass spam filtering”.
10. Click OK.

Outbound filtering

Basic steps to protect your domain’s outbound mailflow, you need to:

1. Add your sender Office365 sender domain as an “Authenticating Domain”, with “Re-authentication permitted:” explicitly set
2. Setup a connector in Office 365 to relay the outgoing email via the email security smarthost

Setup outbound user in SpamHitman

1. 1. Go to the domain dashboard, choose Outgoing > Manage Users.
   2. At the bottom of the page, select the “Authenticating Domain” tab. Specify your Office365 sending domain, and provide a secure random password.
   3. Once the user has been added, click the dropdown icon on the left of the user and select “Edit“.
   4. Verify the configuration and ensure the limits are either disabled or match your expected traffic.
   5. Ensure “Re-authentication permitted” is selected. This is required for the sending domain to be allowed from Office365.

6. Save the user settings.

Setup a transport rule in Office 365

1. 1. Login to the Office365 “Exchange admin center”.
   2. In the dashboard, go to Connectors in the Mail Flow section.
   3. Create a new connector from Office365 to Partner Organization and give it a name.

1. 4. Select Only when I have a transport rule set up that redirects messages to this connector.

1. 5. Select “Route email through these smart hosts” and add port25.smtp.antispamcloud.com.
   6. Check Always use Transport Layer Security (TLS) to secure the connection (recommended) and select Issued by a trusted certificate authority (CA).

7. Validate the connector (e.g. using recipient no-reply@antispamcloud.com) and save.
8. In the Exchange Dashboard, go to Rules in the Mail Flow section.
9. Under Rules, click the + button and choose Create a new rule… .
10. Enter a Name for your rule, e.g. ‘Route sending domain via filtering smarthost’.
11. Click More Options.
12. Set “Apply this rule if…” to “The sender’s domain is…“.
13. Specify as sender domain the domain you previously added as an “Authentication Domain” outgoing user to SpamHitman (similarly you could setup a rule for specific senders addresses only).
14. Set “Do the following…” to “Redirect the message to“, “The following connector“.
15. Set the smarthost connector you previous created.
16. Save the rule.

Once this is done, any traffic matching your outgoing sender domain is relayed via the transport rule and be processed by the filtering servers.

The post Configure Office 365 with SpamHitman appeared first on SpamHitman.