When you use a 3rd-party spam filter for inbound email, such as Email Security, you typically want to configure Exchange Online to receive emails ONLY from your spam filtering servers and, once Email Security is set up (in the HEIMDAL Dashboard), to bypass the default EOP (Exchange Online Protection) spam filtering so that messages are not filtered twice. This ensures that inbound emails are filtered by the 3rd-party service and do not undergo further anti-spam processing in Microsoft 365, avoiding issues like false positives or blocked emails.
To achieve this, configure either an inbound connector that receives emails from the Email Security servers (and rejects emails that try to bypass it) or a mail flow rule (transport rule) in Exchange Online that rejects inbound emails not coming through the Email Security servers. To avoid double spam filtering, create a mail flow rule (transport rule) that bypasses the EOP spam filtering. This step-by-step guide covers:
1. Creating an inbound Connector to receive emails from the Email Security servers
2. Creating a mail flow rule to reject inbound emails that are not coming from the Email Security servers
3. Creating a mail flow rule to bypass Exchange Online Protection (EOP) spam filtering
CREATING AN INBOUND CONNECTOR TO RECEIVE EMAILS FROM THE EMAIL SECURITY SERVERS
1. Log in to your Exchange Admin Center. From here, navigate to Mail flow -> Connectors.
2. Create a new connector with the following settings:
3. Give it a name and a description.
4. Authenticate the sent email by selecting the option By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization. Add the following IP addresses: 20.50.183.144, 20.50.183.146, 20.50.183.145, 20.50.183.147, 20.50.183.148, 20.50.183.149, 20.50.183.150, 20.50.183.151, 20.88.177.217, 20.88.177.218, 20.88.177.208, 20.88.177.209, 172.166.114.48, 172.166.114.49, 172.166.114.50, 172.166.114.51.
5. Under Security restrictions, disable the Reject email messages if they aren't sent over TLS checkbox:
6. Validate the settings and save them. Your connector settings should look like this:
7. Using an elevated PowerShell window, connect to Exchange Online (make sure you have the ExchangeOnlineManagement module installed) and set the inbound connector to restrict domains to IP addresses with the following command:
Set-InboundConnector "Email Security - EU Inbound flow" -RestrictDomainsToIPAddresses $true
This sets the RestrictDomainsToIPAddresses parameter of the Email Security - EU Inbound flow connector to $true, so that emails that bypass Email Security and arrive from IP addresses other than the ones specified in the connector are rejected. A sender who tries to bypass the Email Security connector should receive an error message similar to this one:
550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set [AM1PEPF000252E1.eurprd07.prod.outlook.com 2024-11-11T11:54:27.208Z 08DD00DDD88FC25D]
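To confirm that the connector actually enforces what steps 1 to 7 describe, the following read-only check compares its live settings with the IP list from step 4. It is an added example, not part of the original Heimdal guide; it assumes an existing Connect-ExchangeOnline session and the connector name used in the command above.

```powershell
# Added example: read-only audit of the inbound connector (changes nothing).
# Run after Connect-ExchangeOnline (ExchangeOnlineManagement module).

$ConnectorName = 'Email Security - EU Inbound flow'   # name from the article's command

# Email Security sending IPs, copied from step 4 of this article.
$ExpectedIPs = @(
    '20.50.183.144', '20.50.183.145', '20.50.183.146', '20.50.183.147',
    '20.50.183.148', '20.50.183.149', '20.50.183.150', '20.50.183.151',
    '20.88.177.208', '20.88.177.209', '20.88.177.217', '20.88.177.218',
    '172.166.114.48', '172.166.114.49', '172.166.114.50', '172.166.114.51'
)

$connector = Get-InboundConnector -Identity $ConnectorName -ErrorAction Stop

# Remote objects come back deserialized; force each entry to a plain string.
# Comparison is by string, so an entry stored in CIDR form is listed for review.
$actualIPs = @($connector.SenderIPAddresses |
    Where-Object { $_ } | ForEach-Object { "$_".Trim() })

$findings = @()
if (-not $connector.Enabled) {
    $findings += 'Connector is disabled.'
}
if (-not $connector.RestrictDomainsToIPAddresses) {
    $findings += 'RestrictDomainsToIPAddresses is not $true: mail from other IPs is still accepted.'
}
foreach ($ip in $ExpectedIPs) {
    if ($ip -notin $actualIPs) { $findings += "Missing Email Security IP: $ip" }
}
foreach ($ip in $actualIPs) {
    # Every extra entry is a host allowed to deliver without being filtered.
    if ($ip -notin $ExpectedIPs) { $findings += "Unexpected sender IP: $ip" }
}

[pscustomobject]@{
    Connector                    = $connector.Name
    Enabled                      = $connector.Enabled
    RequireTls                   = $connector.RequireTls
    RestrictDomainsToIPAddresses = $connector.RestrictDomainsToIPAddresses
    SenderIPCount                = $actualIPs.Count
    Findings                     = if ($findings) { $findings -join '; ' } else { 'None' }
} | Format-List
```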
CREATING A MAIL FLOW RULE TO REJECT INBOUND EMAILS THAT ARE NOT COMING FROM THE EMAIL SECURITY SERVERS
If you don't want to configure an inbound connector to accept emails from Email Security and reject those arriving from IP addresses other than the ones specified in the connector, you can reach the same objective with a mail flow rule (transport rule). Follow the steps below:
1. Navigate to Mail flow -> Rules and press Add a rule that will route all messages through our newly created connector.
2. Set the rule conditions by giving it a name and by selecting the following rules:
Apply this rule if: The sender -> is external/internal -> Outside the organization.
Do the following: Block the message -> Reject the message and include an explanation, then set the rejection reason to: The email is NOT sent through the MX Records configured on the DNS.
Except if: The sender -> IP address is in any of these ranges or exactly matches and specify the following IP addresses: 20.50.183.144, 20.50.183.146, 20.50.183.145, 20.50.183.147, 20.50.183.148, 20.50.183.149, 20.50.183.150, 20.50.183.151, 20.88.177.217, 20.88.177.218, 20.88.177.208, 20.88.177.209, 172.166.114.48, 172.166.114.49, 172.166.114.50, 172.166.114.51.
3. Save rule conditions, leave the Rule settings just like this, and click Next.
4. Review and Finish. Your rule should look similar to the one below:
CREATING A MAIL FLOW RULE TO BYPASS EXCHANGE ONLINE PROTECTION (EOP) SPAM FILTERING
1. Navigate to Mail flow -> Rules and press Add a rule that will route all messages through our newly created connector.
2. Set the rule conditions by giving it a name and by selecting the following rules:
Apply this rule if: The sender -> IP address is in any of these ranges or exactly matches
Do the following: Modify the message properties -> Set the spam confidence level (SCL), then set it to Bypass Spam Filtering (SCL = -1).
3. Optionally, you can add an action that prevents emails from being marked as Clutter or Junk (due to the user-level settings in Outlook). To do so, use a custom header (like X-MS-Exchange-Organization-BypassClutter) to bypass clutter filtering. In the same rule, add an additional action:
Do the following: Modify the message properties -> Set a message header, then set it to X-MS-Exchange-Organization-BypassClutter and its header value to true.
4. Leave the Rule settings just like this.
5. Review and Finish. Your rule should look similar to the one below:
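The two mail flow rules from this section and the previous one can also be created from the same Exchange Online PowerShell session. This is an added example, not part of the original Heimdal guide: the rule names are placeholders, and the sender IP condition of the bypass rule is assumed to be the Email Security IP list given earlier in the article.

```powershell
# Added example: create both transport rules described in this article.
# Run after Connect-ExchangeOnline (ExchangeOnlineManagement module).

# Email Security sending IPs, copied from the lists in this article.
$EmailSecurityIPs = @(
    '20.50.183.144', '20.50.183.145', '20.50.183.146', '20.50.183.147',
    '20.50.183.148', '20.50.183.149', '20.50.183.150', '20.50.183.151',
    '20.88.177.208', '20.88.177.209', '20.88.177.217', '20.88.177.218',
    '172.166.114.48', '172.166.114.49', '172.166.114.50', '172.166.114.51'
)

# Rule A: reject external mail that did not arrive through Email Security.
$rejectRule = @{
    Name                    = 'Reject mail bypassing Email Security'   # assumed name
    FromScope               = 'NotInOrganization'    # "Outside the organization"
    RejectMessageReasonText = 'The email is NOT sent through the MX Records configured on the DNS'
    ExceptIfSenderIpRanges  = $EmailSecurityIPs
}

# Rule B: skip EOP spam filtering for mail already filtered by Email Security.
$bypassRule = @{
    Name           = 'Bypass EOP for Email Security'   # assumed name
    SenderIpRanges = $EmailSecurityIPs                 # assumption: same IP list
    SetSCL         = -1                                # Bypass Spam Filtering
    SetHeaderName  = 'X-MS-Exchange-Organization-BypassClutter'
    SetHeaderValue = 'true'
}

foreach ($rule in @($rejectRule, $bypassRule)) {
    # Do not create a duplicate if a rule with this name already exists.
    if (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$($rule.Name)' already exists; skipping."
        continue
    }
    New-TransportRule @rule | Out-Null
}

# Show the resulting state, mode and evaluation order of both rules.
Get-TransportRule |
    Where-Object { $_.Name -in $rejectRule.Name, $bypassRule.Name } |
    Format-Table Name, State, Mode, Priority -AutoSize
```

The bypass rule trusts the listed IPs unconditionally, so keep the list identical to the one on the inbound connector and review it whenever either is changed.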
After setting up the rules, it's important to monitor the mail flow to ensure that everything works as expected. You can do this through the Message Trace (in the Exchange Admin Center) to verify that emails from Email Security are arriving correctly.