Each month we shine a spotlight on a different feature - it may be a new one, or one that our team think is awesome but under-utilised. Our aim is to equip you with the knowledge you need to help your customers get the most out of MailGuard.
This month, we’re doing things a little differently, and focusing on ‘Enhanced Filtering for Connectors’ in Microsoft 365.
Enhanced Filtering for Connectors (Skip Listing)
You can read the advice from Microsoft about enhanced filtering for connectors, here.
According to Microsoft, ‘properly configured inbound connectors are a trusted source of incoming mail to Microsoft 365 or Office 365. But in complex routing scenarios where email for your Microsoft 365 or Office 365 domain is routed somewhere else first, the source of the inbound connector is typically not the true indicator of where the message came from’, and they provide example scenarios like third-party cloud filtering services such as MailGuard, or hybrid environments (for example, on-premises Exchange).
Microsoft demonstrate what mail routing in such complex scenarios looks like in the diagram below, saying ‘the message adopts the source IP of the service, appliance, or on-premises Exchange organization that sits in front of Microsoft 365. The message arrives in Microsoft 365 with a different source IP address. This behaviour isn't a limitation of Microsoft 365; it's simply how SMTP works.’
However, ‘in these scenarios, you can still get the most out of Exchange Online Protection (EOP) and Microsoft Defender for Office 365 by using Enhanced Filtering for Connectors (also known as skip listing).
After you enable Enhanced Filtering for Connectors, mail routing in complex routing scenarios looks like this:
As you can see, Enhanced Filtering for Connectors allows IP address and sender information to be preserved, which has the following benefits:
- Improved accuracy for the Microsoft filtering stack and machine learning models, which include:
- Heuristic clustering
- Anti-spoofing
- Anti-phishing
- Better post-breach capabilities in Automated investigation and response (AIR)
- Able to use explicit email authentication (SPF, DKIM, and DMARC) to verify the reputation of the sending domain for impersonation and spoof detection.’
For our guidance on configuration of your MailGuard services to work most effectively with Microsoft 365, you can read our Help Desk article here.
It provides direction for Inbound Configuration, recommending that businesses have all domains on their Microsoft 365 tenant added to their MailGuard account via a supporting partner or MailGuard Support before proceeding with stacking MailGuard and Microsoft 365.
The MX records for each domain will then need to be directed to the MailGuard servers so that inbound email can be filtered; the MX configuration information can be found on the Domains page in the MailGuard Console.
For the inbound connector, it forces Microsoft to only accept emails that have passed through MailGuard's server network first - rejecting emails that have not passed through MailGuard.
For Outbound Configuration, Microsoft 365 subnets must be added to your domain's Trusted Networks. This is an essential step, otherwise mail flow issues will occur where MailGuard will drop mail coming outbound from your Microsoft 365 account.
Do this through the MailGuard Console:
Configure → MailGuard → Domains → Trust Office 365 Networks
If you experience any issues, please contact your supporting Partner or MailGuard Support.
The Microsoft 365 subnets are added so that MailGuard will accept emails originating from the Microsoft 365 infrastructure. Without these subnet's no outbound email will be sent through MailGuard.
Now you can create an outbound send connector (Note, if you’re in a hybrid configuration, you may need to consult Microsoft documentation or your partner for the deployment method that best suits your organisation's requirements).
Whitelisting MailGuard Alert Emails
Once complete with inbound and outbound configurations, we recommend whitelisting MailGuard Alert emails. To do so, whitelist alerts@bounces.mailguard.com.au as the sender email address of the MailGuard Alert Digests which your end users may (if configured) receive from MailGuard.
These digest alerts often contain spam content (subjects and domains) which Microsoft may interpret as junk and file away in the junk folder. Adding the address above as a bypass address will prevent this from happening and ensure your teams get the alerts in a timely manner.
Enhanced Filtering for Connectors
To take advantage of additional settings within Microsoft 365 on top of MailGuard filtering, you may wish to implement enhanced filtering for connectors. MX-type filtering services add an additional step or hop to the inbound email flow. This additional hop can result in SPF validation on Microsoft's side to be performed incorrectly and email may inadvertently end up in Junk. Use enhanced filtering if you do not wish to have an explicit whitelist on your Microsoft account and if you want to layer your email security to take advantage of all services.
Spam Bypass Rule
Another route to take is to set up a spam bypass rule. It works in much the same way as the suggested MailGuard Alert Digest rule. A spam bypass rule can be put in place to explicitly allow all emails coming through from MailGuard. Note, if you want to set this spam bypass rule up, you will need to create this rule, but you don't need this spam bypass rule AND the MailGuard Alert Digest rule.
This may be done if you wish to minimise the possibility of emails being junked or quarantined by Microsoft. You can create the following spam bypass rule instead of using enhanced filtering for connectors.
As always, MailGuard’s Support team is available 24/7 to answer questions about enhanced filtering for connectors and Microsoft 365 (or any other feature).
To contact the service desk:
Australia: 1300 306 510
United States: 888 848 2822
United Kingdom: 0 800 404 8993
Email: support@mailguard.com.au
If there’s a feature you’d like us to deep-dive into next month, let us know at marketing@mailguard.com.au
