Configuring Microsoft365 with ExchangeDefender

If your Organization hasn't updated their SPF for Office 365:

Step 1: Configuration

Your organization should have a SPF record for the domain(s) registered with Office 365. When implementing ExchangeDefender with Office 365, this record must be updated in the DNS zone for the relevant domain to include the following:

Remove: v=spf1 include:spf.protection.outlook.com –all
Replace with: v=spf1 include:proxy.exchangedefender.com -all

CONFIGURING OUTBOUND SMARTHOST CONNECTOR:

Step 2: Mail Flow

Select the Admin | Exchange menu item. The Exchange Admin Center is displayed. Once displayed, in the menu on the left-hand side, navigate to Mail flow and then Connectors.

Step 3: Add a connector

Click the ‘+’ button and you’ll be greeted with the following context menu. Once you've selected 'Office 365' and 'Partner Organization' click the 'Next' button.

Step 4: New Connector

ENTER the name of the connector (We suggest using ExchangeDefender).

CLICK check box for “Turn it On”. Click NEXT -

Select the option for 'Only when email messages are sent to these domains' and click the '+' button to add the domains

Step 5: Set the Connector Scope

Put * in the domain name field and hit the 'Ok' button.

Step 6: Route Email

SELECT 'Route email through these smart hosts' and then hit the '+' button.

Step 7: Add a Smart Host

Add a smart host. Add 'outbound.exchangedefender.com' as you see it below.

Once you've entered the smart host hit the 'Save' button. From there you'll be taken to the TLS screen. Keep all options default as shown in the screenshot below.

Step 8: Validate Settings

Validate your configuration by letting O365 send a test email. Enter in any email address of a recipient outside of your organization. Click the + then click VALIDATE.

Microsoft365 and ExchangeDefender Connection Filtering

Microsoft365 (Office 365) can at times, typically during high load or attack on the tenant, randomly block partner organizations from connecting to deliver email. In order to work around this issue, you need to follow the following steps.

Step 9: M365 Security Center

Microsoft 365 security controls have been moved to Microsoft 365 Defender Security Center at https://security.microsoft.com

Upon login you should see a welcome screen with navigation on the left. The following click-through instructions will help you set everything up to securely receive email through ExchangeDefender without M365 interruptions.

Click on Policies & rules.

Step 10: Required Security Policies for M365 & ExchangeDefender

Click on Threat Policies.

Click on Anti-Spam.

Click on Edit connection filter policy.

In the field "Always allow messages from the following IP addresses or address range add the following ranges:

65.99.255.0/24
206.125.40.0/24

Please note (#2) that once you type in the range you must click on the dropdown in the UI. It will convert the text you just typed in to a range and add an X next to it. If your browser / M365 is not doing what you see in this screenshot, please contact Microsoft support.

Finally, click on Turn on safe list and click on Save.

Microsoft365 and ExchangeDefender Outbound Limitation

Customers on O365 sending messages through our outbound network can only send messages from domains protected by ExchangeDefender. This limitation prevents mail contacts forwards from working and prevents any email where the sending domain is not known by ExchangeDefender. In order to send emails from external domains you need to use an outbound-auth/IOT login

M365 Tenant Anti-phishing and Anti-spam Settings

ExchangeDefender protects you from SPAM and Phishing threats. To avoid M365 falsely identifying messages as fraud, follow these steps to add ExchangeDefender to tenant allow policies:

Manage Anti-Phishing Rules