Configuring Microsoft365 with ExchangeDefender

If your organization hasn't updated its SPF for Office 365:

Step 1: Configuration

Your organization should have an SPF record for the domain(s) registered with Office 365. When implementing ExchangeDefender with Office 365, this record must be updated in the DNS zone for the relevant domain to include the following:

Remove: v=spf1 -all
Replace with: v=spf1 -all


Step 2: Mail Flow

LOG IN to the Office 365 Administration Console.

Select the Admin | Exchange menu item. The Exchange Admin Center is displayed. Once displayed, in the menu on the left-hand side, navigate to Mail flow and then Connectors.

Step 3: Add a connector

Click the ‘+’ button and you’ll be greeted with the following context menu. Once you've selected 'Office 365' and 'Partner Organization', click the 'Next' button.

Step 4: New Connector

ENTER the name of the connector (We suggest using ExchangeDefender).

CLICK the check box for “Turn it On”. Click NEXT.

Select the option for 'Only when email messages are sent to these domains' and click the '+' button to add the domains.

Step 5: Set the Connector Scope

Put * in the domain name field and hit the 'Ok' button.

Step 6: Route Email

SELECT 'Route email through these smart hosts' and then hit the '+' button.

Step 7: Add a Smart Host

Add a smart host. Add '' as you see it below.

Once you've entered the smart host, hit the 'Save' button. From there you'll be taken to the TLS screen. Keep all options default as shown in the screenshot below.

Step 8: Validate Settings

Validate your configuration by letting O365 send a test email. Enter any email address of a recipient outside of your organization. Click the +, then click VALIDATE.
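The connector built in Steps 3 to 8 can be read back and checked from Exchange Online PowerShell. This is an added example, not ExchangeDefender's own tooling; it assumes the ExchangeOnlineManagement module, the suggested connector name, a placeholder for the smart host (this page does not show it) and a constructed test recipient.

```powershell
# Added example: audit the outbound connector created in Steps 3-8.
Connect-ExchangeOnline

$name = 'ExchangeDefender'                                  # name suggested in Step 4
# Placeholder: take the smart host from your ExchangeDefender portal.
$expectedSmartHost = '<smart-host-from-exchangedefender>'
$testRecipient     = 'recipient@external.example'           # constructed address

$c = Get-OutboundConnector | Where-Object { $_.Name -eq $name }
if (-not $c) { throw "Outbound connector '$name' not found." }

# Normalize multi-valued properties to plain strings before comparing.
$domains = @($c.RecipientDomains | ForEach-Object { "$_" })
$hosts   = @($c.SmartHosts       | ForEach-Object { "$_" })

$checks = [ordered]@{
    'Office 365 to Partner organization (Step 3)' = "$($c.ConnectorType)" -eq 'Partner'
    'Turned on (Step 4)'                          = [bool]$c.Enabled
    'Applies by domain, not by transport rule'    = -not $c.IsTransportRuleScoped
    'Scope is * (Step 5)'                         = $domains -contains '*'
    'Routes through a smart host (Step 6)'        = -not $c.UseMXRecord
    'Smart host is the expected one (Step 7)'     = $hosts -contains $expectedSmartHost
}
foreach ($k in $checks.Keys) {
    '{0,-5} {1}' -f $(if ($checks[$k]) { 'OK' } else { 'FAIL' }), $k
}
"TLS setting stored on the connector: '$($c.TlsSettings)'"

# A second enabled connector scoped to '*' competes for the same outbound mail.
Get-OutboundConnector |
    Where-Object { $_.Enabled -and $_.Name -ne $name -and -not $_.IsTransportRuleScoped -and
                   (@($_.RecipientDomains | ForEach-Object { "$_" }) -contains '*') } |
    Format-Table Name, SmartHosts, UseMXRecord

# Step 8: the same test the VALIDATE button runs.
Validate-OutboundConnector -Identity $name -Recipients $testRecipient
```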

Microsoft365 and ExchangeDefender Connection Filtering

Microsoft365 (Office 365) can at times, typically during high load or an attack on the tenant, randomly block partner organizations from connecting to deliver email. To work around this issue, follow the steps below.

Step 9: M365 Security Center

Microsoft 365 security controls have been moved to Microsoft 365 Defender Security Center at

Upon login you should see a welcome screen with navigation on the left. The following click-through instructions will help you set everything up to securely receive email through ExchangeDefender without M365 interruptions.

Click on Policies & rules.

Step 10: Required Security Policies for M365 & ExchangeDefender

Click on Threat Policies.

Click on Anti-Spam.

Click on Edit connection filter policy.

In the field "Always allow messages from the following IP addresses or address range", add the following ranges:

Please note (#2) that once you type in the range you must click on the dropdown in the UI. It will convert the text you just typed in to a range and add an X next to it. If your browser / M365 is not doing what you see in this screenshot, please contact Microsoft support.

Finally, click on Turn on safe list and click on Save.
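Every entry in the connection filter allow list skips spam filtering, so it is worth confirming that the list holds the ExchangeDefender ranges and nothing else. The following is an added example, not ExchangeDefender's own script; the ranges are placeholders because this page does not list them, and the comparison assumes M365 stores each range exactly as typed.

```powershell
# Added example: compare the default connection filter policy with the
# ranges from Step 10, add what is missing, and report anything extra.
Connect-ExchangeOnline

# Placeholders: replace with the ranges published by ExchangeDefender.
$expected = @('<exchangedefender-range-1>', '<exchangedefender-range-2>')

$policy  = Get-HostedConnectionFilterPolicy -Identity Default
$current = @($policy.IPAllowList | ForEach-Object { "$_" })

$missing    = @($expected | Where-Object { $_ -notin $current })
$unexpected = @($current  | Where-Object { $_ -notin $expected })

if ($missing.Count -gt 0) {
    # @{Add=...} appends to the list instead of overwriting existing entries.
    Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Add = $missing }
}
if (-not $policy.EnableSafeList) {
    # Equivalent of "Turn on safe list" in the last step.
    Set-HostedConnectionFilterPolicy -Identity Default -EnableSafeList $true
}

# Entries that did not come from this guide deserve a review:
# mail from those addresses is delivered without spam filtering.
if ($unexpected.Count -gt 0) {
    Write-Warning ("Allow list entries not in the expected set: " + ($unexpected -join ', '))
}

Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List Name, IPAllowList, IPBlockList, EnableSafeList
```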

Microsoft365 and ExchangeDefender Outbound Limitation

Customers on O365 sending messages through our outbound network can only send messages from domains protected by ExchangeDefender. This limitation prevents mail contact forwards from working and blocks any email whose sending domain is not known to ExchangeDefender. To send email from external domains, you need to use an outbound-auth/IOT login.

Out of office messages will also not work out of the box for users on O365 who relay their mail through OOF messages are sent from an empty/null email address which will be rejected by our servers with the error "550 5.7.1 ... Command rejected"

However, O365 customers can create a custom send connector and transport rule to route OOF messages directly, bypassing

Before creating the rule, make sure to configure DKIM signing and update your domain's SPF. For most customers, simply adding before -all should suffice

Send Connector:

Name: Automatic Replies (Out of Office) Only

Mail flow scenario

From: Office 365

To: Partner organization

Use of connector

Use only when I have a transport rule set up that redirects messages to this connector.


Use the MX record associated with the partner's domain.

Transport Rule:

Name: Send Automatic Replies to connector Automatic Replies

Status: Enabled

Apply this rule if

Is message type 'Automatic reply'

Do the following

Route the message using the connector named 'Automatic Replies (Out of Office) Only'.
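The send connector and transport rule above can also be created from Exchange Online PowerShell, with the DKIM and SPF prerequisites checked first. This is an added example, not ExchangeDefender's own script; it assumes the ExchangeOnlineManagement module and, for the SPF lookup, a Windows host where Resolve-DnsName is available.

```powershell
# Added example: pre-flight check, then the OOF connector and transport rule.
Connect-ExchangeOnline

$connector = 'Automatic Replies (Out of Office) Only'
$rule      = 'Send Automatic Replies to connector Automatic Replies'

# Pre-flight: OOF mail routed by MX leaves directly from Microsoft 365, so each
# sending domain needs DKIM signing enabled and an SPF record to review.
$preflight = foreach ($d in Get-AcceptedDomain) {
    $domain = "$($d.DomainName)"
    $dkim   = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
    $spf    = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
              ForEach-Object { $_.Strings -join '' } |
              Where-Object { $_ -like 'v=spf1*' }
    [pscustomobject]@{
        Domain      = $domain
        DkimEnabled = [bool]$dkim.Enabled
        SpfRecord   = ($spf -join ' | ')      # more than one SPF record is itself an error
        EndsInFail  = [bool]($spf -match '-all\s*$')
    }
}
$preflight | Format-Table -AutoSize

# Send connector: Office 365 to Partner organization, used only by a
# transport rule, delivering to the recipient domain's MX record.
if (-not (Get-OutboundConnector | Where-Object { $_.Name -eq $connector })) {
    New-OutboundConnector -Name $connector -ConnectorType Partner `
        -IsTransportRuleScoped $true -UseMXRecord $true -Enabled $true | Out-Null
}

# Transport rule: message type 'Automatic reply' goes to that connector.
if (-not (Get-TransportRule | Where-Object { $_.Name -eq $rule })) {
    New-TransportRule -Name $rule -MessageTypeMatches OOF `
        -RouteMessageOutboundConnector $connector -Enabled $true | Out-Null
}

Get-TransportRule -Identity $rule |
    Format-List Name, State, Priority, MessageTypeMatches, RouteMessageOutboundConnector
```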

M365 Tenant Anti-phishing and Anti-spam Settings

ExchangeDefender protects you from SPAM and Phishing threats. To avoid M365 falsely identifying messages as fraud, follow these steps to add ExchangeDefender to tenant allow policies:

Manage Anti-Phishing Rules

  1. Log into your 365 admin center
  2. Navigate to Security
  3. Navigate to Policies and Rules
  4. Select Threat Policies
  5. Select Anti-phishing
  6. Edit the active policy
  7. Select Edit Protection Settings
  8. Disable 'Enable spoof protection'

Policies & rules

Tenant Allow/Block Lists

Below is the content to paste into the domain pair list

