Inbound Rule 


When using EveryCloud email filtering with the Exchange Online element of Office 365, you need to ensure that Exchange Online only accepts connections from EveryCloud's service ranges. Otherwise spammers will still be able to send email directly to your Office 365 mail environment, bypassing your MX records. Here's how to lock down Office 365 Exchange Online.


You cannot define an inbound receive connector that allows only connections from EveryCloud's IP ranges: EveryCloud has a /20 range within its delivery ranges, and Office 365 receive connectors only accept ranges from /24 to /32. You must therefore create a transport rule instead. This will be a reverse logic rule.


Tasks


1. Deny all email

2. Create an exception to the deny rule and allow only from EveryCloud Technologies IP ranges

3. Create an exception to allow mail sent from your Office 365 mailboxes (Inside the organization)



Method:


1. Click on ‘Mail Flow’

2. Click on ‘Rules’

3. Click on ‘+’ to create a new rule

4. Give the rule a Name

5. Immediately click on 'More options'






1. 'Name' = This is up to you


2. 'Apply this rule if ' = [Apply to all messages]


3. 'Do the following' = 'Reject the message with explanation' (then define an explanation; ours is 'Email bypassed MX records')

 

Reverse logic 


Add Exception to the rule:

 

'Except if' = 'Sender's IP is in the range' (and enter our IP ranges)



Subnet IP        Subnet Mask        Net Mask   IP Range
83.246.65.0      255.255.255.0      /24        83.246.65.0 - 83.246.65.255
94.100.128.0     255.255.240.0      /20        94.100.128.0 - 94.100.143.255
185.140.204.0    255.255.252.0      /22        185.140.204.0 - 185.140.207.255
107.170.168.72   255.255.255.255    /32        107.170.168.72








Additional exception


Then add an additional exception in the same transport rule, which will allow outbound mail from your internal mailboxes.


1. 'The sender is located' = External/Internal = 'Inside the organisation'


2. This will cover all sending mailboxes within your Office 365 account





Tick 'Enforce'

Click 'OK'

Click 'Save'



Rule overview:


EveryCloud Allow Only


If the message...

Apply to all messages


         

Do the following...

reject the message and include the explanation 'Email Bypassed MX records' with the status code: '5.7.1'


        

Except if...

sender ip addresses belong to one of these ranges: '94.100.128.0/20', '107.170.168.72/32', '185.140.204.0/22' or '83.246.65.0/24' or Is received from 'Inside the organization'


       

Rule comments

EveryCloud Allow Only

      

Rule mode

Enforce


Now go to your customer account in EveryCloud's control panel (https://control.everycloudtech.com/) and enter the unique Office 365 generated MX records under your customer's IP/Host-name within the ‘Management’ tab.



Important

Activate outbound relay by entering a dummy IP of 1.1.1.1 and saving. The IP 1.1.1.1 is simply a placeholder which activates the ability to send outbound through your account.


We maintain a full list of Office 365 sending addresses in our backend database: Office 365's active sending ranges are available to view here



 

You will now need to go back to your DNS control panel and make sure that the MX records are set to EveryCloud Technologies' MX records


Your new MX record syntax for non-US customers


Priority 10: mx101.everycloudtech.com

Priority 20: mx102.everycloudtech.com

Priority 30: mx103.everycloudtech.com

Priority 40: mx104.everycloudtech.com


Your new MX record syntax for North American continent customers


Priority 10: mx101.everycloudtech.us

Priority 20: mx102.everycloudtech.us

Priority 30: mx103.everycloudtech.us

Priority 40: mx104.everycloudtech.us


You will also need to add an additional include statement within your new Office 365 TXT record,

e.g.: "v=spf1 include:spf.everycloudtech.com include:spf.protection.outlook.com -all"


SPF Record for non-US customers on Office 365

"v=spf1 include:spf.everycloudtech.com include:spf.protection.outlook.com -all"


SPF Record for North American continent customers on Office 365

"v=spf1 include:spf.everycloudtech.us include:spf.protection.outlook.com -all"


Outbound Rule/Connector


Firstly
Important

Activate outbound relay by entering a dummy IP of 1.1.1.1 and saving. The IP 1.1.1.1 is simply a placeholder which activates the ability to send outbound through your account.


We maintain a full list of Office 365 sending addresses in our backend database: Office 365's active sending ranges are available to view here



Now to Office 365


Go to 'Mail flow'

'Connectors'

Click '+'

Add connector, select scenario.


From: Office 365

To: Partner Organisation





Apply a useful name to the connector and click 'Next'





Choose 'Only when email messages are sent to these domains' and add your domains or, for the purposes of this example, add * = all















Then press 'Next' and choose the option 'Route email through these smart-hosts'. Click the '+' option, add the EveryCloud Technologies smart-host outbound.everycloudtech.com and then click 'Save'





The next option is not mandatory, but if you would like to ensure that all messages sent outbound through the EveryCloud Technologies smarthost are sent via TLS, please leave this window at its default option




Click 'Next' and you will then be presented with a summary of the scenario




Click 'Next' to apply and you will be presented with a validate connector window




You should enter an external email address; Office 365 will validate the connector and attempt to send a test message through the EveryCloud Technologies smarthost:


EveryCloud's non-US customers

Please configure your send connector to send outbound through our dedicated Smart-host: outbound.everycloudtech.com


EveryCloud's US customers

Please configure your send connector to send outbound through our dedicated Smart-host: outbound.everycloudtech.us


Validating




When validation is complete you will see the below window







Save the config and view the result in the EveryCloud Technologies control panel outbound logs.
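The connector steps above, scripted in Exchange Online PowerShell. This is an added example, not EveryCloud's own tooling. The connector name and test recipient are placeholders, and mapping the wizard's default TLS option to CertificateValidation is an assumption.

```powershell
# Added example: scripted equivalent of the outbound connector wizard.
# Run inside an Exchange Online session (Connect-ExchangeOnline from the
# ExchangeOnlineManagement module).

$connectorName = 'EveryCloud Outbound'          # placeholder name
$smartHost     = 'outbound.everycloudtech.com'  # US customers: outbound.everycloudtech.us
$testRecipient = 'postmaster@example.net'       # placeholder external address

# Create the connector only if it does not exist yet, so the script is re-runnable.
if (-not (Get-OutboundConnector -Identity $connectorName -ErrorAction SilentlyContinue)) {
    New-OutboundConnector -Name $connectorName `
        -ConnectorType Partner `
        -RecipientDomains '*' `
        -UseMXRecord $false `
        -SmartHosts $smartHost `
        -TlsSettings CertificateValidation `
        -Enabled $true
    # -RecipientDomains '*' matches the "Add * = all" choice in the wizard.
    # -TlsSettings CertificateValidation is assumed to correspond to the
    # wizard's default TLS option; adjust if your tenant shows a different default.
}

# Same check as the wizard's "validate connector" window: Office 365 tests
# connectivity to the smart host and sends a test message to the recipient.
Validate-OutboundConnector -Identity $connectorName -Recipients $testRecipient

# Read the connector back to confirm what was actually saved.
Get-OutboundConnector -Identity $connectorName |
    Format-List Name, Enabled, ConnectorType, RecipientDomains, SmartHosts, UseMXRecord, TlsSettings
```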





Bypassing Office 365 Spam Filtering


There is no reason to allow Microsoft Exchange Online to continue using its own inbuilt spam filtering heuristics if EveryCloud is already filtering your inbound email.


If you would like to turn off Office 365 Exchange Online filtering for connections originating from our IP ranges, please follow these instructions.


Go to Exchange -> mail flow -> rules -> create a new rule.



  • Give the rule a name: 'Bypass Office 365 Filtering'
  • Apply this rule if: Sender's IP address is in the range
  • Add EveryCloud's ranges
  • Do the following: Set the spam confidence level (SCL): Bypass spam filtering
  • Save the rule and you are done
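Both inbound mail flow rules on this page (the reverse logic 'EveryCloud Allow Only' rule and the SCL bypass rule above) share the same range list, so they can be created from one Exchange Online PowerShell script. This is an added example, not EveryCloud's own tooling; the helper name Set-MailFlowRule is hypothetical.

```powershell
# Added example: scripted equivalent of the two inbound mail flow rules.
# Run inside an Exchange Online session (Connect-ExchangeOnline from the
# ExchangeOnlineManagement module).

# EveryCloud delivery ranges, copied from the table on this page.
$everyCloudRanges = @(
    '83.246.65.0/24',
    '94.100.128.0/20',
    '185.140.204.0/22',
    '107.170.168.72/32'
)

# Hypothetical helper: update the rule if it exists, otherwise create it,
# so the script can be re-run whenever the range list changes.
function Set-MailFlowRule {
    param([string]$Name, [hashtable]$Settings)
    if (Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue) {
        Set-TransportRule -Identity $Name @Settings
    } else {
        New-TransportRule -Name $Name @Settings
    }
}

# Rule 1 (reverse logic): no condition, so it applies to all messages and
# rejects them with 5.7.1, except mail arriving from EveryCloud's ranges
# or sent from inside the organization.
Set-MailFlowRule -Name 'EveryCloud Allow Only' -Settings @{
    Comments                        = 'EveryCloud Allow Only'
    RejectMessageReasonText         = 'Email Bypassed MX records'
    RejectMessageEnhancedStatusCode = '5.7.1'
    ExceptIfSenderIpRanges          = $everyCloudRanges
    ExceptIfFromScope               = 'InOrganization'
    Mode                            = 'Enforce'
}

# Rule 2: mail already filtered by EveryCloud skips Office 365 spam filtering.
# SCL -1 is the PowerShell value for "Bypass spam filtering".
Set-MailFlowRule -Name 'Bypass Office 365 Filtering' -Settings @{
    SenderIpRanges = $everyCloudRanges
    SetSCL         = -1
    Mode           = 'Enforce'
}

# Read both rules back and confirm the ranges and exceptions that were saved.
Get-TransportRule |
    Where-Object Name -in 'EveryCloud Allow Only', 'Bypass Office 365 Filtering' |
    Format-List Name, State, Mode, SenderIpRanges, ExceptIfSenderIpRanges, ExceptIfFromScope, SetSCL
```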





Overall you should have two inbound mail flow rules:





And one outbound connector to pass email outbound through EveryCloud's smarthost.