Inbound Rule 


When using the EveryCloud email filtering service with the Exchange Online element of Office 365, you need to ensure that Exchange Online only accepts connections from EveryCloud's service ranges. Otherwise spammers will still be able to send email directly to your Office 365 mail environment, bypassing your MX records. Here's how to lock down Office 365 Exchange Online.


You cannot define an inbound receive connector that will allow only connections from EveryCloud’s IP ranges, as EveryCloud has a /20 range within its delivery ranges and Office 365 receive connectors have a limitation, in that they will only allow connections from /24 ranges to /32 ranges. You must therefore create a Transport rule instead. This will be a reverse logic rule.


Tasks


1. Deny all email

2. Create an exception to the deny rule and allow only from EveryCloud Technologies IP ranges

3. Create an exception to allow mail sent from your Office 365 mailboxes (Inside the organization)



Method:


1. Click on ‘Mail Flow’

2. Click on ‘Rules’

3. Click on ‘+’ to create a new rule

4. Give the rule a Name

5. Immediately click on 'More options'






1. 'Name' = This is up to you


2. 'Apply this rule if ' = [Apply to all messages]


3. 'Do the following' = 'Reject the message with explanation' (then define an explanation; ours is 'Email bypassed MX records')

 

Reverse logic 






Additional exception


Then add an additional exception in the same transport rule, which will allow outbound mail from your internal mailboxes.


1. The sender is located: = External/Internal = 'Inside the organisation'


2. This will cover all sending mailboxes within your Office 365 account 





Tick 'Enforce'

Click 'OK'

Click 'Save'



Rule overview:


EveryCloud Allow Only


If the message...

Apply to all messages


         

Do the following...

reject the message and include the explanation 'Email Bypassed MX records' with the status code: '5.7.1'


        

Except if...

sender ip addresses belong to one of these ranges: 

     

Rule comments

EveryCloud Allow Only

      

Rule mode

Enforce


Now go to your customer account in EveryCloud's control panel https://control.everycloudtech.com/ and input the unique Office 365 generated MX records under your customers IP/Host-name within the ‘Management’ tab.



Important

Activate outbound relay by inputting a dummy IP of 1.1.1.1 and saving. IP 1.1.1.1 is simply a placeholder which activates the ability to send outbound through your account.



 

You will now need to go back to your DNS control panel and make sure that the MX records are set to EveryCloud Technologies' MX records.


See http://support.everycloudtech.com/solution/articles/4000038125-essential-set-up-documentation for details on which MX records to use. 


Please ensure that you are only using EveryCloud's MX records and that no other MX records are published. If other MX records are published, e.g. Office 365, you risk having emails rejected by Office 365 due to the rules set up in this article.


You will also need to add an additional include statement within your new Office 365 TXT record, e.g.:

"v=spf1 include:spf.everycloudtech.com include:spf.protection.outlook.com -all"


Outbound Rule/Connector


Firstly
Important

Activate outbound relay by inputting a dummy IP of 1.1.1.1 and saving. IP 1.1.1.1 is simply a placeholder which activates the ability to send outbound through your account.


We maintain a full list of Office 365 sending addresses in our backend database. Office 365's active sending ranges are available to view here.



Now to Office 365


Go to 'Mail flow'

'Connectors'

Depress '+'

Add connector, select scenario.


From: Office 365

To: Partner Organisation





Apply a useful Name to the connector and depress 'Next'





Choose 'Only when email messages are sent to these domains'. Enter a wildcard which is denoted as [asterisk] and also make sure to put *.com due to a recent configuration change with Office 365. Due to a current Microsoft bug on validation [as of March 8, 2018], enter a 2nd entry of the domain name that you will use for validating this rule. As a wildcard is already in place, this additional domain will not cause any issues if there are no other connectors listing this domain.









Then press 'Next' and choose the option: 'Route email through these smart-hosts'. Depress the '+' option and add the EveryCloud Technologies smart-host.




Use the outbound connector as specified in http://support.everycloudtech.com/support/solutions/articles/4000038125-essential-set-up-documentation and then depress 'Save'





The next option is not mandatory, but if you would like to ensure that all messages sent outbound through the EveryCloud Technologies smarthost are sent via TLS, please leave this window as the default option as below.




Depress 'Next' and you will then be presented with a summary of the scenario




Click 'Next' to apply and you will be presented with a validate connector window




You should enter an external email address; Office 365 will validate the connector and attempt to send a test message through the EveryCloud Technologies smarthost.


EveryCloud's European / African / Asian customers

Please configure your send connector to send outbound through our dedicated Smart-host: outbound.everycloudtech.com


EveryCloud's North American customers

Please configure your send connector to send outbound through our dedicated Smart-host: outbound.us.everycloudtech.com


EveryCloud's Australasian customers

Please configure your send connector to send outbound through our dedicated Smart-host: outbound.au.everycloudtech.com




Validating




When validation is complete you will see the below window







Save the config and view in EveryCloud Technologies control panel outbound logs.





Bypassing Office 365 Spam Filtering


There is no reason to allow Microsoft Exchange Online to continue using its own inbuilt spam filtering heuristics if EveryCloud is already filtering your inbound email.


If you would like to turn off Office 365 Exchange Online filtering for connections originating from our IP ranges, please follow these instructions.


1. Go to Exchange admin center > mail flow  

2. Click on + icon to add a new rule

3. From the drop down, select Bypass spam filter

4. Name the rule Bypass Office 365 Filtering

5. In the dropdown 'Apply this rule if'

       Select The sender.....

        then IP address is in any of these ranges or exactly matches

        Add EveryCloud's IP ranges;


83.246.65.0/24
94.100.128.0/20
185.140.204.0/22
173.45.18.0/24 


Australian / New Zealand clients will use the following IP ranges; 


83.246.65.0/24
94.100.128.0/20
185.140.204.0/22
173.45.18.0/24
52.62.108.212/32
52.62.125.178/32
52.62.114.130/32
52.62.123.207/32


6. Save the rule
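
The two inbound mail flow rules described in this article can also be created from Exchange Online PowerShell. The script below is an added example, not part of EveryCloud's original instructions; it assumes the ExchangeOnlineManagement module is installed and an administrator session is already connected, and it takes the rule names, rejection text, status code and IP ranges from this page.

```powershell
# Added example: scripted equivalent of the two inbound mail flow rules.
# Assumes an existing session, e.g.:
#   Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder account

# EveryCloud delivery ranges as listed in this article.
$everyCloudRanges = @(
    '83.246.65.0/24',
    '94.100.128.0/20',
    '185.140.204.0/22',
    '173.45.18.0/24'
)
# Australian / New Zealand clients: uncomment to append the extra /32 hosts.
# $everyCloudRanges += '52.62.108.212/32', '52.62.125.178/32',
#                      '52.62.114.130/32', '52.62.123.207/32'

# Rule 1 (reverse logic): no condition is given, so the rule applies to all
# messages and rejects them. The two exceptions are evaluated as OR, so mail
# arriving from EveryCloud or sent from inside the organisation is let through.
$denyRule = @{
    Name                            = 'EveryCloud Allow Only'
    Comments                        = 'EveryCloud Allow Only'
    RejectMessageReasonText         = 'Email Bypassed MX records'
    RejectMessageEnhancedStatusCode = '5.7.1'
    ExceptIfSenderIpRanges          = $everyCloudRanges
    ExceptIfFromScope               = 'InOrganization'
    Mode                            = 'Enforce'
}
New-TransportRule @denyRule

# Rule 2: skip Office 365 spam filtering for mail EveryCloud has already
# filtered. SCL -1 is what the 'Bypass spam filter' template sets.
$bypassRule = @{
    Name           = 'Bypass Office 365 Filtering'
    SenderIpRanges = $everyCloudRanges
    SetSCL         = -1
    Mode           = 'Enforce'
}
New-TransportRule @bypassRule

# Confirm both rules exist and are enforced.
Get-TransportRule | Format-Table Name, State, Mode, Priority
```

Keeping the ranges in one variable ensures the deny rule's exception and the bypass rule's condition stay identical when the list changes.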





Overall you should have two inbound mailflow rules:





And one outbound connector to pass email outbound through EveryCloud's smarthost.