Office 365: Configuring Outbound Delivery Routing

Document created by user.oxriBaJeN4 Employee on Sep 21, 2015Last modified by user.oxriBaJeN4 Employee on Apr 4, 2017
Version 12Show Document
  • View in full screen mode

The following steps should be completed to route emails outbound from Office 365 to Mimecast.

We recommend you complete this step at least a few working days before switching your MX records to route inbound email through Mimecast. This is so we can start building the Auto Allow list, based on recipients that your users send email to. Following this process has a positive impact on the speed of inbound email delivery. This is because when you start receiving email through Mimecast, many senders will already be known and consequently not be subject to Mimecast's greylisting security feature.

What You'll Need

 

  • An Office 365 Administrator with permission to create a send connector.
  • Your organization's internal domains must already be registered with Mimecast.
  • A Mimecast Administrator with at least view permission to the Gateway | Accepted Email menu in the Administration Console.

 

Walkthrough

 

Updating the SPF Record for your Domain(s)

 

Your organization should already have a SPF record for the domain(s) registered with Office 365. When implementing Mimecast with Office 365, this record must be updated in the DNS zone for the relevant domain to include the following:

  • Remove: v=spf1 include:spf.protection.outlook.com –all
  • Replace with or add:  v=spf1 include:_netblocks.mimecast.com ~all

If your outbound email is coexisting with us for a period, you can leave the v=spf1 include:spf.protection.outlook.com –all SPF record. However we recommend you remove it once all your outbound email is routed through us.

Configuring Outbound Routing

Mimecast has observed that this process can only be successfully completed using Internet Explorer. This is due to an issue with the controls used in the final validation step.

  1. Log in to the Office 365 Administration Console.
  2. Select the Admin | Exchange menu item. The Exchange Admin Center is displayed.
  3. Select the Mail Flow | Connectors menu item and create a new Connector.
  4. Complete the New Connector - Select Your Mail Flow Scenario dialog as follows:

    FieldDescription
    FromSelect "Office 365" from the drop down list.
    ToSelect "Partner Organization" from the drop down list.
  5. Click the Next button.
  6. Complete the New Connector - New Connector dialog as follows:

    FieldDescription
    NameEnter a name for the Connector.
    DescriptionOptionally, enter a description for the Connector.
    Turn It OnSelect this option to enable the Connector.
  7. Click the Next button.
  8. Select the Only When Email Messages are Sent to These Domains option.
  9. Click the ico_plus.png icon to add the recipient domains that should use this connector.

    new_connector.png
  10. Enter a value of * to route all outbound emails through Mimecast.
  11. Click the OK button.
  12. Click the Next button.
  13. Select the Route Email Through These Smart Hosts option.
  14. Click the ico_plus.png icon to add the smart hosts from the table below for the region where your Mimecast service is hosted.
    add_smart_host.png
    RegionOffice 365 Account Hostnames
    Europe

    eu-smtp-o365-outbound-1.mimecast.com

    eu-smtp-o365-outbound-2.mimecast.com

    North America

    us-smtp-o365-outbound-1.mimecast.com

    us-smtp-o365-outbound-2.mimecast.com

    South Africa

    za-smtp-o365-outbound-1.mimecast.co.za

    za-smtp-o365-outbound-2.mimecast.co.za

    Australia

    au-smtp-o365-outbound-1.mimecast.com

    au-smtp-o365-outbound-2.mimecast.com

    Offshore

    je-smtp-o365-outbound-1.mimecast-offshore.com

    je-smtp-o365-outbound-2.mimecast-offshore.com

  15. Click the Save button.
  16. Click the Next button.
  17. Select the following options:
    • Always use Transport Layer Security (TLS) to Secure the Connection (recommended)
    • Issued by a trusted certificate authority (CA)
  18. Click the Next button to verify your settings.
  19. Click the Next button.
  20. Add an email address of a recipient from a domain external to your organization.
  21. Click the Validate button.
  22. Once Office 365 has successfully validated your settings, click the Save button.
  23. Disable or remove any other Outbound Send Connectors that were previously used. Failure to do this means your outbound email still uses these older send connectors, and is not routed through Mimecast. Any send connectors used for other purposes (e.g archiving) may still be required to be enabled. If in doubt, consult your Mimecast Support engineer.

 

Adding the Office 365 Tenant Domain as an Internal Domain

 

Your Office 365 tenant domain must be added to the list of internal domains available in the Directories | Internal Directories menu item. This enables Mimecast to recognize certain auto response messages where the sender address is not a normal internal domain. This is typically in the format @domain.onmicrosoft.com.

 

See the Validating an onmicrosoft.com Tenant Domain page for further details.

 

Next Steps

 

To verify that Office 365 is routing email outbound via MImecast successfully:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Gateway | Accepted Email menu item.
  4. Use the View option to filter on Outbound email.

 

You should see messages from your organization's internal users to external recipients listed here. If you do not see messages listed here shortly after they have been sent, this typically indicates a configuration problem on your Office 365 send connector. Double check your configuration and use the Office 365 Message Trace tool found in the Mail Flow | Message Trace menu of the Exchange Admin Center to help you identify the issue.

5 people found this helpful

Attachments

    Outcomes