Connect Application: Securing Your Inbound Email (Office 365)

Document created by user.oxriBaJeN4 Employee on Sep 22, 2016Last modified by user.oxriBaJeN4 Employee on Nov 10, 2016
Version 7Show Document
  • View in full screen mode

Applies To...


This page applies to new clients connecting with Mimecast using the Connect Application with Office 365 Exchange Online.


If you are using an On Premise Exchange Server, or an Exchange Server in a Hybrid configuration, see the Connect Application: Securing Your Inbound Email (On Premise / Hybrid Exchanges) page. If you are not using the Connect Application, click here.




To secure your inbound email flow:

  1. Click on the Gateway | Secure Your Inbound Email menu item.
  2. Click the Start button.
  3. Set up Mimecast as your only trusted email source. See the "Setting Us Up as Your Only Trusted Email Source" section below.
  4. Click the Next button.
  5. Click the Start Test button to test your Office 365 connection. See the "Testing Your Office 365 Configuration" section below.

    Test your Office 365 Connection

  6. Click the Confirm button. A summary of your secure inbound email connection is displayed.


Setting Us Up as Your Only Trusted Email Source


We recommended that you lock down your inbound email flow in Office 365 to only allow mail from Mimecast IP addresses. This requires you to create a receive connector in Office 365.


To lock down your firewall:

  1. Log on to the Office 365 Exchange Admin Console.
  2. Click on the Mail flow menu item on the left hand side.
  3. Click on the Connectors link at the top. Your connectors are displayed.
  4. Click on the + icon.
  5. Complete the Select Your Mail Flow Scenario dialog as follows:

    FromPartner organization
    ToOffice 365
    The text at the bottom of the wizard changes to:

    “Creating a connector is optional for this mail flow scenario. Create a connector only if you want to enhance security for the email messages sent between your partner organization or service provider and Office 365. You can create multiple connectors for this scenario, each applying to different partner organizations or service providers”
  6. Click the Next button.
  7. Change the connector's name to Mimecast to Office 365.
  8. Click the Next button.
  9. Select the Use the Sender's Domain option in the "How do you want to identify the partner organization?” dialog.
  10. Click the Next button.
  11. Click on the + icon to add the * as the domain and click OK.
  12. Click the Next button.
  13. Leave the Reject Email Messages if They Aren't Sent Over TLS option with the default value on the “What security restrictions do you want to apply?” dialog. Mimecast will send the message on to Office 365 with Opportunistic TLS.
  14. Select Reject email messages if they aren't sent from within this IP address range.
  15. Click on the + icon to add the Mimecast IP address ranges depending on your region.
  16. Click the Next button.
  17. A summary page is displayed. Check this to ensure it has all the correct information.
  18. Click the Save button.


Testing Your Office 365 Configuration


The test attempts to establish a connection to your Office 365 host name from a Mimecast IP address that isn't part of the data centers you've set up. This uses the SMTP protocol up to the “RCPT” command. The test results in one of the following statuses displayed in the application:

  • Secured: The host has rejected the recipient.
  • Not Secured: The host has accepted the recipient.