This article contains information on configuring outbound delivery routing with Microsoft 365, including updating SPF records, setting up outbound routing, adding internal domains, and verifying configurations.
This step must be completed to route emails outbound from Microsoft 365 to Mimecast.
We recommend completing this step at least three working days before switching your MX records to route inbound emails through us. This allows us to build your Auto Allow list based on the recipients your users send messages to. This positively impacts inbound email delivery speed because many senders will already be known and consequently not be subject to our greylisting security feature.
Prerequisites
-
-
- Your internal domains must already be registered with us.
- A Mimecast administrator login with view permission to the Message Center | Accepted Messages menu item.
- A Microsoft 365 administrator login with permission to create a send connector.
-
Overview
The process of configuring your outbound delivery routing involves:
- Updating the SPF record for your domain.
- Configuring your outbound routing.
- Adding the Microsoft 365 tenant domain as an internal domain.
- Verifying your configuration.
Updating the SPF Record for your Domain(s)
You must have an SPF record for the domain(s) registered with Microsoft 365. When implementing Mimecast with Microsoft 365, this record must be updated in the DNS zone for the relevant domain to include the following:
-
-
- Remove: v=spf1 include:spf.protection.outlook.com -all
- Replace with or add: v=spf1 include:_netblocks.mimecast.com ~all
-
If your outbound email is temporarily coexisting with us, you can leave the v=spf1 include:spf.protection.outlook.com -all SPF records. However, it must be removed once all your outbound email is routed through us. When replacing or adding the SPF record with: v=spf1 include:_netblocks.mimecast.com ~all, the region needs to be included. To find the appropriate record for your region, see Implementing SPF for Outbound Email.
Configuring Outbound Routing
You can create an outbound Routing Connector, by using the following steps:
- Log in to the Microsoft 365 Administration Console.
- Navigate to Mail Flow | Connectors.
- Click on Add a Connector.
- Complete the New Connector dialog as follows:
| Field / Option | Description |
|---|---|
| Connection from | Select "Microsoft 365" from the drop-down list. |
| Connection To | Select "Partner Organization" from the drop-down list. |
- Click on Next.
- Complete the New Connector Dialog as follows:
| Field / Option | Description |
|---|---|
| Name | Enter a name for the connector. |
| Description | Enter a description for the connector. |
| Turn It On | Leave as default. |
| Retain internal Exchange email headers | Leave as default. |
- Click on Next.
- Select Only when email messages are sent to these domains if you have validated all domains.
If you have only validated some of your domains, you must create a Transport Rule and select only when I have a Transport Rule set up that redirects messages to this connector option.
- Select the Asterisk symbol (*).
- Click on Next.
- Enter and click the + icon to add your regions' hostnames.
| Region | Microsoft 365 Account Hostnames |
|---|---|
| Europe (Excluding Germany) | eu-smtp-o365-outbound-1.mimecast.com eu-smtp-o365-outbound-2.mimecast.com |
| Germany | de-smtp-o365-outbound-1.mimecast.com de-smtp-o365-outbound-2.mimecast.com |
| United States of America | us-smtp-o365-outbound-1.mimecast.com us-smtp-o365-outbound-2.mimecast.com |
| United States of America (B Grid) | usb-smtp-o365-outbound-1.mimecast.com usb-smtp-o365-outbound-2.mimecast.com |
| Canada | ca-smtp-o365-outbound-1.mimecast.com ca-smtp-o365-outbound-2.mimecast.com |
| South Africa | za-smtp-o365-outbound-1.mimecast.co.za za-smtp-o365-outbound-2.mimecast.co.za |
| Australia | au-smtp-o365-outbound-1.mimecast.com au-smtp-o365-outbound-2.mimecast.com |
| Offshore | je-smtp-o365-outbound-1.mimecast-offshore.com je-smtp-o365-outbound-2.mimecast-offshore.com |
- Click on Next.
- Select the following options:
-
- Always use Transport Layer Security (TLS) to Secure the Connection (recommended).
- Issued by a trusted certificate authority (CA).
- Click on Next.
- Enter an Email Address external to your domain.
- Click the + icon.
- Click on Validate.
- Click on Save once Microsoft 365 has successfully validated your settings.
Disable or remove any other Outbound Send Connectors. Failure to do this means your outbound email still uses those send connectors and isn't routed through us. Any send connectors used for other purposes (e.g., archiving) may still be enabled. If in doubt, contact Mimecast Support.
Adding the Microsoft 365 Tenant Domain as an Internal Domain
Your Microsoft 365 tenant domain must be added to the list of internal domains available in the Mimecast Administration Console. See Managing Internal Domain & Subdomains. This enables us to recognize certain auto-response messages where the sender address is not a normal internal domain. This is typically in the format @domain.onmicrosoft.com. Contact Mimecast Support if you have queries regarding this step (Raising a Mimecast Support Case). For more details on how to configure the Microsoft 365 tenant, see Validate Microsoft 365 Tenant Domain.
Verifying Your Configuration
Once this step is complete, Microsoft 365 must be added to your authorized outbounds as an umbrella account. See Maintaining Authorized Outbound IP Addresses.
You can verify that Microsoft 365 is successfully routing email outbound via us, by using the following steps:
- Log in to the Mimecast Administration Console.
- Select the Message Center | Accepted Messages menu item.
See Accepted Messages.
You should see messages from your organization's internal users to external recipients. If you don't see messages shortly after they're sent, this indicates a configuration problem on your Microsoft 365 send connector. Double-check your configuration. Use the Microsoft 365 Message Trace Tool in the Mail Flow | Message Trace menu of the Exchange Admin Center, to help identify the issue.
Comments
Please sign in to leave a comment.