Routing mail from Office365 to your SMG

Routing Mail From Office 365 To Your SMG


If you are using Microsoft Office 365 as your mail service, setting up your mail flow to include GlobalCerts SecureMail Gateway(s) is done using a 'Connector' and routing rules. First you need to set up a connector to your SMG. Then, you'll create mail flow rule(s) that will utilize this connector when needed. 

SMG Configuration

Before configuring routing on your Office 365 tenant, first set up your SMGs to allow relayed email from Office 365, and also to route inbound mail back to Office 365 properly.
In the SMG web administration, please go to "Network Configuration" -> "Host Access Control" and check the box for "Office 365" under the "Allowed to Send Outbound" section, and click "Set" This will allow Microsoft's IP ranges to relay outbound email through your SMGs: 
White-List Office 365 IP ranges screenshotWhite-listing Office 365 ranges

Then, go to "Network Configuration" -> "Mail Routing" and add entries for your tenants' domain(s) under 'Local Delivery'. For example, you would add the domain "yourdomain.com" in the first box, and then "yourdomain-com.mail.protection.outlook.com" in the second box. This entry should be whatever your MX record is supposed to be from Office 365. See example below:
inbound mail routes screenshotinbound routing to Office 365

Please make sure to enter your domain(s) mail routing on ALL SMGs if you have multiple servers

Setting up a Connector to your SMG

  1. Login to your Office 365 tenant's Exchange Admin center
  2. In the menu, click on Mail Flow, then Connectors. Click on the "+" icon to create a new connector.
  3. For the mail flow scenario select From "Office 365" and To "Partner Organization" and click Next.
  4. Name the connector 'SMG' and give it a description, click Next.
  5. Select "Only when I have a transport rule set up that redirects messages to this connector" on the next page, click Next.
  6. On the next page, check "Route email through these smart hosts" click the "+" icon to add a route. Enter your FQDN here, for example "securemail.yourdomain.com", click "Save" then click Next.
  7. Next, Make sure to check the box "Always use Transport Layer Security (TLS) to secure the connection (recommended)" so that your mail is sent via encrypted TLS connections to our service. This is vital!
  8. For additional assurance, you can select that "the subject name or subject alternative name (SAN) matches this domain name:" and enter *.yourdomain.com in the box.
  9. On the next page, review the connector, click Next
  10. Validate the connector by entering in a test email address. This can be our email 'support@globalcerts.net' or one of your external email addresses. Don't worry if it says the validation failed. Click 'Save'.

Setting up an Outbound Mail Flow Rule

  1. Login to your Office 365 tenant's Exchange Admin center.
  2. In the menu, click on Mail Flow, then "Rules". Click on the "+" icon to "create a new rule...".
  3. Name the rule something like "Route outbound to SMG"
  4. Click "more options..." at the bottom.
  5. Under "*Apply this rule if..." select "The recipient is..." "external/internal" and select "Outside the organization" click OK.
  6. If you would like to add additional conditions, click "Add Condition" or "add exception" and provide further restrictions on when to use the connector. You can use this rule to limit secure email functionality to certain users or groups.
  7. Outlook Calendar emails cannot be auto-parsed if they're signed or encrypted. To add an exception for them, click "add exception" button, then choose "The message properties..." -> "include the message type" and then select "Calendaring" as the type.
  8. Under "Do the following" select "Redirect the message to" "the following connector" and select the "SMG" connector you established earlier.
  9. Click Save.
If you have established an SPF record in your DNS for your domain, please remember to include our service in the record by adding "a:securemail.yourdomain.com" to your record. This will help ensure that your messages delivered via your SMG will be pass SPF spam checks, and won't be caught in junk filters.


Inbound Mail Routing

Since your users will now GlobalCerts secure accounts, other customers may now automatically send encrypted emails to your users using certificate-based S/MIME encryption. These MUST pass through the SMG to be decrypted and verified unless you have installed the user's private key on their mail clients.
If you don't receive S/MIME emails from any of our other customers, and also do not wish for the SMG to harvest S/MIME certificates from inbound signed emails, then you may leave the SMG out of your inbound mail path and disregard this section.

In general we recommend keeping your Existing MX record as Office 365 so that it may process inbound mail connections first. In this configuration it can block spam and phishing emails more effectively. Then, signed or encrypted emails will be routed to the SMG for decryption and/or signature validation and harvesting, and finally routed back to Office365 for delivery.

To route inbound mail through the SMG, you will create another mail flow rule similar to the one above, except the Conditions will be:
  1. "The sender..." -> "is external/internal" and select "Outside the organization"
  2. "The recipient..." -> "domain is" and then add all the domains that you would like to route inbound mail for (any domains in your tenant that have secure users)
  3. "The message properties..." -> "include the type" and specify the following: "Encrypted" (This will only redirect S/MIME encrypted emails instead of all inbound email. You may specify a second rule and include the type "Signed" as well to redirect all signed emails through the SMG as well.)
  4. Under "Do the following" select "Redirect the message to" -> "the following connector" and select the "SMG" connector you established earlier.
  5. IMPORTANT: To ensure a message never 'loops' between Office 365 and our service, click the "Add Exception" and select "A message header..." -> "includes any of these words" and enter "X-GlobalCerts-Milter" for the header name and add "securemail.yourdomain.com" (replacing this with the actual hostname(s) of your SMG(s)) as a word for the header value. Make sure to list all your SMG hostnames as words here. The will prevent the rule from triggering if the message has already passed through your SMG.

Ensuring Delivery of Inbound Messages

To ensure that all inbound emails from our service are delivered to your Office 365 tenant, it is best to 'whitelist' the IP address of our service in the Exchange administration. Please follow these steps:
  1. Login to your Office 365 tenant's Exchange Admin center
  2. Go to "Protection" -> "Connection Filter".
  3. There should be a 'Default' policy there that you can edit by double clicking it. 
  4. Then select the "connection filtering" and add your SMG IP address(es) to the "allowed IP addresses" box.

As always, GlobalCerts is there to assist you in setting up your mail routing properly. At your discretion you can allow GlobalCerts support delegated access to your Office 365 tenant so that we may set these rules for you.

    • Related Articles

    • SMG Mail Routing for Microsoft Exchange

      If your organization is using Microsoft Exchange for your email server infrastructure, below you will find details on routing your outbound email through the SecureMail Gateway server so that it can secure outgoing emails: ​ Setting up a "Send ...
    • Mail Routing for Office 365

      If you are using Microsoft Office 365 as your mail service, setting up your mail flow to include GlobalCerts encryption services is done using a 'Connector'. First you need to set up a connector to our Fast&Secure service. Then, you'll create mail ...
    • Multi-Factor Setup for Office 365 Accounts

      This FAQ will guide you through the process of setting up Multi-Factor Authentication (MFA) on your Office 365 accounts, which is now a requirement since Feb 28 2020 on all Fast&Secure accounts. The walk-through will focus on using the Microsoft ...
    • End User Training for the SMG

      The attached document contains detailed walkthroughs on how to send and receive secure emails using the SecureMail Gateway solution.
    • How To Import SMG User's S/MIME Certificates into Microsoft Outlook

      Introduction The article describes how to manually trust and use GlobalCerts S/MIME certificates within Microsoft Outlook. It is useful for any 3rd parties that would like to use S/MIME to secure their email with a GlobalCerts user. It assumes you ...