Support Center

            Mail Routing for Office 365

            If you are using Microsoft Office 365 as your mail service, setting up your mail flow to include GlobalCerts encryption services is done using a 'Connector'. First you need to set up a connector to our Fast&Secure service. Then, you'll create mail flow rule(s) that will utilize this connector when needed. These instructions assume you're on our default shared service, ''. Please contact if you're unsure and need to find out the hostname or IP address of your hosted service.

            Setting up a Connector to Fast&Secure

            1. Login to your Office 365 tenant's Exchange Admin center
            2. In the menu, click on Mail Flow, then Connectors. Click on the "+" icon to create a new connector.
            3. For the mail flow scenario select From "Office 365" and To "Partner Organization" and click Next.
            4. Name the connector 'Fast&Secure' and give it a description, click Next.
            5. Select "Only when I have a transport rule set up that redirects messages to this connector" on the next page, click Next.
            6. On the next page, check "Route email through these smart hosts" click the "+" icon to add a route. Enter "" here, click "Save" then click Next.
            7. Next, Make sure to check the box "Always use Transport Layer Security (TLS) to secure the connection (recommended)" so that your mail is sent via encrypted TLS connections to our service.
            8. For additional assurance, you can select that "the subject name or subject alternative name (SAN) matches this domain name:" and enter * in the box.
            9. On the next page, review the connector, click Next
            10. Validate the connector by entering in a test email address. This can be our email '' or one of your external email addresses. Don't worry if it says the validation failed. Click 'Save'.

            Setting up an Outbound Mail Flow Rule

            1. Login to your Office 365 tenant's Exchange Admin center.
            2. In the menu, click on Mail Flow, then "Rules". Click on the "+" icon to "create a new rule...".
            3. Name the rule something like "Route outbound to F&S"
            4. Click "more options..." at the bottom.
            5. Under "*Apply this rule if..." select "The recipient is..." "external/internal" and select "Outside the organization" click OK.
            6. If you would like to add additional conditions, click "Add Condition" or "add exception" and provide further restrictions on when to use the connector.
            7. Under "Do the following" select "Redirect the message to" "the following connector" and select the "Fast&Secure" connector you established earlier.
            8. Click Save.
            If you have established an SPF record in your DNS for your domain, please remember to include our service in the record by adding "" to your record. This will help ensure that your messages delivered via our service will be pass spam checks and won't be caught in junk filters.

            Inbound Mail Routing

            If you have purchased advanced Anti-Spam and Anti-Virus protection for your organization, then you simply need to route all inbound mail to our spam/virus protection service by changing your MX record in your public DNS to "".

            Since your users will now have fully functioning GlobalCerts accounts, other customers may now automatically send you encrypted emails using certificate-based S/MIME encryption. If you don't receive email from any of our other customers, you can leave our services out of your inbound mail path.

            If you do receive encrypted emails from our other customers that arrive unreadable, you will want to route these inbound encrypted emails to our service. You can do this by creating another mail flow rule similar to the one above, except the Conditions will be:
            1. "The sender..." -> "is external/internal" and select "Outside the organization"
            2. "The recipient..." -> "domain is" and then add all the domains that you would like to route inbound mail for (any domains in your tenant that have secure users)
            3. Under "Do the following" select "Redirect the message to" "the following connector" and select the "Fast&Secure" connector you established earlier.
            4. IMPORTANT: To ensure a message never 'loops' between Office 365 and our service, click the "Add Exception" and select "A message header..." -> "includes any of these words" and enter "X-GlobalCerts-Milter" for the header name and add "" as a word for the header value. The will prevent the rule from triggering if the message has already gone through our service.

            Ensuring Delivery of Inbound Messages

            To ensure that all inbound emails from our service are delivered to your Office 365 tenant, it is best to 'whitelist' the IP address of our service in the Exchange administration. Please follow these steps:
            1. Login to your Office 365 tenant's Exchange Admin center
            2. Go to "Protection" -> "Connection Filter".
            3. There should be a 'Default' policy there that you can edit by double clicking it.
            4. Then select the "connection filtering" and add our IP to the "allowed IP addresses" box. The default F&S service will be sending from

            As always, GlobalCerts is there to assist you in setting up your mail routing properly. At your discretion you can allow GlobalCerts support delegated access to your Office 365 tenant so that we may set up these rules for you.
            Updated: 12 Dec 2017 01:23 PM
            Help us to make this article better
            0 0