Support Center

            Mail Routing for Office 365


            If you are using Microsoft Office 365 as your mail service, setting up your mail flow to include GlobalCerts encryption services is done using a 'Connector'. First you need to set up a connector to our Fast&Secure service. Then, you'll create mail flow rule(s) that will utilize this connector when needed. These instructions assume you're on our default shared service, 'gc1.fastandsecure.net'. Please contact support@globalcerts.net if you're unsure and need to find out the hostname or IP address of your hosted service.

            Setting up a Connector to Fast&Secure

            1. Login to your Office 365 tenant's Exchange Admin center
            2. In the menu, click on Mail Flow, then Connectors. Click on the "+" icon to create a new connector.
            3. For the mail flow scenario select From "Office 365" and To "Partner Organization" and click Next.
            4. Name the connector 'Fast&Secure' and give it a description, click Next.
            5. Select "Only when I have a transport rule set up that redirects messages to this connector" on the next page, click Next.
            6. On the next page, check "Route email through these smart hosts" click the "+" icon to add a route. Enter "gc1.fastandsecure.net" here, click "Save" then click Next.
            7. Next, Make sure to check the box "Always use Transport Layer Security (TLS) to secure the connection (recommended)" so that your mail is sent via encrypted TLS connections to our service.
            8. For additional assurance, you can select that "the subject name or subject alternative name (SAN) matches this domain name:" and enter *.fastandsecure.net in the box.
            9. On the next page, review the connector, click Next
            10. Validate the connector by entering in a test email address. This can be our email 'support@globalcerts.net' or one of your external email addresses. Don't worry if it says the validation failed. Click 'Save'.

            Setting up an Outbound Mail Flow Rule

            1. Login to your Office 365 tenant's Exchange Admin center.
            2. In the menu, click on Mail Flow, then "Rules". Click on the "+" icon to "create a new rule...".
            3. Name the rule something like "Route outbound to F&S"
            4. Click "more options..." at the bottom.
            5. Under "*Apply this rule if..." select "The recipient is..." "external/internal" and select "Outside the organization" click OK.
            6. If you would like to add additional conditions, click "Add Condition" or "add exception" and provide further restrictions on when to use the connector.
            7. Under "Do the following" select "Redirect the message to" "the following connector" and select the "Fast&Secure" connector you established earlier.
            8. Click Save.
            If you have established an SPF record in your DNS for your domain, please remember to include our service in the record by adding "a:gc1.fastandsecure.net" to your record. This will help ensure that your messages delivered via our service will be pass spam checks and won't be caught in junk filters.


            Inbound Mail Routing (Optional)

            If you have purchased advanced Anti-Spam and Anti-Virus protection for your organization, then you simply need to route all inbound mail to our spam/virus protection service by changing your MX record in your public DNS to "netmail.fastandsecure.net" and disregard the rest of this section.

            Since your users will now have fully functioning GlobalCerts accounts, other customers may now automatically send you encrypted emails using certificate-based S/MIME encryption. If you don't receive email from any of our other customers, you can leave our services out of your inbound mail path.

            If you do receive encrypted emails from our other customers that arrive unreadable, you will want to route these inbound encrypted emails to our service. You can do this by creating another mail flow rule similar to the one above, except the Conditions will be:
            1. "The sender..." -> "is external/internal" and select "Outside the organization"
            2. "The recipient..." -> "domain is" and then add all the domains that you would like to route inbound mail for (any domains in your tenant that have secure users)
            3. Under "Do the following" select "Redirect the message to" "the following connector" and select the "Fast&Secure" connector you established earlier.
            4. IMPORTANT: To ensure a message never 'loops' between Office 365 and our service, click the "Add Exception" and select "A message header..." -> "includes any of these words" and enter "X-GlobalCerts-Milter" for the header name and add "gc1.fastandsecure.net" as a word for the header value. The will prevent the rule from triggering if the message has already gone through our service.

            Ensuring Delivery of Your Inbound Messages

            NOTE: This only applies if you are using Fast&Secure as your inbound MX record. If your MX record is set to Office 365, disregard this section.
            To ensure that all inbound emails from our service are delivered to your Office 365 tenant, it is best to create a Connector in Office365 specifying our service. This will accomplish two things: (1) It will make sure no rate limiting or throttling occurs from our service to Office 365, and (2) it ensures all your inbound mail flows through our service; spammers won't be able to connect directly to Office365 to try and send you emails.


            First create a new connector within the Exchange Admin Center with the following mail flow scenario:


            To restrict all mail sent to your organization to our Fast&Secure service, use these options during setup:

            Choose to use the sender's domain name

            Restrict to proper TLS connections

            When you set these restrictions, all mail sent to your organization must be sent from a server with a certificate issued to 'fastandsecure.net'. All other internet traffic will be rejected. If you need your Office365 tenant to accept mail direct from the internet, do not implement this connector!

            As always, GlobalCerts is there to assist you in setting up your mail routing properly. At your discretion you can allow GlobalCerts support delegated access to your Office 365 tenant so that we may set up these rules for you.
            Updated: 01 Feb 2019 10:45 AM
            Helpful?  
            Help us to make this article better
            0 0