Configure Inbound mail on Office 365 to reject non-EMS emails

Updated 1 month ago by admin

You should configure Office 365 to block any inbound email that does not originate from the Email Security (EMS) product. Two options are described below; which one suits you best depends on your environment and requirements.

As a Connector

Your EMS account must have an inbound TLS rule for this option to complete successfully.
  1. Log in to the Office 365 Exchange Admin Center and navigate to Mail Flow and then Connectors.
  2. Click on Add a Connector.
  3. Under Connection From select Partner Organization. This will default the Connection To to Office 365.
  4. Enter a name for the connector, such as Inbound from CloudUSS EMS, and an optional description.
     At this stage, if you have already changed MX records and the TTL time has lapsed, leave "Turn it on" checked. If the MX records have not been changed, uncheck "Turn it on".
  5. Click Next.
  6. Select Verify that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization and enter the correct IP addresses for the region you are using.
     Please select the correct region to view IP addresses: Europe, United States, United Arab Emirates. Enter each of the IP addresses in turn. Optionally, you may enter any additional IP addresses your organization uses.
  7. Click Next.
  8. Ensure only Reject email messages if they aren't sent over TLS is enabled.
  9. Click Next.
  10. Click Create Connector and then Done once it has been created.

As a Rule

Using a rule provides more flexibility than matching on IP address alone; for example, you could control mail flow based on email address or attachment. Depending on your requirements or environment, this may be the best option if you have other means, besides IP address, of restricting direct connections to your Office 365 tenant.

  1. Log in to the Office 365 Admin Center, and navigate to Admin Centers and then Exchange.
  2. In the left-hand pane, click Mail Flow and then Rules.
  3. Click + and then click Create a new rule.
  4. In the New Rule page, enter a Name to represent the rule. For example, CloudUSS EMS IP restriction.
  5. Scroll down and click More options.
  6. From the Apply this rule if drop-down menu, select The Sender and then Is External/Internal and then Outside the organization.
  7. From the Do the following drop-down menu, select Block the message and then Reject the message with the Explanation.
  8. Click Enter text and enter the message that you want to include in the non-delivery report (NDR) that will be sent to the email's sender. For example:
     IP restricted, not using MX record. Please ensure your DNS is up-to-date and try sending this message again.
  9. Click Add exception.
  10. Select Sender and then Sender's IP address is in the range or exactly matches, and enter the Cloud USS IP addresses for your cluster (Europe, United States, United Arab Emirates).
  11. Click + to add each of the IP addresses for your region.
  12. Once all the IP addresses have been added, click OK.
  13. Scroll to the Properties of the rule section. Under Match sender address in message, select Header or Envelope.
  14. Click Stop processing more rules.
  15. Click Save.
  16. Verify that the new rule displays at the top of the list of mail flow rules. If it's not at the top, select the rule and use the Up arrow to move it.
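
The mail flow rule described above can also be created and checked from Exchange Online PowerShell. This is an added example, not part of the original article or the vendor's own tooling; it assumes the ExchangeOnlineManagement module is installed, and the admin account and IP ranges shown are placeholders that must be replaced with the published EMS addresses for your region.

```powershell
# Scripted equivalent of the "As a Rule" procedure (added example).
# Placeholders: the UPN and the IP ranges below are NOT real EMS values.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.onmicrosoft.com'

$ruleName = 'CloudUSS EMS IP restriction'
$emsIps   = @('203.0.113.10', '203.0.113.11', '198.51.100.0/24')  # placeholder ranges
$ndrText  = 'IP restricted, not using MX record. Please ensure your DNS is ' +
            'up-to-date and try sending this message again.'

$ruleSettings = @{
    # Apply this rule if: The Sender > Is External/Internal > Outside the organization
    FromScope               = 'NotInOrganization'
    # Do the following: Block the message > Reject the message with the explanation
    RejectMessageReasonText = $ndrText
    # Except if: Sender's IP address is in the range or exactly matches
    ExceptIfSenderIpRanges  = $emsIps
    # Match sender address in message: Header or Envelope
    SenderAddressLocation   = 'HeaderOrEnvelope'
    # Stop processing more rules
    StopRuleProcessing      = $true
    # Keep the rule at the top of the mail flow rule list
    Priority                = 0
}

# Update the rule if it already exists so the script can be re-run safely.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @ruleSettings
} else {
    New-TransportRule -Name $ruleName @ruleSettings
}

# Read the rule back and confirm what the tenant actually stored.
$rule = Get-TransportRule -Identity $ruleName
$rule | Format-List Name, State, Priority, FromScope, ExceptIfSenderIpRanges,
                    SenderAddressLocation, StopRuleProcessing

if ($rule.Priority -ne 0) {
    Write-Warning "Rule is at priority $($rule.Priority); an earlier rule may act on the message first."
}
if ($rule.State -ne 'Enabled') {
    Write-Warning 'Rule is not enabled; mail that bypasses EMS is still accepted.'
}
```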

Office 365 is now configured to block any email that does not originate from EMS.

