Configure Inbound mail on Office 365 to reject non-EMS emails

Updated 2 weeks ago by admin

You should configure Office 365 to block any inbound email that does not originate from the Email Security product. Two options are described below; the one best suited to you depends on your environment and requirements.

As a Connection Filter

This method will allow the Email Security server IP addresses to deliver emails even if spam filtering is enabled in Office 365. This will ensure emails processed by the Email Security product are delivered without delay and do not land in the junk mailbox folder for Office 365 users.

Your EMS account must have an inbound TLS rule for this option to complete successfully.
  1. Log in to the Office 365 Exchange Admin Center and navigate to Admin Centers and then Classic Exchange Admin Center.
  2. Navigate to Protection and then Connection Filter.
  3. Edit the Default entry and navigate to the Connection Filtering tab.
  4. In the Allowed IP Address section, add all of the IP addresses for the Email Security region you are using - see Europe, United States, United Arab Emirates.
  5. Click Enable Safe List and then Save.

As a Rule

Using a rule provides more flexibility than just using IP addresses; for example, you could also filter based on email address or attachment. Depending on your requirements or environment, this may be the best option if you have other means to restrict direct connection to your Office 365 tenant other than just IP address.

  1. Log in to the Office 365 Admin Center, and navigate to Admin Centers and then Exchange.
  2. In the left-hand pane, click Mail Flow and then Rules.
  3. Click + and then click Create a new rule.
  4. In the New Rule page, enter a Name to represent the rule. For example, CloudUSS EMS IP restriction.
  5. Scroll down and click More options.
  6. From the Apply this rule if drop-down menu, select The Sender and then Is External/Internal and then Outside the organization.
  7. From the Do the following drop-down menu, select Block the message and then Reject the message with the Explanation.
  8. Click Enter text and enter the message that you want to include in the non-delivery report (NDR) that will be sent to the email's sender. For example:
     IP restricted, not using MX record. Please ensure your DNS is up-to-date and try sending this message again.
  9. Click Add exception.
  10. Select Sender and then Sender's IP address is in the range or exactly matches, and enter the Cloud USS IP for your cluster - Europe, United States, United Arab Emirates.
  11. Click + to add each of the IP addresses for your region.
  12. Once all the IP addresses have been added, click OK.
  13. Scroll to the Properties of the rule section. Under Match sender address in message, select Header or Envelope.
  14. Click Stop processing more rules.
  15. Click Save.
  16. Verify that the new rule displays at the top of the list of mail flow rules. If it's not at the top, select the rule and use the Up arrow to move it.

Office 365 is now configured to block any email that does not originate from EMS.
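
The "As a Rule" steps can also be applied and checked from Exchange Online PowerShell. The script below is an added example, not part of the original article or a vendor-supplied script; it assumes an already connected Exchange Online session, and the IP ranges are placeholders to be replaced with the published Email Security addresses for your region.

```powershell
# Added example: scripted equivalent of the "As a Rule" procedure.
# Assumes Connect-ExchangeOnline has already been run in this session.

# PLACEHOLDERS (documentation ranges, not real EMS addresses):
# replace with the Email Security IP addresses for your region.
$EmsIpRanges = @('192.0.2.0/24', '198.51.100.10')

$RuleName = 'CloudUSS EMS IP restriction'
$NdrText  = 'IP restricted, not using MX record. Please ensure your DNS is up-to-date and try sending this message again.'

# Settings that mirror the steps in the admin center.
$settings = @{
    FromScope               = 'NotInOrganization'   # sender is outside the organization
    RejectMessageReasonText = $NdrText              # reject with explanation (NDR text)
    ExceptIfSenderIpRanges  = $EmsIpRanges          # exception: sender IP is an EMS address
    SenderAddressLocation   = 'HeaderOrEnvelope'    # match sender address in message
    StopRuleProcessing      = $true                 # stop processing more rules
    Priority                = 0                     # top of the mail flow rule list
}

# Create the rule, or update it in place if it already exists,
# so the script can be re-run when the IP list changes.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if ($existing) {
    Set-TransportRule -Identity $RuleName @settings
} else {
    New-TransportRule -Name $RuleName @settings
}

# Verify the result: the rule must be enabled, first in the list,
# and carry every expected EMS address in its exception.
$rule    = Get-TransportRule -Identity $RuleName
$missing = $EmsIpRanges | Where-Object { $_ -notin $rule.ExceptIfSenderIpRanges }

if ($rule.State -ne 'Enabled') { Write-Warning "Rule '$RuleName' is not enabled." }
if ($rule.Priority -ne 0)      { Write-Warning "Rule '$RuleName' is not at the top (priority $($rule.Priority))." }
if ($missing)                  { Write-Warning "Missing from exception list: $($missing -join ', ')" }

$rule | Format-List Name, State, Priority, FromScope, ExceptIfSenderIpRanges,
                    SenderAddressLocation, StopRuleProcessing
```

An incomplete exception list causes legitimate mail relayed from the omitted address to be rejected, so re-run the verification whenever the regional IP list changes.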

