Configure Office 365 for EMS

To successfully add Office 365 customers, you will need to perform three steps:

  1. Configure Cloud USS for the Office 365 accounts.
  2. Configure Inbound mail on Office 365 to reject non-EMS emails.
  3. Configure Outbound mail on Office 365 to send email via the EMS servers.

Configure Cloud USS for the Office 365 accounts

Configuring Inbound Mail

  1. Visit your USS Dashboard and click Products -> E-mail Security -> Product Configuration -> Inbound Mail.
  2. Click to add a new delivery route.
  3. In the Domain field, enter the domain name of the host you want to redirect. For example, tonyfrankum.co.uk.
  4. In the Route field, enter the Outlook routing host for this domain name. For example, tonyfrankum-co-uk.mail.protection.outlook.com.

Configuration Changes for Office 365

  1. Log in to Microsoft 365 Defender at https://security.microsoft.com/
  2. Navigate to Policies & Rules -> Threat Policies -> Anti-Spam Policies. Click on Connection filter policy.
  3. When the menu opens, click on Edit connection filter policy. In the Allowed IP Address section, add all of the IP addresses for the Email Security region you are using - see Europe, United States, United Arab Emirates, India.
  4. Enable Turn On Safe List

Configuring Outbound Mail

  1. Visit your USS Dashboard and click Products -> E-mail Security -> Product Configuration -> Outbound Mail.
  2. Add a new sending host, by entering the string spf://spf.protection.outlook.com and clicking .

Configure Inbound mail on Office 365 to reject non-EMS emails

IMPORTANT: You should configure Office 365 to block any inbound email that does not originate from the Email Security (EMS) product.

Please follow the steps in this article to restrict Office 365 and then return to this article to continue configuration.

Configure Outbound mail on Office 365 to send email via the EMS servers

You should configure Office 365 to always send mail using the EMS servers.

  1. Log in to your Office 365 Admin Center, and navigate to Admin Centers -> Exchange.
  2. In the left-hand pane, click Mail Flow -> Connectors.
  3. Click + to add a new connector.
  4. In the From: field, select Office 365.
  5. In the To: field, select Partner Organization.
  6. Give the new connector a sensible name.
  7. Click Next.
  8. Under When do you want to use this connector? select Only when email messages are sent to these domains, then click the + icon and enter *.
  9. Click Next.
  10. Under How do you want to route email messages, select Route email through these smart hosts.
  11. Add hosts according to the correct addresses for your cluster - either US, EU or UAE.
  12. Click Next and then click Confirm to create the connector.

If you wish to verify the connector, be sure not to use an internal address. For example, use a personal email address which is not on a domain configured for your customer.

If the validation fails, check the settings below before contacting technical support:

  1. The connector is enabled.
  2. The default domain is the domain configured in EMS domain settings (MailFlow -> Accepted Domains).

M365 can still accept emails directly, bypassing EMS filtering. We recommend locking down M365 to accept emails only from your EMS region; to do so, follow this KB article here.
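
The outbound connector steps and the two validation checks above can also be scripted in Exchange Online PowerShell. This is an added example, not part of the original article or the vendor's tooling. It assumes the ExchangeOnlineManagement module is installed; the connector name and smart host values are placeholders, and tonyfrankum.co.uk is the article's sample domain.

```powershell
# Added example. Placeholders below must be replaced before running.
$ConnectorName = 'Outbound via EMS'                              # hypothetical name
$SmartHosts    = @('<EMS-SMART-HOST-1>', '<EMS-SMART-HOST-2>')   # from your cluster's address list
$EmsDomain     = 'tonyfrankum.co.uk'                             # domain configured in EMS

# Refuse to run while the smart host placeholders are still in place.
if ($SmartHosts -match '^<.*>$') { throw 'Replace the smart host placeholders first.' }

Connect-ExchangeOnline

# Create the connector only if it does not already exist, so re-runs are safe.
# Office 365 -> Partner Organization, all recipient domains (*), smart host routing.
if (-not (Get-OutboundConnector | Where-Object Name -eq $ConnectorName)) {
    New-OutboundConnector -Name $ConnectorName `
        -ConnectorType Partner `
        -RecipientDomains '*' `
        -UseMXRecord $false `
        -SmartHosts $SmartHosts `
        -Enabled $true | Out-Null
}

# Re-read the live settings and collect anything that would break validation.
$connector  = Get-OutboundConnector -Identity $ConnectorName
$configured = @($connector.SmartHosts | ForEach-Object { "$_" })
$problems   = @()

if (-not $connector.Enabled) { $problems += 'Connector is disabled.' }
if ($connector.UseMXRecord)  { $problems += 'Connector routes by MX record, not smart hosts.' }
if (@($connector.RecipientDomains | ForEach-Object { "$_" }) -notcontains '*') {
    $problems += 'Connector does not apply to all recipient domains (*).'
}
foreach ($h in $SmartHosts) {
    if ($configured -notcontains $h) { $problems += "Smart host missing: $h" }
}

# The default accepted domain must be the domain configured in EMS.
$default = Get-AcceptedDomain | Where-Object Default
if ("$($default.DomainName)" -ne $EmsDomain) {
    $problems += "Default accepted domain is '$($default.DomainName)', expected '$EmsDomain'."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'Outbound connector and default domain look correct.' }
```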

