Spam Experts Help

Configure Office 365 with Spam Experts

Inbound filtering

Basic steps to protect your domain:

  1. Add a domain via the Spam Experts web interface and ensure the destination route is set to the MX record hostname provided by Office 365.
  2. Add a rule to Office 365 to ensure email from the filtering servers is always accepted and not wrongly classified as spam.
  3. Change the MX records of the domain in the DNS to point to the Spam Experts provided MX record hostnames.

IP based rule to always accept from the filtering servers

In your Office 365 environment, you can create a partner connector and rule to bypass the local spam filtering for the filtering IPs.

  1. Log in to the Exchange Admin Center.
  2. Click on mail flow > connectors.
  3. Click the + (plus sign).
  4. Choose Partner organization as the From and Office 365 as the To, then click Next.
  5. Give the connector a name, then click Next.
  6. Choose Use the sender's IP address then click Next.
  7. Add the Spam Experts IPs listed in Hosted Cloud Delivery IPs.
  8. Ensure that Reject email messages if they aren't sent over TLS is ticked and click Next.
  9. Verify the settings and click Save.
  10. Click on Mail flow > Rules.
  11. Under Rules, click on the + (plus button) and choose Bypass spam filtering... .
  12. Enter a rule name (e.g. Disable filtering for Spam Experts).
  13. Choose Apply this rule if... > Senders IP Address is in any of these ranges or exactly matches...
  14. Add the Spam Experts delivery IPs listed in Hosted Cloud Delivery IPs.
  15. Ensure that Do the following... is set to: Modify the message properties > Set the spam confidence level (SCL) > Bypass spam filtering.
  16. Click OK.
  17. Click Save.
  18. Spam filtering will no longer apply to email delivered by the filtering servers, which prevents Office 365 from wrongly marking legitimate emails as spam (e.g. because SPF would fail).
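
The same connector and bypass rule can be created from Exchange Online PowerShell. This is an added example, not part of the original Spam Experts instructions; it assumes a session already opened with Connect-ExchangeOnline, and the IP addresses and connector name are placeholders to be replaced with the addresses from Hosted Cloud Delivery IPs.

```powershell
# Added example. Placeholder addresses (documentation ranges), NOT the real
# Spam Experts delivery IPs: take those from "Hosted Cloud Delivery IPs".
$FilterIPs = @('192.0.2.10', '192.0.2.11', '198.51.100.20')

# Assumed connector name; the page only says "give the connector a name".
$ConnectorName = 'Inbound from Spam Experts'
$RuleName      = 'Disable filtering for Spam Experts'

# Steps 3-9: partner connector identified by sender IP, TLS required.
New-InboundConnector -Name $ConnectorName `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $FilterIPs `
    -RequireTls $true `
    -Enabled $true

# Steps 10-17: set SCL to -1 (bypass spam filtering) for the same IP list.
# Feeding both objects from one variable keeps connector and rule in sync.
New-TransportRule -Name $RuleName `
    -SenderIpRanges $FilterIPs `
    -SetSCL -1

# Read back what was stored so the IP list can be compared with the
# published delivery IPs whenever the pool changes.
Get-InboundConnector -Identity $ConnectorName |
    Format-List Name, SenderIPAddresses, RequireTls, Enabled
Get-TransportRule -Identity $RuleName |
    Format-List Name, SenderIpRanges, SetSCL, State
```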

Our status page allows you to subscribe to receive a notification of the email address pool changes (not relevant when your service supports an IP range).

X Header based rule to accept email from the filtering servers

The disadvantage of this method is that spammers could technically spoof the header and thereby bypass the built-in filtering. The advantage is that no IP addresses need to be kept up to date.

  1. Log in to the Office 365 "Exchange admin center".
  2. In the Dashboard, select Rules in the Mail Flow section.
  3. Under Rules, click the + button and choose Create a new rule... .
  4. Enter a Name for your rule, e.g. 'Spam Experts spamfilter bypass'.
  5. Click More Options.
  6. Create the rule condition "A message header includes": the "X-Recommended-Action" header contains "accept".
  7. Click +.
  8. Click OK.
  9. In the "Do the following" part, select "Modify the message properties" > "Set the spam confidence level (SCL)" > "Specify SCL" > "Bypass spam filtering".
  10. Click OK.
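
Because a header-only condition can be satisfied by any sender who sets that header, it helps to know which bypass rules in a tenant depend on a header value alone. The following is an added example, not part of the original instructions: the function name is hypothetical, the sample rule objects are constructed, and the property names are the ones Get-TransportRule returns.

```powershell
# Added example: list SCL-bypass rules whose only condition is a header match.
function Find-HeaderOnlyBypass {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Rule)
    process {
        # Only rules that set SCL to -1 ("Bypass spam filtering") are relevant.
        if ("$($Rule.SetSCL)" -ne '-1') { return }

        # Drop null entries so an empty condition counts as zero ranges.
        $ips = @($Rule.SenderIpRanges | Where-Object { $_ })

        if ($ips.Count -eq 0 -and $Rule.HeaderContainsMessageHeader) {
            [pscustomobject]@{
                Rule   = $Rule.Name
                Header = "$($Rule.HeaderContainsMessageHeader)"
                Words  = @($Rule.HeaderContainsWords) -join ','
                Note   = 'Bypass depends on a header value alone'
            }
        }
    }
}

# Constructed sample objects standing in for Get-TransportRule output.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Disable filtering for Spam Experts'; SetSCL = -1
        SenderIpRanges = @('192.0.2.10', '192.0.2.11')
        HeaderContainsMessageHeader = $null; HeaderContainsWords = @() },
    [pscustomobject]@{ Name = 'Spam Experts spamfilter bypass'; SetSCL = -1
        SenderIpRanges = @()
        HeaderContainsMessageHeader = 'X-Recommended-Action'
        HeaderContainsWords = @('accept') },
    [pscustomobject]@{ Name = 'Unrelated rule'; SetSCL = $null
        SenderIpRanges = @()
        HeaderContainsMessageHeader = $null; HeaderContainsWords = @() }
)

# Reports only 'Spam Experts spamfilter bypass'.
$sampleRules | Find-HeaderOnlyBypass | Format-Table -AutoSize

# Against a live tenant (requires Connect-ExchangeOnline):
#   Get-TransportRule | Find-HeaderOnlyBypass
```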

Outbound filtering

To protect your domain's outbound mail flow, you need to:

  1. Add your Office 365 sender domain as an "Authenticating Domain", with "Re-authentication permitted:" explicitly set.
  2. Set up a connector in Office 365 to relay the outgoing email via the email security smarthost.

Set up outbound user in Spam Experts

  1. Go to the domain dashboard, choose Outgoing > Manage Users.
  2. At the bottom of the page, select the "Authenticating Domain" tab. Specify your Office365 sending domain, and provide a secure random password.
  3. Once the user has been added, click the dropdown icon on the left of the user and select "Edit".
  4. Verify the configuration and ensure the limits are either disabled or match your expected traffic.
  5. Ensure "Re-authentication permitted" is selected. This is required for the sending domain to be allowed from Office365.
  6. Save the user settings.

Set up a transport rule in Office 365

  1. Log in to the Office365 "Exchange admin center".
  2. In the dashboard, go to Connectors in the Mail Flow section.
  3. Create a new connector from Office365 to Partner Organization and give it a name.
  4. Select Only when I have a transport rule set up that redirects messages to this connector.
  5. Select "Route email through these smart hosts" and add
  6. Check Always use Transport Layer Security (TLS) to secure the connection (recommended) and select Issued by a trusted certificate authority (CA).
  7. Validate the connector (e.g. using recipient and save.
  8. In the Exchange Dashboard, go to Rules in the Mail Flow section.
  9. Under Rules, click the + button and choose Create a new rule... .
  10. Enter a Name for your rule, e.g. 'Route sending domain via filtering smarthost'.
  11. Click More Options.
  12. Set "Apply this rule if..." to "The sender's domain is...".
  13. As the sender domain, specify the domain you previously added to Spam Experts as an "Authenticating Domain" outgoing user (similarly, you could set up a rule for specific sender addresses only).
  14. Set "Do the following..." to "Redirect the message to", "The following connector".
  15. Select the smarthost connector you previously created.
  16. Save the rule.

Once this is done, any traffic matching your outgoing sender domain is relayed via the transport rule and processed by the filtering servers.
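
The outbound connector and routing rule above, expressed in Exchange Online PowerShell. This is an added example, not part of the original instructions; it assumes a session opened with Connect-ExchangeOnline, and the sender domain, smarthost hostname and connector name are placeholders (the page does not give the smarthost value here).

```powershell
# Added example. All three values below are placeholders / assumptions.
$SenderDomain  = 'example.com'                 # your Authenticating Domain
$SmartHost     = 'smarthost.example.invalid'   # smarthost from your provider
$ConnectorName = 'Relay via filtering smarthost'

# Steps 3-7: connector used only when a transport rule redirects to it,
# delivering to the smarthost over TLS with a CA-issued certificate.
New-OutboundConnector -Name $ConnectorName `
    -ConnectorType Partner `
    -IsTransportRuleScoped $true `
    -UseMXRecord $false `
    -SmartHosts $SmartHost `
    -TlsSettings CertificateValidation `
    -Enabled $true

# Steps 8-16: route mail from the sending domain through that connector.
New-TransportRule -Name 'Route sending domain via filtering smarthost' `
    -SenderDomainIs $SenderDomain `
    -RouteMessageOutboundConnector $ConnectorName

# Read back the settings that decide how and where mail is relayed.
Get-OutboundConnector -Identity $ConnectorName |
    Format-List Name, SmartHosts, TlsSettings, IsTransportRuleScoped, Enabled
```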

Email archiving

Basic steps to archive your domain's email:

  1. Ensure that archiving is enabled on the domain in Spam Experts ("Status" page in the "Archive" section).
  2. Any inbound/outbound email passing the domain will automatically be archived by default.
  3. Set up a filter rule to also archive the Office 365 internal message using a mail rule, or for archive-only, set a rule to archive all email.

Archiving combined with protection

  1. Go to the domain dashboard, enable the archiving service on the "Status" page in the "Archive" section.
  2. By default, all inbound/outbound email processed by the filtering servers for the domain will now be archived.

  3. Optionally restrict which recipients should be archived on the "Archived recipients" page.
  4. Log in to the Office365 "Exchange admin center".
  5. In the dashboard, go to journal rules in the compliance management section.
  6. First choose "select address" for "Send undeliverable journal reports to:". This should be a valid recipient to be informed in case of journal failures.
  7. Next add a journal rule:
    • Send journal reports to: You can find the "Global journal address" which is unique for your domain on the "Status" page in the "Archive" section of Spam Experts. E.g. "". Replace "MX-record-hostname" with the primary MX record you were provided with for your security filtering, or simply use
    • Name: Spam Experts journal archive rule.
    • If the message is sent to or received from: [Apply to all messages].
    • Journal the following messages: Internal messages only (in case you use protection), all messages (this would cause duplicate archiving if you also archive via the protection service).

Local Cloud outgoing filtering

For this to work successfully the following is needed:

  1. A minimum of 2 IPs on a node.
  2. The secondary IP configured to use port 25 for outbound usage. Please contact to have this enabled on a secondary IP.
  3. Office365 IPs added to a controlled authenticating domain.
  4. Make sure that you add these with the option Re-authenticate as sending domain enabled.
  5. Add the sending domains to the interface.
  6. Add an authenticating outgoing user for each sending domain (this allows logging to be stored on the sending domain).
  7. Enable Re-Auth permitted option for the outgoing user domain in the Settings page.
  8. Configure the Office365 interface using the steps above (replacing the SMTP hostname with your own hostname).

As Office365 can sometimes change their IPs without notice, it's advised to periodically check and update the existing IPs added.