Configuration for older O365 tenants

Note: This configuration guide utilizes the “Your organization” connector type and should only be used if your Microsoft/O365 tenant has been created before January 1st, 2023. If your Microsoft/O365 tenant is newer than this, please refer to our main configuration guide for O365.

---

Step 1 – Navigating to “Email Relay Integration”

First, you will need to log into the Trustifi web portal using your admin credentials. Once logged in, click on “Inbound Management” on the left side navigation bar and then click on the “Plan Settings” page. Make sure the selected architecture is “via Email Relay“. If you want to create the inbound mail flow integration using an MX record, please see our MX integration guide. 

Step 2 – Adding your domain, MTA, and port

Under the “Email Relay Integration” section you will need to enter your domain, Mail Transfer Agent (MTA) and port. If you are not sure what your MTA is, you can click “resolve host” to auto-fill the “MTA” field. The port number will usually be 25.

Note: If you have several domains which should be protected you can add multiple domains with their corresponding MTAs. For each domain, up to 3 MTAs can be added – the first MTA will be used by default and the other 2 will be used as a fallback in case the first MTA fails.

Step 3 – Enabling the Inbound Email Relay

After your domain, MTA, and port have been added, simply click the “Enable” toggle and confirm in the pop-up window After the Inbound Email Relay has been enabled, your Email Relay key will be generated. You can copy this key now to use it later in configuration.

Note: This action will not yet change anything in your server’s inbound mail flow. Mail traffic will only be routed through Trustifi after the mail-flow rule and connectors have been set up.

Step 4 – Navigating to the Exchange Admin Center – Mail flow connectors

Navigate and log into the “Exchange admin center” using your admin credentials. After you have logged in, navigate to the “Mail flow” – “Connectors” page.

Step 5 – Creating the “receive” connector

Click on the “Add a new connector” button to open the “New connector” interface.

Step 6 – Selecting a mail flow scenario

Under “Connection from” select  “Your organization’s mail server” and under “Connection to” select the default option “Office 365”. Continue by clicking on “Next“.

Step 7 – Naming and describing the connector

In the “Name” field enter the following name – “Trustifi Inbound Connector (Receive)‎”. In the “Description” field you can add any description you like (optional). Make sure the bottom 2 boxes are checked:

• Turn in on
• Retain internal Exchange email headers

You can continue by clicking on “Next”.

Step 8 – Authenticating sent email

Here you need to select “By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization”. Add the following IPs and click on the “+” button to add each one:

• • 3.93.243.176
  • 3.93.139.220
  • 3.251.32.127
  • 54.195.145.1

After both IPs have been added, click on “Next” to continue.

Step 9 – Reviewing the connector

Confirm that all settings are correct and finish by clicking on “Create connector”.

Step 10 – Confirming the connector has been added

Confirm the “Trustifi Inbound Connector (Receive)‎‎‎” connector has been added to the connector list.

Step 11 – Creating the “send” connector

Click on the “Add a connector” button to create a new connector.

Step 12 – Selecting a mail flow scenario

Here, you will need to select the mail flow scenario. Under “Connection from” select “Office 365”, and under “Connection to” select “Your organization’s email server” and continue by clicking “Next”.

Step 13 – Naming and describing the connector

In the “Name” field enter the following name – “Trustifi Inbound Connector (Send)‎”. In the “Description” field you can add any description you like (optional). Make sure the bottom 2 boxes are checked:

• • Turn in on
  • Retain internal Exchange email headers

You can continue by clicking on “Next“.

Step 14 – Use of connector

Select “Only when I have transport rule set up that redirects message to this connector” and continue by clicking “Next”

Step 15 – Routing

Here we will need to add the smart host to which emails will be routed. In the input field, add the following smart host: inbound-smtp.trustifi.com Then, click on the “+” icon to add the smart host and click “Next” to continue.

Step 16 – Security restrictions

Now we will need to configure the smart host security settings:

• • Select “Always use TLS” (First checkbox)
  • Select “Issued by a trusted certificate authority(CA)”
  • Check the box for “Add the subject name of subject alternative name (SAN) matches this domain name“
  • Enter the following value into the input field: *.trustifi.com

Step 17 – Validating the connector

In this step, Exchange will need to validate the connector by sending an email through it.

Enter an email for an active mailbox that’s on your email server, and click on the “Validate” button.

Step 18 – Validation results

After the connection check is done, a status of “Succeed” or “Failed” will appear for each of the validation tests. The “Check connectivity” test should succeed. If the status of this test has failed, please check that the smart host address was entered correctly. If the “Send test email” test fails, it’s OK. This is because we don’t yet have a rule set up to use this connector. Click on “Next” to continue. You may receive a warning – click “Yes” to confirm and continue.

Step 19- Reviewing the connector

Confirm that all settings are correct and finish by clicking on “Create connector”.

Modifying “Remote domains” settings

Step 20 – Navigating to the remote domains tab and editing the default

Note: For a detailed explanation of the required changes to “Remote domains“, please read this article. In this section, we will make some changes to the “Remote domains” settings. These changes are not strictly mandatory for the process, but will ensure that all types of email content are delivered correctly using Trustifi. First, go to “Remote domains‘” under “Mail flow” and click on the default domain settings.

Step 21 – Editing the RTF settings

In the section that includes “Use rich-text format“, click on “Edit text and character set“.

Step 22 – Changing the RTF settings

Set the following:

• • Under “Use Rich Text format” – select “Never“
  • Under “MIME character set” – select “Unicode (UTF-8)“
  • Under “Non-MIME character set” – select “Unicode (UTF-8)“

Then, click on “Save“.

Step 23 – Editing reply types

Under “Email reply types“, click on “Edit reply types“.

Step 24 – Changing reply types

Under “Out of Office automatic reply types” – select “Allow external and legacy out of office replies“. Then, click on “Save“.

Checking “Accepted Domains” settings

Step 25 – Viewing the “Accepted Domains” settings

First, navigate to “Accepted domains” under “Mail flow“. Find the domain you are configuring the Email Relay for, and verify that the “Domain type” is set to “Authoritative” and not to “Internal relay“. 

Note: the “Internal relay” configuration is almost always used in situations where the domain has at least one mail server that is not synced with O365. If this is not the situation, the recommended configuration is “Authoritative“.

Creating a mail flow rule

Step 26 – Creating a new rule

Now we will need to navigate to the Rules tab to create a new rule to use the connector.

Step 27 – Naming the rule

First, name the new mail flow rule that will be used for the Trustifi inbound relay.

Step 28 – First condition: recipient domain

Under “Apply this rule if“, select “The recipient“. Then, in the 2nd menu, select “domain is“.

Step 29 – Selecting the recipient domain

Add the domain that will be used to receive emails through Trustifi Email Relay. If you have multiple domains under your tenant, add them all here. After the domain has been added, click on “Save“.

Step 30 – Adding a new condition

Add a new condition by clicking on the “+” icon next to the first condition.

Step 31 – Second condition: recipient location

Once again select “The recipient” and then  select “Is external/internal”.

Step 32 – Selecting recipient location

Under “Select sender location“, choose “Inside the organization“. Then, click on “Save“.

Step 33 – First action: redirect to connector

Now we will start selecting the actions to be taken by this rule.

Note: this guide provides instructions for enabling full protection for inbound emails. If you want to enable Inbound Shield in “Journal” mode only, please see our “Journaling Mode” guide .

Under “Do the following” – select “Redirect the message to” and then select “the following connector“.

Step 34 – Selecting connector redirection

Under “Select connector“, choose the Trustifi inbound send connector which was created earlier. Then, click on “Save“.

Step 35 – Adding a new action

Add new action by clicking on the “+” icon next to the first action.

Step 36 – Second action: set a message header

For the new action, select “Modify the message properties” and then select “set a message header“.

Step 37 – Setting the header name

Click on the first “Enter text” link and add the following input: x-trustifi-creds Then, click on “Save“.

Step 38 – Setting the header value

Click on the second “Enter text” link, and there add the email relay secret key which you copied in step 3. Then, click on “Save“.

Step 39 – Third action: Require TLS encryption

First, add a new action for the rule. Then select “Modify the message security” and “Require TLS encryption“.

Step 40 – Fourth action: bypassing spam filtering

Add a new action for the rule. Then select “Modify the message properties” and “Set the spam confidence level (SCL)“

Step 41– Selecting spam bypass

In the “Specify SCL” window, select “Bypass spam filtering“. Then, click “Save“.

Step 42 – Adding an exception: custom header

Here we will add a couple of exceptions to this mail flow rule to avoid processing emails which have already been sent by Trustifi. This is to avoid email loops. Under “Except if“, select “The message headers” and then select “includes any of these words“.

Step 43 – Setting the exception header name

Click on the first “Enter text” link and in the pop-up window enter “x-trustifi-inbound-processed” (without the double quotes). Click on “Save” to confirm.

Step 44 – Setting the exception header value

Click on “Enter words” and in the pop-up window enter the word “yes” (without the double quotes). Then click on the “+” icon and “Save” to confirm.

Step 45 – Creating the 2nd exception

Click on the “+” icon next to the first exception to add another exception. Then select  “The sender”, and “IP address is in any of these ranges or exactly matches”.

Step 46 – Adding the exception IPs

In the “specify IP address ranges” window, enter the following IPs:

• 3.93.243.176
• 3.93.139.220
• 54.195.145.1
• 3.251.32.127

Then, click on “Save“.

Step 47 – Verifying the settings

After both exceptions have been created, take a moment to verify all conditions, actions, and exceptions are correct. If everything looks good, click on “Next“.

Step 48 – Rule settings

Set the following additional settings:

• Under “Severity” – select “High“
• Check the box for “Stop processing more rules“
• Check the box for “Defer the message if rule processing doesn’t complete
• Under “Match sender address in message“- select “Header and envelope“

Once finished, click on “Next“.

Step 49 – Review and finish

The next page will display a summary of the rule’s conditions, actions, exceptions, and settings. Make sure that everything looks OK and click “Finish” to create the rule.

Step 50 – Verifying the rule priority order

If you are also connected to the Trustifi outbound relay, you will need to verify the 2 Trustifi mail flow rules are in the correct priority order. To avoid issues with deliverability of internal emails, the Trustifi inbound mail flow rule has to come after the Trustifi outbound rule, as pictured below.