Skip to content
Cloudflare Docs

Cisco - Email Security as MX Record

A schematic showing where Email Security sits in the life cycle of an email received

In this tutorial, you will learn how to configure Cisco IronPort with Email Security as MX record.

Prerequisites

To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying.

Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Cloudflare Email Security (formerly Area 1). This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting.

To check your existing TTL, open a terminal window and run the following command against your domain:

Terminal window
dig mx <YOUR_DOMAIN>
; <<>> DiG 9.10.6 <<>> mx <YOUR_DOMAIN>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.    IN  MX


;; ANSWER SECTION:
<YOUR_DOMAIN>.  300  IN  MX  5 mailstream-central.mxrecord.mx.
<YOUR_DOMAIN>.  300  IN  MX  10 mailstream-east.mxrecord.io.
<YOUR_DOMAIN>.  300  IN  MX  10 mailstream-west.mxrecord.io.

In the above example, TTL is shown in seconds as 300 (or five minutes).

If you are using Cloudflare for DNS, you can leave the TTL setting as Auto.

Below is a list with instructions on how to edit MX records for some popular services:

1. Add a Sender Group for Email Security Email Protection IPs

To add a new Sender Group:

  1. Go to Mail Policies > HAT Overview.

  2. Select Add Sender Group.

  3. Configure the new Sender Group as follows:

    • Name: Email Security.
    • Order: Order above the existing WHITELIST sender group.
    • Comment: Email Security Email Protection egress IP Addresses.
    • Policy: TRUSTED (by default, spam detection is disabled for this mail flow policy).
    • SBRS: Leave blank.
    • DNS Lists: Leave blank.
    • Connecting Host DNS Verification: Leave all options unchecked.

  4. Select Submit and Add Senders and add the IP addresses mentioned in Egress IPs

2. Configure Incoming Relays

You need to configure the Incoming Relays section to tell IronPort to ignore upstream hops, since all the connections are now coming from Email Security. This step is needed so the IronPort can retrieve the original IPs to calculate IP reputation. IronPort also uses this information in the Anti-Spam (IPAS) scoring of messages.

  1. To enable the Incoming Relays Feature, select Network > Incoming Relays.
  2. Select Enable and commit your changes.
  3. Now, you will have to add an Incoming Relay. Select Network > Incoming Relays.
  4. Select Add Relay and give your relay a name.
  5. Enter the IP address of the MTA, MX, or other machine that connects to the email gateway to relay incoming messages. You can use IPv4 or IPv6 addresses.
  6. Specify the Received: header that will identify the IP address of the original external sender.
  7. Commit your changes.

3. Disable SPF checks

Make sure you disable Sender Policy Framework (SPF) checks in IronPort. Because Email Security is acting as the MX record, if you do not disable SPF checks, IronPort will block emails due to an SPF failure.

Refer to Cisco's documentation for more information on how to disable SPF checks.

Next steps

Now that you have completed the prerequisite steps, you can set up MX/Inline on the Cloudflare dashboard.