Skip to content
Cloudflare Docs

Office 365 as MX Record

A schematic showing where Email Security is in the life cycle of an email received

In this tutorial, you will learn how to configure Microsoft Office 365 with Email Security as its MX record.

1. Add Email Security IP addresses to Allow List

  1. Go to the Anti-spam policies page > Select Edit connection filter policy.
  2. In Always allow messages from the following IP addresses or address range, add IP addresses and CIDR blocks mentioned in Egress IPs.
  3. Select Save.
  4. Microsoft recommends disabling SPF Hard fail when an email solution is placed in front of it:
  5. Select Save.

2. Configure Enhanced Filtering

Create an inbound connector

  1. Set up a connector.
  2. Select Partner organization under Connection from.
    • Provide a name for the connector:
      • Name: Email Security Inbound Connector
      • Description: Inbound connector for Enhanced Filtering
  3. In Authenticating sent email, select By verifying that the IP address of the sending server matches one of the following IP addresses, which belongs to your partner organization.
  4. Enter all of the egress IPs in the Egress IPs page.
  5. In Security restrictions, accept the default Reject email messages if they aren't sent over TLS setting.

Enable enhanced filtering

Now that the inbound connector has been configured, you will need to enable the enhanced filtering configuration of the connector.

  1. Go to the Security admin console, and enable enhanced filtering.
  2. Select Automatically detect and skip the last IP address and Apply to entire organization.
  3. Select Save.

3. Configure anti-spam policies

To configure anti-spam policies:

  1. Open the Microsoft 365 Defender console.
  2. Go to Email & collaboration > Policies & rules.
  3. Select Threat policies.
  4. Under Policies, select Anti-spam.
  5. Select the Anti-spam inbound policy (Default) text (not the checkbox).
  6. In Actions, scroll down and select Edit actions.
  7. Set the following conditions and actions (you might need to scroll up or down to find them):
  • Spam: Move messages to Junk Email folder.
  • High confidence spam: Quarantine message.
    • Select quarantine policy: AdminOnlyAccessPolicy.
  • Phishing: Quarantine message.
    • Select quarantine policy: AdminOnlyAccessPolicy.
  • High confidence phishing: Quarantine message.
    • Select quarantine policy: AdminOnlyAccessPolicy.
  • Retain spam in quarantine for this many days: Default is 15 days. Email Security recommends 15-30 days.
    • Select the spam actions in the above step:
  1. Select Save.

4. Create transport rules

To create the transport rules that will send emails with certain dispositions to Email Security:

  1. Open the new Exchange admin center.

  2. Go to Mail flow > Rules.

  3. Select Add a Rule > Create a new rule.

  4. Set the following rule conditions:

    • Name: Email Security Deliver to Junk Email folder.
    • Apply this rule if: The message headers > includes any of these words.
      • Enter text: X-CFEmailSecurity-Disposition > Save.
      • Enter words: SUSPICIOUS, BULK > Add > Save.
    • Apply this rule if: Select + to add a second condition.
    • And: The sender > IP address is in any of these ranges or exactly matches > enter the egress IPs mentioned in Egress IPs.
    • Do the following - Modify the message properties > Set the Spam Confidence Level (SCL) > 5.

  5. Select Next.

  6. You can use the default values on this screen. Select Next.

  7. Review your settings and select Finish > Done.

  8. Select the rule Email Security Deliver to Junk Email folder you have just created, and Enable.

  9. Select Add a Rule > Create a new rule.

  10. Set the following rule conditions:

    • Name: .
    • Apply this rule if: The message headers > includes any of these words.
      • Enter text: X-CFEmailSecurity-Disposition > Save.
      • Enter words: MALICIOUS, UCE, SPOOF > Add > Save.
    • Apply this rule if: Select + to add a second condition.
    • And: The sender > IP address is in any of these ranges or exactly matches > enter the egress IPs in the Egress IPs.
    • Do the following: Redirect the message to > hosted quarantine.

  11. Select Next.

  12. You can use the default values on this screen. Select Next.

  13. Review your settings and select Finish > Done.

  14. Select the rule you have just created, and select Enable.

Next steps

Now that you have completed the prerequisite steps, you can set up MX/Inline on the Cloudflare dashboard.