How To Lock Down Office 365


This article will show you how to lock down Office 365 to only accept from the MPmail service


  • Office 365 customer setup on MPmail
  • Office 365 admin account
  • MPmail with in the Outbound Relay, must have been done at least 60 minutes prior
  • MPmail Outbound Smarthost address

The Process

  • Log into the Exchange section of your Office 365
  • Click on ‘Mail Flow’
  • Click on ‘Rules’
  • Click on ‘+’ to create a new rule
  • Give the rule a Name
  • Immediately click on 'More options' 


  • 'Name' = MPmail Inbound Rule
  • 'Apply this rule if ' = [Apply to all messages]
  • 'Do the following' = 'Reject the message with explanation (then define an explanation, ours is 'Email bypassed MX records')

  • Add Exception to the rule. 'Except if' = Senders IP is in the range (and enter our IP ranges)

  • Add an additional exception which will allow mail from your internal mailboxes outbound in the same transport rule
  • The sender is located 'External/Internal'
  • Select Inside the organisation. This will cover all sending mailboxes within your Office 365 account

  • Add another Exception with 'The message type is -> Calendaring'


  • Tick 'Enforce'
  • Click 'OK'
  • Click 'Save'
  • Go to your customer account in the and input the unique office 365 generated MX records under your customers IP/Hostname within the ‘Management’ tab
  • Activate outbound relay by inputting a Dummy IP and save. IP which is a virtual container, which encompasses all of Office 365 IP ranges

Outbound Rule/Connector

To send all emails outbound through Manage Protect Smarthost:

  • Go to 'Mail flow'
  • 'Connectors'
  • Click '+'
  • Add connector, select scenario.
  • From: Office 365
  • To: Partner Organisation 


  • Apply a useful Name to the connector and click 'Next'

  • Choose 'Only when email messages are sent to these domains' and add you Domains or for the purposes of this example, Add * 

  • Then press next and choose the option: 'Route email through these smarthosts'. Click the '+' option and add

  • Click Save
  • The next option is not mandatory, but if you would like to ensure that all messages sent outbound through the smarthost are sent via TLS please leave this window as the default option as below 

  • Click 'Next' and you will then be presented with a summary of the scenario 

  • Click 'Next' to apply and you will be presented with a validate connector window


  • You should enter an external email address and Office 365 will validate the connector and attempt to send a test message though the smarthost
  • You should see the following results when validation is complete.