Inbound Security Setup for Microsoft 365 with Defender

NOTE: Coordinate with the Paubox Team for inbound security setup.

• Paubox Team will provide the appropriate mx value 
• Mail relays must be set on the Paubox side or mail will not be delivered

Overview

What you’ll need:

1. Trial subscription with Paubox (don't have one? sign up here!)
2. A Microsoft 365 account (Business Basic, Standard, or Premium)
3. Microsoft 365: Admin access to your organization's Microsoft Exchange Admin  (https://admin.exchange.microsoft.com/#/homepage)
4. Microsoft Defender
5. Domain: Admin access to your organization's Domain Host (for ex. GoDaddy or Cloudflare)
6. The appropriate mx value for your domain - provided by Paubox during setup

Note: Make sure you can log into Microsoft 365 & Domain Host as an admin before proceeding. If you don’t have login credentials or permissions, reach out to who set up your Microsoft 365 account and/or website.

What you’ll do:

1. Microsoft 365: Create a connector
2. Microsoft 365 Defender: Enable Enhanced Filtering for Connectors ("Skip Listing")
3. Domain: Update your domain's mx record

Questions? Stuck? We’re here for you!  support@paubox.com

Step-By-Step Guide

Part I: Microsoft 365 - Create an Inbound Connector 

1. Log in to the Microsoft 365 Exchange Admin Center using admin-level credentials (https://admin.exchange.microsoft.com/#/homepage)
2. In the navigation pane on the left, click mail flow. Then click connectors.
3. Click + Add a connector 
4. On the pop-up window that follows, select
   From: Partner Organization and To: Office 365. Then click Next
5. Under *Name: enter Paubox Inbound. Make sure the checkbox labeled Turn it on is checked, then click Next
6. Change the radio button to:"By verifying that the IP address of the sending server..."  In the Add ip address field, enter 165.140.171.0/24 then click then the blue box with the + symbol
7. Click Next
8. On the next screen, keep Reject messages if they aren't using TLS selected, leave the other box unchecked. Click Next.
9. On the next screen, click Create Connector 
10. Next click Done
11. The Paubox inbound connector for Microsoft 365 is now live.

Part II: Microsoft Defender - Enable Enhanced Filtering for Connectors ("Skip Listing")

1. Open the Microsoft 365 Defender portal
2. In the sidebar on the left, click Email & Collaboration
3. Click on Policies & Rules => Threat Policies
4. In the Rules section, click Enhanced Filtering
5. Select the connector just created ("Paubox Inbound")
6. In the following popup:

• Select the radio button: Automatically detect and skip the last IP address
• For "Apply to these users" select: Apply to entire organization
• Click Save 

Note: If there is a rule in place to bypass SCL (Spam Confidence Level), disable the rule. See Microsoft's full best practices, here. 

Part III: Domain Update - MX Record

If your organization’s domain name is example.com, Microsoft Office 365 asks you to setup your MX record like this:

MX 10 example-com.mail.protection.outlook.com.

To get Paubox inbound security going, you’ll need to change your MX record so that it has just one MX record:

<appropriate mx value supplied by Paubox Team during setup>

Note: if there are multiple MX records, edit the record of the lowest value (usually "10") and replace the existing value with mx.paubox.com. Save; then delete all other records of type MX. 

This update will start routing all inbound email for your domain to Paubox when the DNS record change finishes propagating.