NOTE: Coordinate with the Paubox Team for inbound security setup.
- Paubox Team will provide the appropriate mx value
- Mail relays must be set on the Paubox side or mail will not be delivered
What you’ll need:
- Trial subscription with Paubox (don't have one? sign up here!)
- A Microsoft 365 account (Business Basic, Standard, or Premium)
- Microsoft 365: Admin access to your organization's Microsoft Exchange Admin (https://admin.exchange.microsoft.com/#/homepage)
- Microsoft Defender
- Domain: Admin access to your organization's Domain Host (for ex. GoDaddy or Cloudflare)
- The appropriate mx value for your domain - provided by Paubox during setup
Note: Make sure you can log into Microsoft 365 & Domain Host as an admin before proceeding. If you don’t have login credentials or permissions, reach out to who set up your Microsoft 365 account and/or website.
What you’ll do:
- Microsoft 365: Create a connector
- Microsoft 365 Defender: Enable Enhanced Filtering for Connectors ("Skip Listing")
- Domain: Update your domain's mx record
Questions? Stuck? We’re here for you! firstname.lastname@example.org
Part I: Microsoft 365 - Create an Inbound Connector
- Log in to the Microsoft 365 Exchange Admin Center using admin-level credentials (https://admin.exchange.microsoft.com/#/homepage)
- In the navigation pane on the left, click mail flow. Then click connectors.
- Click + Add a connector
- On the pop-up window that follows, select
From: Partner Organization and To: Office 365. Then click Next
- Under *Name: enter Paubox Inbound. Make sure the checkbox labeled Turn it on is checked, then click Next
- Change the radio button to:"By verifying that the IP address of the sending server..." In the Add ip address field, enter 126.96.36.199/24 then click then the blue box with the + symbol
- Click Next
- On the next screen, keep Reject messages if they aren't using TLS selected, leave the other box unchecked. Click Next.
- On the next screen, click Create Connector
- Next click Done
- The Paubox inbound connector for Microsoft 365 is now live.
Part II: Microsoft Defender - Enable Enhanced Filtering for Connectors ("Skip Listing")
- Open the Microsoft 365 Defender portal
- In the sidebar on the left, click Email & Collaboration
- Click on Policies & Rules => Threat Policies
- In the Rules section, click Enhanced Filtering
- Select the connector just created ("Paubox Inbound")
- In the following popup:
- Select the radio button: Automatically detect and skip the last IP address
- For "Apply to these users" select: Apply to entire organization
- Click Save
Note: If there is a rule in place to bypass SCL (Spam Confidence Level), disable the rule. See Microsoft's full best practices, here.
Part III: Domain Update - MX Record
If your organization’s domain name is example.com, Microsoft Office 365 asks you to setup your MX record like this:
MX 10 example-com.mail.protection.outlook.com.
To get Paubox inbound security going, you’ll need to change your MX record so that it has just one MX record:
<appropriate mx value supplied by Paubox Team during setup>
Note: if there are multiple MX records, edit the record of the lowest value (usually "10") and replace the existing value with mx.paubox.com. Save; then delete all other records of type MX.
This update will start routing all inbound email for your domain to Paubox when the DNS record change finishes propagating.