Inbound Security setup for Microsoft 365

Overview

What you’ll need:

1. Trial subscription with Paubox (don't have one? sign up here!)
2. A Microsoft 365 account (Business Basic, Standard, or Premium)
3. Microsoft 365: Admin access to your organization's Microsoft Exchange Admin  (https://admin.exchange.microsoft.com/#/homepage)
4. Domain: Admin access to your organization's domain host (for ex. GoDaddy or Cloudflare)
5. The appropriate mx value for your domain - provided by Paubox during setup

Note: Make sure you can log into Microsoft 365 & domain host as an admin before proceeding. If you don’t have login credentials or permissions, reach out to who set up your Microsoft 365 account and/or website.

What you’ll do:

1. Microsoft 365: Create an inbound routing rule
2. Microsoft 365: Create a connector
3. Domain: Update your domain's mx record

Questions? Stuck? We’re here for you!  support@paubox.com

Step-by-step guide

Part I: Microsoft 365 inbound routing rule

Office 365 may block the connection from Paubox's inbound mail servers to your email environment. In order to allow Paubox to relay inbound emails to your Office 365 environment, please follow the instructions below.

1. In the Admin Center, navigate to Mail flow > Rules.

2. Click + and then select Create a new rule.

3. Give the rule a name Paubox Inbound Security

4. Under Apply this rule if, select The sender and then choose IP address is in any of these ranges or exactly matches.

5. In the specify IP addresses, specify the following IP addresses, click Add +, and then click ok.

   Enter this IP range:  165.140.171.0/24

6. Under Do the following box, set the action by choosing Modify the message properties and then set the spam confidence level (SCL). In the specify SCL box, select Bypass spam filtering, and click ok.

7. Click the save button to save the rule. It appears in your list of rules.

8. You need to enable the rule, and wait about 30 seconds for it to enable.

Part II: Microsoft 365 - create an inbound connector 

1. Log in to the Microsoft 365 Exchange Admin Center using admin-level credentials (https://admin.exchange.microsoft.com/#/homepage)
2. In the navigation pane on the left, click mail flow. Then click connectors.
3. Click + Add a connector 
4. On the pop-up window that follows, select
   From: Partner Organization and To: Office 365. Then click Next
5. Under *Name: enter Paubox Inbound. Make sure the checkbox labeled Turn it on is checked, then click Next
6. Change the radio button to: "By verifying that the IP address of the sending server..."  In the Add ip address field, enter 165.140.171.0/24 then click then the blue box with the + symbol
7. Click Next
8. On the next screen, keep Reject messages if they aren't using TLS selected, leave the other box unchecked. Click Next.
9. On the next screen, click Create Connector 
10. Next click Done
11. The Paubox inbound connector for Microsoft 365 is now live.

Part III: Domain update - MX record

If your organization’s domain name is example.com, Microsoft 365 asks you to setup your MX record like this:

MX 10 example-com.mail.protection.outlook.com.

To get Paubox inbound security going, you’ll need to change your MX record so that it has just one MX record:

<appropriate mx value supplied by Paubox Team during setup>

Note: if there are multiple MX records, edit the record of the lowest value (usually "10") and replace the existing value with the appropriate Paubox mx value. Save; then delete all other records of type MX. 

This update will start routing all inbound email for your domain to Paubox when the DNS record change finishes propagating.