Inbound Security: Optional M365 Rule to Block Non-MX Mail Delivery
Overview
This inbound security rule blocks incoming mail that attempts to bypass the MX record and deliver directly to the organization’s M365 relay point. With the rule in place, M365 accepts mail only from Paubox MX record IPs.
For example, if your MX record points to Paubox, and Paubox delivers mail to your Microsoft M365 relay point (yourcompany-com.mail.protection.outlook.com), this rule will prevent anyone from sending email directly to yourcompany-com.mail.protection.outlook.com.
Do not modify the existing inbound routing rule for accepting mail from Paubox IPs. Instead, create this additional rule in parallel.
Note: If your MX record contains “mx1” or “mx2”, contact support@paubox.com before proceeding, as the IPs will be different. This rule will apply to all domains on your M365 instance.
Step-by-step guide
- Log in to the Office 365 admin center, and go to Admin centers > Exchange.
- In the left pane, click Mail Flow, and click Rules.
- Click the + symbol, and click Create a new rule.
- In the new rule page, enter a Name to represent the rule: Paubox Non-MX Inbound Blocking
- From the Apply this rule if drop-down menu, select The Sender > Is External/Internal > Outside the organization.
- From the Do the following drop-down menu, select Redirect the message to, and then hosted quarantine. (You could also choose to reject with an NDR, or other options.)
- Next, go to Except if….
  - Select The Sender > Sender’s IP address is in any of these ranges or exactly matches, and enter the Paubox IP range.
  - Enter the Paubox IP range: 165.140.171.0/24
  - Click the + symbol.
  - Click OK.
  - Note: If you have configured trusted mail sources to deliver directly to your M365 inboxes, for example phishing simulation software or on-prem based system alerts, add those IPs here as well.
- Scroll to the Properties of this rule section, and in the Priority field, type: 0
- Under Match sender address in message, select Envelope.
- In the New Rule page, click Stop processing more rules, and click Save to create the rule.
- Enable the rule.
Microsoft 365 is now configured to block any email that does not originate from the Paubox IP address ranges of your MX record.
** Verify the new rule displays at the top of the list of mail flow rules. If the rule is not at the top, click on the rule, and use the “Up” arrow to move the rule to the top of the list.
** Monitor your M365 quarantine to confirm the rule is working as desired.
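
The same rule can also be created and checked from Exchange Online PowerShell. The script below is an added example, not part of the original Paubox guide. It assumes the ExchangeOnlineManagement module is installed; the admin account and the $trustedDirectSenders list are placeholders.

```powershell
# Added example: Exchange Online PowerShell equivalent of the steps above.
# Assumption: the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline -UserPrincipalName 'admin@yourcompany.com'  # placeholder account

$ruleName = 'Paubox Non-MX Inbound Blocking'

# Paubox range from this page, plus any trusted sources that deliver directly
# to M365 (phishing simulation, on-prem alerts). $trustedDirectSenders is a
# placeholder; leave it empty if nothing else delivers directly.
$pauboxRange          = '165.140.171.0/24'
$trustedDirectSenders = @()
$allowedRanges        = @($pauboxRange) + $trustedDirectSenders

$settings = @{
    FromScope              = 'NotInOrganization'  # The Sender > Outside the organization
    Quarantine             = $true                # Redirect the message to hosted quarantine
    ExceptIfSenderIpRanges = $allowedRanges       # Except if sender IP is in these ranges
    SenderAddressLocation  = 'Envelope'           # Match sender address in message
    StopRuleProcessing     = $true                # Stop processing more rules
    Priority               = 0                    # Top of the mail flow rule list
}

# Create the rule once; on later runs update it in place instead of adding a duplicate.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Set-TransportRule -Identity $ruleName @settings
} else {
    New-TransportRule -Name $ruleName -Enabled $true @settings
}

# Read the rule back and check the properties this guide depends on.
$rule = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
$rule | Format-List Name, State, Priority, SenderAddressLocation, ExceptIfSenderIpRanges

if ($rule.Priority -ne 0) {
    Write-Warning 'Rule is not at priority 0; move it to the top of the list.'
}
if ($rule.State -ne 'Enabled') {
    Write-Warning 'Rule exists but is not enabled.'
}
if ($rule.ExceptIfSenderIpRanges -notcontains $pauboxRange) {
    Write-Warning 'Paubox range is missing from the exception list; Paubox mail would be quarantined.'
}
```

Run it again after adding or removing trusted direct senders; the existing rule is updated rather than duplicated.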