ESM for Microsoft 365 MX version with outbound message filtering

⚠️ To ensure proper configuration and avoid any email loss, it is essential to follow the procedure in the specified order. Please note that the configuration of the MX records must be done last.  


To ensure the delivery of messages to the mailbox filtered/relayed by e-securemail, please follow the steps below to specify the required IP address or logical name:


  1. Log in to the domain management interface using the following address: https://www.security-mail.net/
  2. Enter your username and password to access your account.
  3. Navigate to the "Configuration" section, then select "Domain Settings", and finally "Delivery/SMTP".
  4. Update the destination mail server by specifying your Microsoft 365 server address.

Make sure to correctly enter the IP address or logical name followed by the appropriate port.
By default, the port is usually 25, but you can specify a custom port by adding it after the address (e.g., mail.mydomain.com:587).


If you prefer to keep your email flow with us, simply enter "hold" in the appropriate field.

If you have any further questions or encounter difficulties during this procedure, please do not hesitate to contact our support team.


IMPORTANT: Not setting up your SPF may impact your mailings and your correspondents may not receive them.


1. Define the Destination Mail Server

  1. Log in to the domain management interface at https://www.security-mail.net/.
  2. Enter your username and password.
  3. Navigate to Configuration => Domain Settings => Delivery/SMTP and update the destination mail server.


2. Modifying DNS Records (SPF, DKIM and DMARC):

To legitimize sending emails through e-securemail servers, you will need to add the SPF, DKIM and DMARC records described below.

Adding the SPF Record

The SPF record is a line you must add to your DNS server to prevent email spoofing on your domain. This helps reduce the risk of your domain being used for SPAM.

Here is the information you need to add via your registrar (e.g., Gandi, 1&1, OVH…) to create the TXT record for the domain "your-domain-name.com".

(Note: "your-domain-name.com" is used as an example.)

your-domain-name.com 10800 IN TXT "v=spf1 include:includespf.security-mail.net -all"

 

Adding the DKIM Record

The DKIM record ensures that your domain has not been spoofed and that the message has not been altered during transmission.

  1. Generate your DKIM key:

    • Log in to the e-securemail interface.
    • Navigate to Configuration > Domain Settings > DKIM.
  2. Add the DKIM key to your domain’s DNS records:

    • Name: sec-sig-email._domainkey
    • TTL: 3600
    • Format: TXT


Adding the DMARC Record

The DMARC record specifies how a domain should handle emails failing SPF and DKIM checks, providing protection against spoofing and phishing by indicating whether messages should be accepted, quarantined, or rejected.

  1. Generate a DMARC record:

  2. Example DMARC Record:
    Below is an example of a DMARC record for the domain example.com that uses the policy "none" and sends reports to the email address dmarc@secuserve.com:

v=DMARC1; p=none; rua=mailto:dmarc@secuserve.com

This ensures proper email authentication and reporting while protecting your domain from abuse.



Adding a DMARC Record to Your DNS Zone

Once you have generated your DMARC record, you need to add it to your DNS zone.

This can be done by logging into your hosting provider's control panel and accessing the DNS settings for your domain.


 These records can be configured after deployment, provided you do not have a DKIM entry.  


3. 'ESM SPAM' Rule for junk Mail in Microsoft 365:

 To disable the quarantine report and enable junk mail handling in Microsoft 365, you need to create a rule in Microsoft 365.
For more details, refer to the following guide: 'Microsoft 365 Junk Mail Rule'.

4. ESM Outbound Filtering Connector:

Go to the website www.office.com, and click on Sign In.

Once logged in, go to Admin, then select …Show All, choose Exchange, and then Mail Flow.



In the Connectors tab: Create (+) a connector From: Office 365 To: Partner Organization, then click Next.

Give it a name: ESM Outbound Filtering.



 Then click Next, enter * (click the + to add it), then check ‘Only when emails are sent to these domains’, and click Next.  




Routing:

 Next, select ‘Route mail through these smart hosts’ and add (+) smtp.security-mail.net, then click the + to save.  


Security restriction:

 Click Next, then check ‘Always use TLS protocol’, followed by the option ‘Issued by a trusted certificate authority (CA)’, then click Next, and confirm by clicking Next again.  


Validation email:

Now, you need to validate the connector by adding (+) an address, such as support@secuserve.com or an address from your domain, and confirm by clicking OK. A message will appear, indicating that a test email has been sent.



NOTE: If you encounter an error message during validation, bypass this step by clicking Start without validation (image 2). Otherwise, repeat the validation process.  


Start without validation (image 2):


Information:

We recommend using the DKIM protocol for better message deliverability. You can refer to the following article: (How to set up DKIM?)


5. e-securemail IP Whitelisting Procedure

Verify IP Address Permissions in Microsoft 365:

To bypass SPF checks, we strongly recommend adding our IP range to Microsoft 365. For the procedure, please refer to the following manual:

https://support.security-mail.net/help/fr-fr/26-esm-for-microsoft-365-e-securemail-for-microsoft-365/26-procedure-de-whitelistage-de-l-ip-e-securemail


6. Modifying DNS Records (MX):

The protocol that governs email addressing on the Internet relies on information in your DNS: these are the MX records. They are ranked by priority, with the record containing the lowest value typically being your mail server, while higher values are usually the mail relays of your ISP. Relays are used to temporarily receive your messages if your server is unavailable.

We will leverage this property by assigning the Email Filtering Service the lowest priority value, giving it precedence for receiving messages. After processing your messages, the Email Filtering Service will forward them to your mail server. Normally, this is done easily by the person managing your DNS (often your Internet Service Provider, ISP).


Enter the type (MX), the destination, and the priority.

Priority Mail Server
10 france.security-mail.net.
20 europe.security-mail.net.

For certain registrars, it is necessary to add a PERIOD (.) after .net to properly close the record.
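
A pre-cutover check for the DNS records from sections 2 and 6, given as an added example (not e-securemail's own tooling): it parses zone-file style lines and reports every deviation from the SPF, DMARC and MX values shown on this page. The two zones are constructed samples for the page's placeholder domain, and `old-relay.example.net` is a hypothetical leftover relay.

```python
import re
# Hostnames and the SPF include come from this page; both zones are constructed samples.
ESM_INCLUDE = "include:includespf.security-mail.net"
ESM_MX = {"france.security-mail.net", "europe.security-mail.net"}
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(TXT|MX)\s+(.+)$")

def parse_zone(text):
    """Parse 'name TTL IN TYPE rdata' lines into (name, type, rdata) tuples."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            out.append((m.group(1).rstrip(".").lower(), m.group(2), m.group(3).strip().strip('"')))
    return out

def audit(zone_text, domain):
    """Return findings; an empty list means the zone matches the records in this guide."""
    recs, findings = parse_zone(zone_text), []
    spf = [r for n, t, r in recs if t == "TXT" and n == domain and r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # several SPF records make receivers return a permanent error
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    else:
        terms = spf[0].split()
        if ESM_INCLUDE not in terms:
            findings.append("SPF lacks " + ESM_INCLUDE)
        if terms[-1] != "-all":
            findings.append("SPF does not end with -all")
    if not any(t == "TXT" and n == "_dmarc." + domain and r.startswith("v=DMARC1") for n, t, r in recs):
        findings.append("no DMARC record at _dmarc." + domain)
    mx = sorted((int(r.split()[0]), r.split()[1].rstrip(".").lower())
                for n, t, r in recs if t == "MX" and n == domain)
    if not mx:
        findings.append("no MX record")
    for _prio, host in mx:
        if host not in ESM_MX:  # mail delivered to this host skips the filtering service
            findings.append(f"MX {host} is not an e-securemail host")
    return findings

GOOD_ZONE = '''
your-domain-name.com 10800 IN TXT "v=spf1 include:includespf.security-mail.net -all"
_dmarc.your-domain-name.com 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@secuserve.com"
your-domain-name.com 3600 IN MX 10 france.security-mail.net.
your-domain-name.com 3600 IN MX 20 europe.security-mail.net.
'''
BAD_ZONE = '''
your-domain-name.com 10800 IN TXT "v=spf1 include:spf.protection.outlook.com ~all"
your-domain-name.com 3600 IN MX 5 old-relay.example.net.
'''
```

Run `audit()` on the SPF and DMARC lines before touching the MX records, then again on the full zone once the MX change has been made.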



7. Permissions & AD Synchronizations :

It is necessary to log in as an Azure administrator to allow e-securemail to synchronize your directory.

Log in, select the relevant domain, and follow the instructions on your console: https://www.security-mail.net/


Please note: This step includes the activation of remediation.


Remediation?
