Configuration for all O365 tenants

Note: This configuration guide uses the “Partner organization” connector type and is suitable for both older and newer O365 tenants. If your Microsoft/O365 tenant is older than Jan 1, 2023, and you need to use the “Your organization” connector type, please refer to our guide for older O365 tenants.


Trustifi admin portal

Step 1 – Verifying the plan and user type

Navigate to the “My Plan” page and verify that your plan type is “PRO” and your access level is “Admin”.


Note: If you don’t have a “Pro” plan, or you do not have admin-level access, please contact support@trustificorp.com


Step 2 – Navigating to “Domains”

On the left-side navigation panel, click on “Outbound Management” and then open the “Plan Settings” page. Then, click on the “Domains” tab at the top.

Adding new domain

This is a quick overview of the domain verification process. To view the full guide click here – https://docs.trustifi.com/docs/domain-verification

Step 3 – Adding a new domain

Now, we will need to add the domain(s) that will be used to send emails. Continue by clicking on the “Add Domain” button.

Step 4 – Verifying the domain

After adding the domain, you will have to copy and import the records to your DNS provider (e.g. DNS Made Easy, GoDaddy).
To view the DNS records, click on “Actions” and then “Show DNS records”. In the pop-up window, the required DNS records will be arranged by “Identity” (TXT record), “DKIM” (CNAME records), and “MAIL FROM” (TXT and MX records).


Pro-tip: You can click on each of the records (name and value) to easily copy them to your clipboard.


Note: You can also click on “Download records CSV” from the “Actions” menu to save these records as a CSV file.


Step 5 – Checking if the domain is verified

Make sure all the required records have been added correctly. Typically, DNS records take only a couple of minutes to propagate and finish updating, but in some cases this process can take up to 24 hours. Once the DNS records have been added and updated, refresh the Trustifi web portal and check the “Domains” tab again. If all records have been added correctly, the “Status” column should now show “Can send” and the “DKIM” and “MAIL FROM” columns should now say “Verified”.



Step 6 – Enabling the outbound email relay

In this part, you will need to enable the outbound Email Relay and copy the “Email Relay key” which is the secret key that will be used to authenticate the transport flow of your emails.
Open the “Plan Settings” page under “Outbound Management”, and you should be on the “Email Flow Integration” tab. Click on the toggle next to “Enable Relay” to enable the integration.


After the integration is enabled, your secret key will be generated. You can click on the “copy” button to copy the Email Relay secret key for later use.

Microsoft Exchange Admin Center

Step 7 – Navigating to the Exchange Admin Center – Mail flow

Navigate to the Exchange admin center and sign in with your admin credentials.
After you have logged in, navigate to the “Mail flow” – “Connectors” page.



Creating a new connector

Step 8 – Adding a new connector

In this section, you will have to create a new connector by clicking on the “Add a connector” button.

Step 9 – Selecting mail flow scenario

Here, you will need to select the mail flow scenario.
Under “Connection from” select “Office 365”, and under “Connection to” select “Partner organization” and continue by clicking “Next”.



Step 10 – Connector name

In the “Name” field, enter the following name: “Trustifi Outbound Connector (Send)”. You can also add a description (optional).
Make sure the “Turn it on” box is checked. Continue by clicking on “Next”.



Step 11 – Use of connector

Select “Only when I have a transport rule set up that redirects messages to this connector” and continue by clicking “Next”.

Step 12 – Routing

Here we will need to add the smart host to which emails will be routed.
First, select the option “Route email through these smart hosts”. Then, in the input field, add the following smart host:
smtp.trustifi.com
Then, click on the “+” icon to add the smart host and click “Next” to continue.

Step 13 – Security restrictions

Now we will need to configure the smart host security settings:

  • Select “Always use TLS” (First checkbox)

  • Select “Issued by a trusted certificate authority (CA)”

  • Check the box for “And the subject name or subject alternative name (SAN) matches this domain name”

  • Enter the following value into the input field: *.trustifi.com

Step 14 – Validating the connector

In this step, Exchange will need to validate the connector by sending an email through it.
Enter an email for an active mailbox that’s on your email server, and click on the “Validate” button.



Step 15 – Validation results

After the connection check is done, a status of “Succeed” or “Failed” will appear for each of the validation tests.
The “Check connectivity” test should succeed. If the status of this test has failed, please check that the smart host address was entered correctly.
If the “Send test email” test fails, it’s OK. This is because we don’t yet have a rule set up to use this connector.
Click on “Next” to continue. You may receive a warning – click “Yes” to confirm and continue.

Step 16 – Review and create connector

Here you will see a review of the connector settings.
Make sure everything looks OK before clicking “Create connector”.
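The connector from steps 8–16 can also be created and checked from Exchange Online PowerShell. This is an added example, not part of Trustifi's guide; it assumes an already connected session (Connect-ExchangeOnline) and uses only the values given in the steps above.

```powershell
# Added example. Assumes an existing Exchange Online PowerShell session
# (Connect-ExchangeOnline) with permission to manage connectors.
$name = 'Trustifi Outbound Connector (Send)'

$connector = @{
    Name                  = $name
    ConnectorType         = 'Partner'           # Step 9: Office 365 -> Partner organization
    Enabled               = $true               # Step 10: "Turn it on"
    IsTransportRuleScoped = $true               # Step 11: only when a transport rule redirects here
    UseMXRecord           = $false              # Step 12: route through a smart host
    SmartHosts            = 'smtp.trustifi.com'
    TlsSettings           = 'DomainValidation'  # Step 13: TLS required, trusted CA, name must match
    TlsDomain             = '*.trustifi.com'
}
New-OutboundConnector @connector

# Read the connector back and compare each security-relevant setting
# with the value the guide asks for.
$c = Get-OutboundConnector -Identity $name
$expected = [ordered]@{
    ConnectorType         = 'Partner'
    Enabled               = 'True'
    IsTransportRuleScoped = 'True'
    UseMXRecord           = 'False'
    SmartHosts            = 'smtp.trustifi.com'
    TlsSettings           = 'DomainValidation'
    TlsDomain             = '*.trustifi.com'
}
$drift = foreach ($key in $expected.Keys) {
    # Flatten single values and collections to one comparable string.
    $actual = (@($c.$key) | ForEach-Object { "$_" }) -join ','
    if ($actual -ne $expected[$key]) {
        [pscustomobject]@{ Setting = $key; Expected = $expected[$key]; Actual = $actual }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'Connector matches the guide.' }
```

The read-back half can be re-run on its own later to confirm that the TLS settings have not been relaxed.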

Modifying “Remote domains” settings

Step 17 – Navigating to the remote domains tab and editing the default

Note: For a detailed explanation of the required changes to “Remote domains”, please read this article.
In this section, we will make some changes to the “Remote domains” settings. These changes are not strictly mandatory for the process but will ensure that all types of email content are delivered correctly using Trustifi.
First, go to “Remote domains” under “Mail flow” and click on the default domain settings.



Step 18 – Editing the RTF settings

In the section that includes “Use rich-text format”, click on “Edit text and character set”.

Step 19 – Changing the RTF settings

Set the following:

  • Under “Use Rich Text format” – select “Never”

  • Under “MIME character set” – select “Unicode (UTF-8)”

  • Under “Non-MIME character set” – select “Unicode (UTF-8)”

Then, click on “Save”.



Step 20 – Editing reply types

Under “Email reply types”, click on “Edit reply types”.



Step 21 – Changing reply types

Under “Out of Office automatic reply types” – select “Allow external and legacy out of office replies”. Then, click on “Save”.

Checking “Accepted Domains” settings

Step 22 – Viewing the “Accepted Domains” settings

First, navigate to “Accepted domains” under “Mail flow”.
Find the domain you are configuring the Email Relay for, and verify that the “Domain type” is set to “Authoritative” and not to “Internal relay”.



Note: The “Internal relay” configuration is almost always used in situations where the domain has at least one mail server that is not synced with O365. If this is not the situation, the recommended configuration is “Authoritative”.

Creating a mail flow rule

Step 23 – Creating a new rule

Now we will need to create a new rule to use the connector.
Navigate to the “Rules” page under “Mail flow” and then click on “Add a rule”.



Step 24 – Naming the rule

First, name the new mail flow rule that will be used for the Trustifi outbound relay.

Step 25 – First condition: sender domain

Under “Apply this rule if”, select “The sender”. Then, in the 2nd menu, select “domain is”.

Step 26 – Selecting the sender domain

Add the domain that will be used to send emails through Trustifi Email Relay. If you have multiple domains under your tenant, add them all here.
After the domain(s) have been added, click on “Save”.



NOTE: Add all the domains you want to be connected through the Trustifi Email Relay here. If you are adding more than one domain, make sure all of these domains have been verified in Trustifi.

Step 27 – Adding new condition

Add a new condition by clicking on the “+” icon next to the first condition.



Step 28 – Second condition: sender location

Once again select “The sender” and select “Is external/internal”.



Step 29 – Selecting sender location

Under “select sender location”, choose “Inside the organization”.
Then, click on “Save”.

Step 30 – First action: redirect to connector

Now we will start selecting the actions to be taken by this rule.
Under “Do the following” – select “Redirect the message to” and then select “the following connector”.



Step 31 – Selecting connector redirection

Under “Select connector”, choose the Trustifi outbound connector which was created earlier.
Then, click on “Save”.

Step 32 – Adding a new action

Add a new action by clicking on the “+” icon next to the first action.



Step 33 – Second action: set a message header

For the new action, select “Modify the message properties” and then select “set a message header”.

Step 34 – Setting the header name

Click on the first “Enter text” link and add the following input:

x-trustifi-creds

Then, click on “Save”.

Step 35 – Setting the header value

Click on the second “Enter text” link, and there add the email relay secret key which you copied in step 6. Then, click on “Save”.

Step 36 – Adding an exception: sender IP

Here we will add an exception to this mail flow rule so that emails which have already been sent by Trustifi are not processed again. This is to avoid email loops.
Under “Except if”, select “Sender is” and then select “IP address is any of these ranges or exactly matches”.

Step 37 – Adding sender IPs

Add the following IPs:

  • 3.93.243.176

  • 3.93.139.220

  • 3.251.32.127

  • 54.195.145.1

  • 52.54.159.237

  • 52.73.143.252

  • 52.89.220.23

  • 52.37.228.167

Then, click on “Save”.



Step 38 – Continue to rule settings

Scroll down to the bottom of the window and click on “Next”.



Step 39 – Rule settings

Set the following additional settings:

  • Under “Severity” – select “High”

  • Check the box for “Stop processing more rules”

  • Check the box for “Defer the message if rule processing doesn’t complete”

  • Under “Match sender address in message” – select “Header and envelope”

Once finished, click on “Next”.



Step 40 – Review and finish

The next page will display a summary of the rule’s conditions, actions, exceptions, and settings.
Make sure that everything looks OK and click “Finish” to create the rule.



Step 41 – Verifying the rule priority order

If you are also connected to the Trustifi inbound relay, you will need to verify that the two Trustifi mail flow rules are in the correct priority order.
To avoid issues with the deliverability of internal emails, the Trustifi inbound mail flow rule has to come after the Trustifi outbound rule, as pictured below:



If the order is incorrect, you can use the “Move up” / “Move down” arrow buttons to change the rule order.
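The mail flow rule from steps 23–40 and the order check from step 41, expressed in Exchange Online PowerShell. This is an added example, not part of Trustifi's guide; it assumes a connected session (Connect-ExchangeOnline), and the rule name and the example.com domain are placeholders chosen for illustration.

```powershell
# Added example. Assumes an existing Exchange Online PowerShell session.
# Placeholders (not from the guide): the rule name and example.com.
$ruleName      = 'Trustifi Outbound Relay'
$senderDomains = @('example.com')        # Step 26: domains already verified in Trustifi

# Step 35: prompt for the Email Relay key so it is not stored in a script file.
$relayKey = Read-Host -Prompt 'Trustifi Email Relay key (from step 6)'

# Step 37: Trustifi sender IPs, excluded so relayed mail is not redirected again.
$trustifiIps = @(
    '3.93.243.176', '3.93.139.220', '3.251.32.127', '54.195.145.1',
    '52.54.159.237', '52.73.143.252', '52.89.220.23', '52.37.228.167'
)

$rule = @{
    Name                          = $ruleName
    SenderDomainIs                = $senderDomains                        # Steps 25-26
    FromScope                     = 'InOrganization'                      # Steps 28-29
    RouteMessageOutboundConnector = 'Trustifi Outbound Connector (Send)'  # Steps 30-31
    SetHeaderName                 = 'x-trustifi-creds'                    # Steps 33-34
    SetHeaderValue                = $relayKey                             # Step 35
    ExceptIfSenderIpRanges        = $trustifiIps                          # Steps 36-37
    SetAuditSeverity              = 'High'                                # Step 39
    StopRuleProcessing            = $true
    RuleErrorAction               = 'Defer'
    SenderAddressLocation         = 'HeaderOrEnvelope'
}
New-TransportRule @rule

# Review the rule without printing the header value (the relay key).
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SenderDomainIs, FromScope,
                RouteMessageOutboundConnector, SetHeaderName,
                ExceptIfSenderIpRanges, StopRuleProcessing,
                RuleErrorAction, SenderAddressLocation

# Step 41: list all rules by priority to confirm the outbound rule
# comes before the Trustifi inbound rule.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```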

Limited Scope Deployment

If you are deploying the outbound relay as a Proof of Concept (PoC), or if you simply do not wish to route all outbound traffic through Trustifi, please follow the instructions in our Limited Scope Deployment guide.