Configuration for older O365 tenants

Note: This configuration guide utilizes the “Your organization” connector type and should only be used if your Microsoft/O365 tenant has been created before January 1st, 2023. If your Microsoft/O365 tenant is newer than this, please refer to our main configuration guide for O365.


Step 1 – Navigating to “Email Relay Integration”

First, you will need to log into the Trustifi web portal using your admin credentials. Once logged in, click on “Inbound Management” on the left side navigation bar and then click on the “Plan Settings” page. Go to the “Email Flow Integration” tab and make sure the selected architecture is “via Email Relay”. If you want to create the inbound mail flow integration using an MX record, please see our MX integration guide.

Step 2 – Adding your domain, MTA, and port

Under the “Domain and MTA” section you will need to enter your domain, Mail Transfer Agent (MTA) and port. If you are not sure what your MTA is, you can click “resolve host” to auto-fill the “MTA” field.

The port number will usually be 25.

Note: If you have several domains which should be protected you can add multiple domains with their corresponding MTAs. For each domain, up to 3 MTAs can be added – the first MTA will be used by default and the other 2 will be used as a fallback in case the first MTA fails.

Step 3 – Enabling the Inbound Email Relay

After your domain, MTA, and port have been added, simply click the “Enable” toggle and confirm in the pop-up window.

After the Inbound Email Relay has been enabled, your Email Relay key will be generated. You can copy this key now to use it later in the configuration.

Note: This action will not yet change anything in your server’s inbound mail flow. Mail traffic will only be routed through Trustifi after the mail-flow rule and connectors have been set up.

Step 4 – Navigating to the Exchange Admin Center – Mail flow connectors

Navigate and log into the “Exchange admin center” using your admin credentials. After you have logged in, navigate to the “Mail flow” – “Connectors” page.

Step 5 – Creating the “receive” connector

Click on the “Add a new connector” button to open the “New connector” interface.

Step 6 – Selecting a mail flow scenario

Under “Connection from” select “Your organization’s mail server” and under “Connection to” select the default option “Office 365”. Continue by clicking on “Next”.

Step 7 – Naming and describing the connector

In the “Name” field enter the following name – “Trustifi Inbound Connector (Receive)”. In the “Description” field you can add any description you like (optional). Make sure the bottom 2 boxes are checked:

  • Turn it on

  • Retain internal Exchange email headers

You can continue by clicking on “Next”.

Step 8 – Authenticating sent email

Here you need to select “By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization”. Add the following IPs and click on the “+” button to add each one:

    • 3.93.243.176

    • 3.93.139.220

    • 3.251.32.127

    • 54.195.145.1

    • 52.37.228.167

    • 52.89.220.23

After all IPs have been added, click on “Next” to continue.

Step 9 – Reviewing the connector

Confirm that all settings are correct and finish by clicking on “Create connector”.

Step 10 – Confirming the connector has been added

Confirm the “Trustifi Inbound Connector (Receive)” connector has been added to the connector list.

Step 11 – Creating the “send” connector

Click on the “Add a connector” button to create a new connector.

Step 12 – Selecting a mail flow scenario

Here, you will need to select the mail flow scenario. Under “Connection from” select “Office 365”, and under “Connection to” select “Your organization’s email server” and continue by clicking “Next”.

Step 13 – Naming and describing the connector

In the “Name” field enter the following name – “Trustifi Inbound Connector (Send)”. In the “Description” field you can add any description you like (optional). Make sure the bottom 2 boxes are checked:

    • Turn it on

    • Retain internal Exchange email headers

You can continue by clicking on “Next”.

Step 14 – Use of connector

Select “Only when I have a transport rule set up that redirects messages to this connector” and continue by clicking “Next”.

Step 15 – Routing

Here we will need to add the smart host to which emails will be routed. In the input field, add the following smart host:

inbound-smtp.trustifi.com

Then, click on the “+” icon to add the smart host and click “Next” to continue.

Step 16 – Security restrictions

Now we will need to configure the smart host security settings:

  • Select “Always use TLS” (First checkbox)

  • Select “Issued by a trusted certificate authority (CA)”

  • Check the box for “Add the subject name or subject alternative name (SAN) matches this domain name”

  • Enter the following value into the input field: *.trustifi.com

Step 17 – Validating the connector

In this step, Exchange will need to validate the connector by sending an email through it.

Enter an email for an active mailbox that’s on your email server, and click on the “Validate” button.

Step 18 – Validation results

After the connection check is done, a status of “Succeed” or “Failed” will appear for each of the validation tests. The “Check connectivity” test should succeed.

If the status of this test has failed, please check that the smart host address was entered correctly. If the “Send test email” test fails, it’s OK. This is because we don’t yet have a rule set up to use this connector.

Click on “Next” to continue. You may receive a warning – click “Yes” to confirm and continue.

Step 19 – Reviewing the connector

Confirm that all settings are correct and finish by clicking on “Create connector”.
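Steps 5 to 19 can also be expressed in Exchange Online PowerShell, which makes the connector settings easy to review and reproduce. This is an added example, not a script from Trustifi; it assumes an existing Connect-ExchangeOnline session, and the test mailbox address is a placeholder.

```powershell
# Added example: steps 5-19 as Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and a Connect-ExchangeOnline session.

# Step 8: the six relay IPs listed in this guide.
$trustifiIps = @(
    '3.93.243.176', '3.93.139.220', '3.251.32.127',
    '54.195.145.1', '52.37.228.167', '52.89.220.23'
)

# Steps 5-10: "receive" connector, authenticated by source IP only.
$receive = @{
    Name                     = 'Trustifi Inbound Connector (Receive)'
    ConnectorType            = 'OnPremises'   # "Your organization's mail server"
    SenderDomains            = '*'            # any sender domain, restricted by the IP list
    SenderIPAddresses        = $trustifiIps
    CloudServicesMailEnabled = $true          # "Retain internal Exchange email headers"
    Enabled                  = $true          # "Turn it on"
}
New-InboundConnector @receive

# Steps 11-16: "send" connector, used only when a transport rule selects it.
$send = @{
    Name                     = 'Trustifi Inbound Connector (Send)'
    ConnectorType            = 'OnPremises'
    IsTransportRuleScoped    = $true                        # step 14
    UseMXRecord              = $false
    SmartHosts               = 'inbound-smtp.trustifi.com'  # step 15
    TlsSettings              = 'DomainValidation'           # trusted CA + name match (step 16)
    TlsDomain                = '*.trustifi.com'
    CloudServicesMailEnabled = $true
    Enabled                  = $true
}
New-OutboundConnector @send

# Steps 17-18: connectivity should succeed; the test email may fail until the
# mail flow rule exists.
$testMailbox = 'user@example.com'   # placeholder: an active mailbox in your tenant
Validate-OutboundConnector -Identity $send.Name -Recipients $testMailbox

# Review what was created before moving on.
Get-InboundConnector -Identity $receive.Name |
    Format-List Name, ConnectorType, SenderIPAddresses, CloudServicesMailEnabled, Enabled
Get-OutboundConnector -Identity $send.Name |
    Format-List Name, SmartHosts, TlsSettings, TlsDomain, IsTransportRuleScoped, Enabled
```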

Modifying “Remote domains” settings

Step 20 – Navigating to the remote domains tab and editing the default

Note: For a detailed explanation of the required changes to “Remote domains”, please read this article.

In this section, we will make some changes to the “Remote domains” settings. These changes are not strictly mandatory for the process but will ensure that all types of email content are delivered correctly using Trustifi.

First, go to “Remote domains” under “Mail flow” and click on the default domain settings.

Step 21 – Editing the RTF settings

In the section that includes “Use rich-text format”, click on “Edit text and character set”.

Step 22 – Changing the RTF settings

Set the following:

  • Under “Use Rich Text format” – select “Never”

  • Under “MIME character set” – select “Unicode (UTF-8)”

  • Under “Non-MIME character set” – select “Unicode (UTF-8)”


Then, click on “Save”.

Step 23 – Editing reply types

Under “Email reply types”, click on “Edit reply types”.

Step 24 – Changing reply types

Under “Out of Office automatic reply types” – select “Allow external and legacy out of office replies”. Then, click on “Save”.

Checking “Accepted Domains” settings

Step 25 – Viewing the “Accepted Domains” settings

First, navigate to “Accepted domains” under “Mail flow”.

Find the domain you are configuring the Email Relay for, and verify that the “Domain type” is set to “Authoritative” and not to “Internal relay”.

Note: the “Internal relay” configuration is almost always used in situations where the domain has at least one mail server that is not synced with O365. If this is not the situation, the recommended configuration is “Authoritative”.
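The remote domain changes in steps 20 to 24 and the accepted domain check in step 25 map to the following Exchange Online PowerShell. This is an added example, not a script from Trustifi; it assumes an existing Connect-ExchangeOnline session, and example.com is a placeholder for your protected domain.

```powershell
# Added example: steps 20-25 as Exchange Online PowerShell.

# Steps 21-24: default remote domain settings.
$remote = @{
    Identity            = 'Default'
    TNEFEnabled         = $false            # "Use Rich Text format": Never
    CharacterSet        = 'utf-8'           # "MIME character set": Unicode (UTF-8)
    NonMimeCharacterSet = 'utf-8'           # "Non-MIME character set": Unicode (UTF-8)
    AllowedOOFType      = 'ExternalLegacy'  # "Allow external and legacy out of office replies"
}
Set-RemoteDomain @remote

Get-RemoteDomain -Identity Default |
    Format-List TNEFEnabled, CharacterSet, NonMimeCharacterSet, AllowedOOFType

# Step 25: warn about any protected domain that is not "Authoritative".
$protectedDomains = @('example.com')   # placeholder: the domains added in step 2
Get-AcceptedDomain |
    Where-Object { $protectedDomains -contains "$($_.DomainName)" } |
    ForEach-Object {
        if ("$($_.DomainType)" -ne 'Authoritative') {
            Write-Warning "$($_.DomainName) is '$($_.DomainType)', expected 'Authoritative'"
        }
    }
```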

Creating a mail flow rule

Step 26 – Creating a new rule

Now we will need to navigate to the Rules tab to create a new rule to use the connector.

Step 27 – Naming the rule

First, name the new mail flow rule that will be used for the Trustifi inbound relay.

Step 28 – First condition: recipient domain

Under “Apply this rule if”, select “The recipient”. Then, in the 2nd menu, select “domain is”.

Step 29 – Selecting the recipient domain

Add the domain that will be used to receive emails through Trustifi Email Relay. If you have multiple domains under your tenant, add them all here. After the domain has been added, click on “Save”.

Step 30 – Adding a new condition

Add a new condition by clicking on the “+” icon next to the first condition.

Step 31 – Second condition: recipient location

Once again select “The recipient” and then select “Is external/internal”.

Step 32 – Selecting recipient location

Under “Select sender location”, choose “Inside the organization”.

Then, click on “Save”.

Step 33 – First action: redirect to connector

Now we will start selecting the actions to be taken by this rule.

Note: this guide provides instructions for enabling full protection for inbound emails. If you want to enable Inbound Shield in “Journal” mode only, please see our “Journaling Mode” guide.

Under “Do the following” – select “Redirect the message to” and then select “the following connector”.

Step 34 – Selecting connector redirection

Under “Select connector”, choose the Trustifi inbound send connector which was created earlier.

Then, click on “Save”.

Step 35 – Adding a new action

Add a new action by clicking on the “+” icon next to the first action.

Step 36 – Second action: set a message header

For the new action, select “Modify the message properties” and then select “set a message header”.

Step 37 – Setting the header name

Click on the first “Enter text” link and add the following input: x-trustifi-creds

Then, click on “Save”.

Step 38 – Setting the header value

Click on the second “Enter text” link, and there add the email relay secret key which you copied in step 3.

Then, click on “Save”.

Step 39 – Third action: Require TLS encryption

First, add a new action for the rule. Then select “Modify the message security” and “Require TLS encryption”.

Step 40 – Fourth action: bypassing spam filtering

Add a new action for the rule. Then select “Modify the message properties” and “Set the spam confidence level (SCL)”.

Step 41 – Selecting spam bypass

In the “Specify SCL” window, select “Bypass spam filtering”. Then, click “Save”.

Step 42 – Adding an exception: custom header

Here we will add a couple of exceptions to this mail flow rule to avoid processing emails which have already been sent by Trustifi. This is to avoid email loops.

Under “Except if”, select “The message headers” and then select “includes any of these words”.

Step 43 – Setting the exception header name

Click on the first “Enter text” link and in the pop-up window enter “x-trustifi-inbound-processed” (without the double quotes). Click on “Save” to confirm.

Step 44 – Setting the exception header value

Click on “Enter words” and in the pop-up window enter the word “yes” (without the double quotes). Then click on the “+” icon and “Save” to confirm.

Step 45 – Creating the 2nd exception

Click on the “+” icon next to the first exception to add another exception. Then select “The sender”, and “IP address is in any of these ranges or exactly matches”.

Step 46 – Adding the exception IPs

In the “specify IP address ranges” window, enter the following IPs:

  • 3.93.243.176

  • 3.93.139.220

  • 54.195.145.1

  • 3.251.32.127

  • 52.37.228.167

  • 52.89.220.23

Then, click on “Save”.

Step 47 – Verifying the settings

After both exceptions have been created, take a moment to verify all conditions, actions, and exceptions are correct. If everything looks good, click on “Next”.

Step 48 – Rule settings

Set the following additional settings:

  • Under “Severity” – select “High”

  • Check the box for “Stop processing more rules”

  • Check the box for “Defer the message if rule processing doesn’t complete”

  • Under “Match sender address in message” – select “Header and envelope”

Once finished, click on “Next”.

Step 49 – Review and finish

The next page will display a summary of the rule’s conditions, actions, exceptions, and settings. Make sure that everything looks OK and click “Finish” to create the rule.

Step 50 – Verifying the rule priority order

If you are also connected to the Trustifi outbound relay, you will need to verify the 2 Trustifi mail flow rules are in the correct priority order. To avoid issues with deliverability of internal emails, the Trustifi inbound mail flow rule has to come after the Trustifi outbound rule, as pictured below.
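The mail flow rule from steps 26 to 49, and the priority check from step 50, expressed in Exchange Online PowerShell. This is an added example, not a script from Trustifi; it assumes an existing Connect-ExchangeOnline session and the send connector created earlier, and the rule name and example.com domain are placeholders.

```powershell
# Added example: steps 26-50 as Exchange Online PowerShell.

$trustifiIps = @(
    '3.93.243.176', '3.93.139.220', '54.195.145.1',
    '3.251.32.127', '52.37.228.167', '52.89.220.23'
)

# Step 38: prompt for the Email Relay key from step 3 instead of hard-coding it.
$relayKey = Read-Host 'Trustifi Email Relay key'

$rule = @{
    Name                                = 'Trustifi Inbound Relay'   # placeholder (step 27)
    # Conditions (steps 28-32)
    RecipientDomainIs                   = @('example.com')           # placeholder domain(s)
    SentToScope                         = 'InOrganization'
    # Actions (steps 33-41)
    RouteMessageOutboundConnector       = 'Trustifi Inbound Connector (Send)'
    SetHeaderName                       = 'x-trustifi-creds'
    SetHeaderValue                      = $relayKey
    RouteMessageOutboundRequireTls      = $true
    SetSCL                              = -1                         # bypass spam filtering
    # Exceptions (steps 42-46): skip mail Trustifi has already processed
    ExceptIfHeaderContainsMessageHeader = 'x-trustifi-inbound-processed'
    ExceptIfHeaderContainsWords         = 'yes'
    ExceptIfSenderIpRanges              = $trustifiIps
    # Rule settings (step 48)
    SetAuditSeverity                    = 'High'
    StopRuleProcessing                  = $true
    RuleErrorAction                     = 'Defer'
    SenderAddressLocation               = 'HeaderOrEnvelope'
}
New-TransportRule @rule

# Step 49: review the rule as stored. The header value is the relay key, so it
# is left out of the listing.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, RecipientDomainIs, SentToScope,
        RouteMessageOutboundConnector, SetHeaderName, SetSCL,
        ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords,
        ExceptIfSenderIpRanges, StopRuleProcessing, RuleErrorAction

# Step 50: rules run in ascending Priority, so the Trustifi inbound rule should
# show a higher Priority number than the Trustifi outbound rule.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```

The relay key is stored in the rule as the x-trustifi-creds header value, so anyone with permission to read transport rules can read it.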