Note: This configuration guide utilizes the “Your organization” connector type and should only be used if your Microsoft/O365 tenant has been created before January 1st, 2023. If your Microsoft/O365 tenant is newer than this, please refer to our main configuration guide for O365.
Trustifi admin portal
Step 1 – Verifying the plan and user type
Navigate to the “My Plan” page and verify that your plan type is “PRO” and your access level is “Admin“.
Note: If you don’t have a “Pro” plan, or you do not have admin-level access, please contact support@trustificorp.com
Step 2 – Navigating to outbound plan settings
Open the “Outbound Management” section on the left-side navigation panel and click on the “Plan Settings” page.
Step 3 – Selecting “Your MTA” architecture
First, open the “Email Flow Integration” tab. Under “Email Flow Architecture“, switch from the default (“Via Trustifi MTA“) to “Via your MTA“.
.png)
Step 4 – Adding your domain and MTA
After selecting “Via your MTA”, In the input field, enter your domain (e.g. “mydomain.com”) and MTA. In the “Port” field enter the number 25, unless you know for certain that your MTA uses a different port to send/receive emails. When all fields have been filled, click on “V” to confirm.
.png)
Step 5 – Enabling the Email Relay
First, verify your domain and MTA have been save correctly. Once ready, click on the toggle to enable the Email Relay.
Step 6 – Copying the Email Relay key
After the integration was enabled, your secret key will be generated. You can click on the “copy” button to copy the Email Relay secret key for later use.
.png)
Microsoft Exchange Admin Center
Step 7 – Navigating to the Exchange Admin Center – Mail flow Connectors
Navigate to the “Exchange admin center” via the following link –https://admin.exchange.microsoft.com/#/. After you have logged in, navigate to the “Mail flow” – “Connectors” page.
Step 8 – Adding new connector
In this section, you will have to create a new connector by clicking on the “Add a connector” button.
Step 9 – Selecting mail flow scenario
Here, you will have to select the mail flow scenario. At “From” select “Office 365”, and at “To” select “Your organization’s email server” and continue by clicking “Next”.
Step 10 – Naming and describing
In the “Name” field, enter the following name: “Trustifi Outbound Connector (Send)“, you can also add a description (optional). Continue by clicking on “Next“.
Step 11 – Use of connector
Select “Only when I have a transport rule set up that redirects messages to this connector” and continue by clicking “Next”.
Step 12 – Routing
Here we will need to add the smart host to which emails will be routed. In the input field, add the following smart host:smtp.trustifi.com Then, click on the “+” icon to add the smart host and click “Next” to continue.
Step 13 – Security restrictions
Now we will need to configure the smart host security settings:
Select “Always use TLS” (First checkbox)
Select “Issued by a trusted certificate authority (CA)”
Check the box for “Add the subject name of subject alternative name (SAN) matches this domain name”
Enter the following value into the input field: *.trustifi.com
Step 14 – Validating the connector
In this step, Exchange will need to validate the connector by sending an email through it. Enter an email for an active mailbox that’s on your email server, and click on the “Validate” button.
Step 15 – Validation results
After the connection check is done, a status of “Succeed” or “Failed” will appear for each of the validation tests. The “Check connectivity” test should succeed. If the status of this test has failed, please check that the smart host address was entered correctly. If the “Send test email” test fails, it’s OK. This is because we don’t yet have a rule set up to use this connector. Click on “Next” to continue. You may receive a warning – click “Yes” to confirm and continue.
Step 16 – Review and create connector
Here you will see a review of the connector settings. Make sure everything looks OK before clicking “Create connector“.
Step 17 – Creating the “receive” connector
First, verify the “Send” connector was created. Then, click on the “Add a new connector” button to open the “New connector” interface.
Step 18 – Selecting a mail flow scenario
Under “Connection from” select “Your organization’s mail server” and under “Connection to” select the default option “Office 365”. Continue by clicking on “Next”.
Step 19 – Naming and describing the connector
In the “Name” field enter the following name – “Trustifi Inbound Connector (Receive)”. In the “Description” field you can add any description you like (optional). Make sure the bottom 2 boxes are checked:
Turn in on
Retain internal Exchange email headers
You can continue by clicking on “Next”.
Step 20 – Authenticating sent email
Here you need to select “By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization”. Add the following IPs and click on the “+” button to add each one:
3.93.243.176
3.93.139.220
52.73.143.252
52.54.159.237
After both IPs have been added, click on “Next” to continue.
Step 21 – Reviewing the connector
Confirm that all settings are correct and finish by clicking on “Create connector”.
Modifying “Remote domains” settings
Step 22 – Navigating to the remote domains tab and editing the default
Note: For a detailed explanation of the required changes to “Remote domains“, please read this article. In this section, we will make some changes to the “Remote domains” settings. These changes are not strictly mandatory for the process but will ensure that all types of email content are delivered correctly using Trustifi. First, go to “Remote domains” under “Mail flow” and click on the default domain settings.
Step 23 – Editing the RTF settings
In the section that includes “Use rich-text format”, click on “Edit text and character set”.
Step 24 – Changing the RTF settings
Set the following:
Under “Use Rich Text format”– select “Never“
Under “MIME character set” – select “Unicode (UTF-8)“
Under “Non-MIME character set” – select “Unicode (UTF-8)“
Then, click on “Save“.
Step 25 – Editing reply types
Under “Email reply types“, click on “Edit reply types“.
Step 26 – Changing reply types
Under “Out of Office automatic reply types” – select “Allow external and legacy out of office replies“. Then, click on “Save“.
Checking “Accepted Domains” settings
Step 27 – Viewing the “Accepted Domains” settings
First, navigate to “Accepted domains” under “Mail flow“. Find the domain you are configuring the Email Relay for, and verify that the “Domain type” is set to “Authoritative” and not to “Internal relay“.
Note: the “Internal relay” configuration is almost always used in situations where the domain has at least one mail server that is not synced with O365. If this is not the situation, the recommended configuration is “Authoritative“.
Creating a mail flow rule
Step 28 – Creating a new rule
Now we will need to navigate to the Rules tab to create a new rule to use the connector.
Step 29 – Naming the rule
First, name the new mail flow rule that will be used for the Trustifi outbound relay.
Step 30 – First condition: sender domain
Under “Apply this rule if“, select “The sender“. Then, in the 2nd menu, select “domain is“.
Step 31 – selecting the sender domain
Add the domain that will be used to send emails through Trustifi Email Relay. If you have multiple domains under your tenant, add them all here. After the domain(s) has been added, click on “Save“.
NOTE: Add here all the domains you want to be connected through the Trustifi Email Relay. In case you are adding more than one domain, make sure all of these domains have been verified in Trustifi.
Step 32 – Adding new condition
Add a new condition by clicking on the “+” icon next to the first condition.
Step 33 – Second condition: sender location
Once again select “The sender” and select “Is external/internal”.
Step 34 – Selecting sender location
Under “select sender location“, choose “Inside the organization“. Then, click on “Save“.
Step 35 – First action: redirect to connector
Now we will start selecting the actions to be taken by this rule. Under “Do the following” – select “Redirect the message to” and then select “the following connector“.
Step 36 – Selecting connector redirection
Under “Select connector“, choose the Trustifi outbound connector which was created earlier. Then, click on “Save“.
Step 37 – Adding a new action
Add a new action by clicking on the “+” icon next to the first action.
Step 38 – Second action: set a message header
For the new action, select “Modify the message properties” and then select “set a message header“.
Step 39 – Setting the header name
Click on the first “Enter text” link and add the following input: x-trustifi-creds. Then, click on “Save“.
Step 40 – Setting the header value
Click on the second “Enter text” link, and there add the email relay secret key which you copied in step 6. Then, click on “Save“.
Step 41 – Adding an exception: sender IP
Here we will add an exception to this mail flow rule to avoid processing emails which have already been sent by Trustifi. This is to avoid email loops. Under “Except if“, select “Sender is” and then select “IP address is any of these ranges or exactly matches“.
Step 42 – Adding sender IPs
Add the following IPs:
3.93.243.176
3.93.139.220
52.54.159.237
52.73.143.252
Then, click on “Save“.
Step 43 – Continue to rule settings
Scroll down to the bottom of the window and click on “Next“.
Step 44 – Rule settings
Set the following additional settings:
Under “Severity” – select “High“
Check the box for “Stop processing more rules“
Check the box for “Defer the message if rule processing doesn’t complete“
Under “Match sender address in message” – select “Header and envelope“
Once finished, click on “Next“.
Step 45 – Review and finish
The next page will display a summary of the rule’s conditions, actions, exceptions, and settings. Make sure that everything looks OK and click “Finish” to create the rule.
Step 46 – Verifying the rule priority order
If you are also connected to the Trustifi inbound relay, you will need to verify the 2 Trustifi mail flow rules are in the correct priority order. To avoid issues with the deliverability of internal emails, the Trustifi inbound mail flow rule has to come after the Trustifi outbound rule, as pictured below:
If the situation is incorrect, you can use the “Move up” / “Move down” arrow buttons to change the rule order.
Step 47 – Updating your SPF record
It is highly recommended to add the following Trustifi IPs to your SPF record: 52.73.143.252, 52.54.159.237. Adding these IPs will help make sure your sent emails appear 100% authenticated.
Step 48 – Limited Scope Deployment
If you are deploying the outbound relay as a Proof of Concept (PoC), or if you simply do not wish to route all outbound traffic through Trustifi, please follow the instructions in our Limited Scope Deployment guide.