WatchGuard Email Protection Integration with Microsoft 365
Deployment Overview
This document describes the steps to integrate WatchGuard Email Protection with Microsoft 365.
Platform and Software
The platform and software used in this integration include:
- WatchGuard Email Protection administrative account
- Microsoft 365
- DNS Hosting provider
Integration Topology
This diagram shows the test topology for the WatchGuard Email Protection with Microsoft 365 integration, where Microsoft 365 Mail Server uses the domain ecosys.solutions.
Before You Begin
Before you begin these procedures, make sure that:
- Microsoft 365 Mail Server MX/TXT records are added in the DNS hosting provider.
- Microsoft 365 has added the domain (ecosys.solutions).
- Microsoft 365 Mail Server can send and receive mail using the domain (ecosys.solutions).
Configuration
Set Up the Inbound Email Traffic for Microsoft 365
Configure Email Protection
To configure Email Protection:
- Log in to Email Protection as an administrator.
- From the Scope Selection drop-down list, select the company domain for which you want to configure Microsoft 365 as a destination server.
- From the navigation menu, select Security Settings > Spam and Malware Protection.
The Security Settings - Spam and Malware Protection page opens.
- Select the General Settings tab.
- From the Domain drop-down list, select the domain.
- From the Primary Environment Settings section, set the destination server of incoming email messages.
- Select IP/Hostname.
- In the Destination Server text box, type the destination server address of your Microsoft 365 environment. For steps to get the MX value, go to Get the Microsoft 365 MX and TXT Values.
- Enable IP Addresses of Relay Servers for Outgoing Emails.
- In the text box, type 1.1.1.1.
- Clear the Restrict Email Sending to the Relay Server IP Addresses and Bounce Management (Recommended) check boxes.
- From the User Check section, select SMTP.
- Disable Alternative IP Address for User Check.
- Click Save.
- From the Email Filter Settings section, keep the default settings.
Update the Domain MX Record
When you add WatchGuard Email Protection servers to the MX record for your domain, you can route incoming email messages for your domain to WatchGuard servers. WatchGuard Email Protection servers then filter the email messages and forward them to Microsoft 365. This process takes place before the email messages reach your inbox.
In this example, we use the domain ecosys.solutions and the DNS hosting provider GoDaddy.
To update the MX record for your domain:
- Log in to your DNS hosting provider. Delete the original MX record.
To identify the MX record from Microsoft 365, go to Get the Microsoft 365 MX and TXT Values.
- Add the WatchGuard Email Protection MX records shown in WatchGuard Email Protection Server MX Records. We recommend that you add all the records with different priorities in each range.
In this document, <domain.tld> is ecosys.solutions.
Restrict the Inbound Email Traffic of Your Microsoft 365 Mailboxes
To prevent your Microsoft 365 environment from receiving email messages that our services have not processed, you must configure a connector for inbound email traffic. This connector ensures that Microsoft 365 accepts only messages that come from our IP address range. Any email messages that do not originate from our IP address range are rejected.
To restrict the inbound email traffic of your Microsoft 365 mailboxes:
- Log in to Microsoft 365 admin center.
- From the navigation menu, select Exchange > Mail Flow > Connectors.
- Click Add a Connector.
- From the Connection From section, select Partner Organization.
In the Connection To section, Office 365 is selected by default.
- Click Next.
- In the Name text box, type the connector name. Click Next.
- Select By Verifying That the Sender Domain Matches One of the Following Domains.
- In the text box, type *. Click +.
- Click Next.
- Select the Reject Email Messages if They Aren't Sent Over TLS check box.
- Select the Reject Email Messages if They Aren't Sent from Within this IP Address Range check box.
- In the text box, type the WatchGuard Email Protection Servers IP Address Range.
- Customers in Canada must additionally enter the WatchGuard Email Protection Servers IP Address Range in Canada.
- Click Next.
- Click Create Connector.
- Click Done.
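A check an administrator might run on exported mail logs after the connector is in place, as an added example that is not WatchGuard or Microsoft code: it lists inbound messages whose connecting IP address is outside the WatchGuard Email Protection ranges published on this page, which is the traffic the connector is meant to reject. The CSV column names and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress

# Ranges copied from the IP address tables on this page.
RANGES = ["83.246.65.0/24", *[f"94.100.{n}.0/24" for n in range(128, 144)],
          "173.45.18.0/24", *[f"185.140.{n}.0/24" for n in range(204, 208)]]
CANADA_RANGES = ["108.163.133.224/27", "199.27.221.64/27", "209.172.38.64/27",
                 "216.46.2.48/29", "216.46.11.224/27"]

# Constructed sample export; the column names are hypothetical.
SAMPLE_TRACE = """\
message_id,direction,from_ip
m1,inbound,94.100.132.17
m2,inbound,203.0.113.25
m3,outbound,198.51.100.7
m4,inbound,216.46.2.50
m5,inbound,
"""


def load_networks(include_canada=False):
    """Parse the published CIDR ranges into network objects."""
    cidrs = RANGES + (CANADA_RANGES if include_canada else [])
    return [ipaddress.ip_network(c) for c in cidrs]


def find_bypass(trace_csv, networks):
    """Return (message_id, from_ip) for inbound rows not relayed by the filter."""
    hits = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["direction"] != "inbound":
            continue
        raw = (row.get("from_ip") or "").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            hits.append((row["message_id"], raw))  # empty or malformed: review by hand
            continue
        if not any(ip in net for net in networks):
            hits.append((row["message_id"], str(ip)))
    return hits


if __name__ == "__main__":
    for hit in find_bypass(SAMPLE_TRACE, load_networks()):
        print("not from the filter range:", hit)
```

Pass `include_canada=True` to `load_networks` when the Canadian ranges are also configured on the connector; in the sample, `m4` is then no longer reported.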
Deactivate the Microsoft 365 Spam Filter for the Email Protection IP Address Range
If you want your incoming email messages filtered by our services, you must disable the Microsoft 365 spam filter. If you do not, the Microsoft 365 spam filter classifies incoming email messages to your domains as spam. Our services filter your incoming email messages for spam.
To deactivate the Microsoft 365 spam filter for the Email Protection IP address range:
- Log in to Microsoft 365 admin center.
- Select Security.
The home page of Microsoft 365 Defender opens.
- From the navigation menu, select Email & Collaboration > Policies & Rules.
- Click Threat Policies.
- From the Policies section, click Anti-spam.
- Click Connection Filter Policy (Default).
- Click Edit Connection Filter Policy.
- In the Always Allow Messages From the Following IP Addresses or Address Range: text box, type the WatchGuard Email Protection Servers IP Address Range.
- If the customer is in Canada, you must also include the WatchGuard Email Protection Servers IP Address Range in Canada.
- Click Save.
Set Up the Outbound Email Traffic for Microsoft 365
Update SPF Records
The Sender Policy Framework (SPF) records of your domains must point to Email Protection SPF records. This authorizes Email Protection to send email messages from your domain. Recipients outside your organization can use the SPF record to perform SPF checks on email messages from your domain.
In our example, we use the domain ecosys.solutions and the DNS hosting provider GoDaddy.
Add or edit the following SPF record: v=spf1 include:spf.hornetsecurity.com ~all. It is appended after the Microsoft 365 TXT records. To get the Microsoft 365 TXT value, go to Get the Microsoft 365 MX and TXT Values.
We recommend you perform domain verification in Email Protection after GoDaddy configuration is complete.
To update the SPF record and verify the domain:
- Log in to Email Protection with your administrative credentials.
- From the Scope Selection drop-down list, select the company domain for which you want to configure Microsoft 365 as a destination server.
- From the navigation menu, select Customer Settings > Domains.
- Click Add Domain.
- In the Domain text box, type your domain.
- Click Add.
- Next to the new domain, click >. Click Trigger Verification.
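An offline sanity check for the SPF record described in this section, as an added example that is not WatchGuard or Microsoft code. It applies RFC 7208 rules: a domain may publish only one v=spf1 record, and terms placed after the first `all` are never evaluated. The Microsoft 365 values in the sample TXT records are assumptions constructed for illustration.

```python
import re

# Include term taken from the SPF record on this page.
REQUIRED = "include:spf.hornetsecurity.com"
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample TXT record sets (the Microsoft 365 values are assumptions).
GOOD = ["MS=ms00000000",
        "v=spf1 include:spf.protection.outlook.com include:spf.hornetsecurity.com ~all"]
APPENDED = ["v=spf1 include:spf.protection.outlook.com -all "
            "include:spf.hornetsecurity.com ~all"]
TWO_RECORDS = ["v=spf1 include:spf.protection.outlook.com -all",
               "v=spf1 include:spf.hornetsecurity.com ~all"]


def check_spf(txt_records, required=REQUIRED):
    """Return a list of problems in a domain's TXT records (empty list = OK)."""
    spf = [t.strip() for t in txt_records
           if re.match(r"v=spf1(\s|$)", t.strip(), re.IGNORECASE)]
    if not spf:
        return ["no v=spf1 record published"]
    if len(spf) > 1:
        # RFC 7208 section 4.5: more than one SPF record yields permerror.
        return [f"{len(spf)} v=spf1 records published (permerror)"]
    terms = spf[0].lower().split()[1:]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"))[0] for t in terms]
    problems = []
    # Terms after the first "all" are never evaluated (RFC 7208 section 5.1).
    end = names.index("all") if "all" in names else len(terms)
    if "all" not in names and "redirect" not in names:
        problems.append("no terminating 'all' mechanism")
    elif "all" in names and terms[end] in ("all", "+all"):
        problems.append("'+all' authorizes every sender")
    plain = [t.lstrip("+") for t in terms]
    if required not in plain[:end]:
        state = "after 'all', never evaluated" if required in plain else "missing"
        problems.append(f"{required} {state}")
    # Each of these terms costs a DNS lookup (limit 10); nested includes not counted.
    lookups = sum(1 for n in names[:end] if n in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return problems


if __name__ == "__main__":
    for name, txt in [("good", GOOD), ("appended", APPENDED), ("two", TWO_RECORDS)]:
        print(name, check_spf(txt))
```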
Activate the SPF Check
We recommend you activate the SPF check.
To activate the SPF check:
- Log in to WatchGuard Email Protection with your administrative credentials.
- From the Scope Selection drop-down list, select the company domain for which you want to configure Microsoft 365 as a destination server.
- From the navigation menu, select Security Settings > Email Authentication. Confirm the SPF status of the domain you just added.
- From the Sender Authentication section, enable Activate SPF Check.
- Select For All Incoming Emails.
Create a Connector for the Outbound Email Traffic
To create a connector for the outbound email traffic:
- Log in to Microsoft 365 admin center.
- From the navigation menu, select Admin Centers > Exchange > Mail Flow > Connectors.
- Click Add a Connector.
- From the Connection From section, select Office 365.
- From the Connection To section, select Partner Organization.
- Click Next.
- In the Name text box, type the connector name.
- Click Next.
- Select Only When I Have a Transport Rule Set Up that Redirects Messages to This Connector.
- Click Next.
- Select Route Email Through these Smart Hosts.
- In the text box, type the smart host relay-cluster-eu01.hornetsecurity.com. Click +.
- Click Next.
We recommend the hostname cluster relay-cluster-eu01.hornetsecurity.com. However, customers with a customized Control Panel can instead use the hostname cluster <domain.tld>.relay.cloud-security.net where <domain.tld> is the company primary domain.
For customers in the USA, the hostname cluster relay-cluster-usa01.hornetsecurity.com applies.
For customers in Canada, the hostname cluster relay-cluster-ca01.hornetsecurity.com applies.
- In the Security Restrictions page, keep the default settings.
- Click Next.
- In the text box, type the validation email. Click +.
- Click Validate.
- If the validation is successful, click Next.
- Click Create Connector.
- Click Done.
Manually Set Up a New Transport Rule
Create a rule to forward outgoing email messages to recipients outside of your organization. The outbound email traffic connector is applied to outgoing email messages to recipients outside of the organization.
To set up a new transport rule:
- Log in to Microsoft 365 admin center.
- From the navigation menu, select Admin Centers > Exchange > Mail Flow > Rules.
- Click Add a Rule.
- Click Create a New Rule.
- In the Name text box, type the rule name.
- From the Apply this Rule If drop-down list, select The Recipient > Is External/Internal > Outside the Organization.
- Click Save.
- From the Do the Following drop-down list, select Redirect the Message to > The Following Connector > Your Outbound Connector.
- Click Save.
- Click Next.
- From the Set Rule Settings page, keep the default settings.
- Click Next.
- Click Finish.
- Click Done.
- From the Rules page, select the new rule.
- Enable the new rule.
Test the Integration
To test the integration:
- Send an email message from outside to the WatchGuard Email Protection protected mail server. (Inbound)
- Send an email message from the WatchGuard Email Protection protected mail server to outside. (Outbound)
- Verify that inbound and outbound mail sends and receives successfully.
- Verify that email messages appear in the Email Live Tracking page in WatchGuard Email Protection.
- Add a policy in WatchGuard Email Protection. For example, we added a deny list entry to deny email messages from the watchguard.com domain.
For more information about deny and allow lists, go to Deny & Allow Lists in Email Protection Help.
- Verify that inbound mail is blocked by WatchGuard Email Protection according to the policy you create.
- Verify that outbound mail sends and receives successfully.
- Verify that the expected information appears in the Email Live Tracking in WatchGuard Email Protection.
Advanced Operations
Get the Microsoft 365 MX and TXT Values
To get the Microsoft 365 MX and TXT values:
- Log in to Microsoft 365 admin center.
- Select Settings > Domains > Your Domain Name > DNS Records.
- Double-click MX.
- From the Points to Address or Value section, copy the MX record.
- Select Settings > Domains > Your Domain Name > DNS Records.
- Double-click TXT. The Microsoft 365 TXT record displays. The Email Protection SPF record is appended after the Microsoft 365 TXT record in the GoDaddy configuration.
WatchGuard Email Protection Server MX Records
Europe
The MX records for customers in Europe are:
Domain | Class | Type | Priority | Email server |
---|---|---|---|---|
<domain.tld> | IN | MX | 10 | mx01.hornetsecurity.com |
<domain.tld> | IN | MX | 20 | mx02.hornetsecurity.com |
<domain.tld> | IN | MX | 30 | mx03.hornetsecurity.com |
<domain.tld> | IN | MX | 40 | mx04.hornetsecurity.com |
For customers of the DNS provider 1&1, these MX records apply instead:
Domain | Class | Type | Priority | Email server |
---|---|---|---|---|
<domain.tld> | IN | MX | 10 | mx23a.antispameurope.com |
<domain.tld> | IN | MX | 20 | mx23b.antispameurope.com |
<domain.tld> | IN | MX | 30 | mx23c.antispameurope.com |
<domain.tld> | IN | MX | 40 | mx23d.antispameurope.com |
United States
The MX records for customers in the US are:
Domain | Class | Type | Priority | Email server |
---|---|---|---|---|
<domain.tld> | IN | MX | 10 | mx-cluster-usa01.hornetsecurity.com |
<domain.tld> | IN | MX | 20 | mx-cluster-usa02.hornetsecurity.com |
<domain.tld> | IN | MX | 30 | mx-cluster-usa03.hornetsecurity.com |
<domain.tld> | IN | MX | 40 | mx-cluster-usa04.hornetsecurity.com |
Canada
The MX records for customers in Canada are:
Domain | Class | Type | Priority | Email server |
---|---|---|---|---|
<domain.tld> | IN | MX | 10 | mx-cluster-ca01.hornetsecurity.com |
<domain.tld> | IN | MX | 20 | mx-cluster-ca02.hornetsecurity.com |
<domain.tld> | IN | MX | 30 | mx-cluster-ca03.hornetsecurity.com |
<domain.tld> | IN | MX | 40 | mx-cluster-ca04.hornetsecurity.com |
IP Addresses of WatchGuard Email Protection Servers
WatchGuard Email Protection Servers IP Address Range
83.246.65.0/24 | 94.100.128.0/24 | 94.100.129.0/24 | 94.100.130.0/24 | 94.100.131.0/24 |
94.100.132.0/24 | 94.100.133.0/24 | 94.100.134.0/24 | 94.100.135.0/24 | 94.100.136.0/24 |
94.100.137.0/24 | 94.100.138.0/24 | 94.100.139.0/24 | 94.100.140.0/24 | 94.100.141.0/24 |
94.100.142.0/24 | 94.100.143.0/24 | 173.45.18.0/24 | 185.140.204.0/24 | 185.140.205.0/24 |
185.140.206.0/24 | 185.140.207.0/24 |
WatchGuard Email Protection Servers IP Address Range in Canada
108.163.133.224/27 | 199.27.221.64/27 | 209.172.38.64/27 | 216.46.2.48/29 | 216.46.11.224/27 |