If your outbound email is being routed through Sophos Gateway and Microsoft 365 simultaneously for a period, you can leave the original SPF record, and add an include statement for Sophos Gateway. If your outbound email is only routed through Sophos Gateway you can use the Sophos Gateway SPF record to replace your existing one. To find out which domain to use, see Sophos SPF domains. When you change your SPF record you must use one of the Sophos domains. If your recipients' mail servers carry out SPF checks, they won't reject your email.įor more information on soft and hard fails, see How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing Sophos SPF domains The command doesn't fail if an IP address doesn't exist, it continues and processes the rest of the IP addresses. You can use a tilde ( ~) before the all parameter instead, for a "soft fail". If your email isn't sent from Sophos Gateway, and your recipients' mail servers carry out SPF checks, they'll reject your mail. You can use a dash ( -) before the all parameter for a "hard fail".
You must understand how to do this and the implications of your choice. You can use the all parameter in different ways. However, if your outbound email is being routed through Sophos Gateway and Microsoft 365 simultaneously for a period, you can add an include statement for Sophos Gateway to your existing SPF record. You can replace your existing SPF record or add to it, depending on your requirements.
You need to update this record in the DNS zone for the relevant domain. Your organization should already have an SPF record for your domains registered with Microsoft 365 (formerly Office 365). It may take up to 24 hours for the changes to propagate. Any Send connectors used for other purposes (e.g archiving) may still need to be turned on. Failure to do this means your outbound email still uses these older Send connectors, and is not routed through Sophos Gateway.
Any digital certificate, including self-signed certificates.Always use Transport Layer Security (TLS) to Secure the Connection.Paste the text into the field and click Save.This is the text you will need to enter into the smart host webpage. Copy and paste the text in Outbound Relay Host.To retrieve the text you need to insert into the smart host, sign in to Sophos Central.Click the + icon to add the smart hosts.Select Route Email Through These Smart Hosts.Enter a value of * to route all outbound emails through Sophos.Click the + icon to add the recipient domains that should use this connector.Select Only when email messages are sent to these domains.Select this option to turn on the Connector.
Optionally, enter a description for the Connector. Select Partner Organization from the drop-down list. Select Office 365 from the drop-down list. Select Mail Flow > Connectors and create a new Connector: Option Click Outbound Settings and copy the Outbound Relay Host address.Then click Configure External Dependencies.In the Outbound Gateway drop-down list, select Microsoft Office 365 and click Save.Select Inbound and Outbound as the direction under Configure Domain.Click Email Security > Settings > Domain Settings/Status.To configure Sophos Gateway to handle outbound routing for Microsoft 365, do as follows:
This section describes how to set up outbound scanning with Sophos Gateway from your Microsoft 365 (formerly Office 365) account.