Introduction
This document covers the steps required to integrate Cisco Secure Email with Microsoft 365 for inbound and outbound email delivery.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco Secure Email Gateway or Cloud Gateway
- CLI access to your Cisco Secure Email Cloud Gateway environment
- Microsoft 365
- SMTP
- DNS
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Your Cisco Secure Email welcome letter includes your Cloud Gateway IP addresses and other pertinent information. In addition to the letter shown below, you will also receive an encrypted email with additional details on the number of Cloud Gateways (aka ESAs) and Cloud Email and Web Managers (aka SMAs) provisioned for your allocation. If you have not received or do not have a copy of the letter, please contact ces-activations@cisco.com with your contact information, customer name, and domain name under service.

The IPs are dedicated to each client and are not likely to change without notification. You can use the assigned IPs or hostnames in the Microsoft 365 configuration.
Note: It is highly recommended that you test these settings well before any planned production mail cut-over, because settings may take time to replicate in the Microsoft 365 Exchange console. At a minimum, allow 1 hour for all changes to take effect.
Note: The IP addresses that you see in the screenshot above are proportional to the number of ESAs provisioned to your allocation. For example, xxx.yy.157.139 would be the Data 1 interface IP address for ESA1, and xxx.yy.158.153 would be the Data 1 interface IP address for ESA2. If your welcome letter does not include information for Data 2 (outgoing interface IPs), please contact Cisco TAC to have the Data 2 interface added for your allocation.
Configuring Microsoft 365 with Cisco Secure Email
Configure Incoming Email in Microsoft 365 from Cisco Secure Email
Bypass Spam Filtering Rule
- Log-in to the Microsoft 365 Admin Center (https://portal.microsoft.com)
- In the left-hand menu, expand Admin Centers
- Click Exchange
- From the left-hand menu, navigate to Mail flow > Rules
- Click [+] to create a new rule
- Select Bypass spam filtering... in the drop-down list
- Enter in a name for your new rule: Bypass spam filtering - inbound email from Cisco CES
- For “*Apply this rule if...”, select: The sender - IP address is in any of these ranges or exactly matches
- For the “specify IP address ranges” pop-up, add the IP addresses that are indicated in your Cisco Secure Email welcome letter
- Click OK
- For “*Do the following...”, the new rule has pre-selected: Set the spam confidence level (SCL) to... - Bypass spam filtering
- Click Save
Your bypass spam filtering rule should look similar to the following:

Receiving Connector
- Remain in the Exchange Admin Center
- From the left-hand menu, navigate to Mail flow > Connectors
- Click [+] to create a new connector
- In the "Select your mail flow scenario" pop-up window, choose the following:
- From: Partner organization
- To: Office365
- Click Next
- Enter in a name for your new connector: Inbound from Cisco CES
- Enter a description, if you wish
- Click Next
- Click Use the sender's IP address
- Click Next
- Click [+] and enter the IP addresses that are indicated in your Cisco Secure Email welcome letter
- Click Next
- Select Reject email messages if they aren't sent over TLS
- Click Next
- Click Save
Your receiving connector settings should look similar to the following:
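The same bypass rule and receiving connector can be created from Exchange Online PowerShell; this is an added example, not part of the Cisco document. It assumes the ExchangeOnlineManagement module is installed and uses placeholder addresses in place of the Data 1 IPs from your welcome letter.

```powershell
# Added example (not from the Cisco document): bypass-spam rule and
# receiving connector for mail arriving from Cisco Secure Email.
# Assumption: ExchangeOnlineManagement module installed; the IPs below are
# placeholders for the Data 1 interface IPs in your welcome letter.
Connect-ExchangeOnline

$cesInboundIPs = @("192.0.2.139", "192.0.2.153")   # placeholders

# Mail flow rule: skip Microsoft 365 spam filtering only for mail that
# arrives from the Cloud Gateway addresses (SCL -1 = bypass spam filtering).
New-TransportRule -Name "Bypass spam filtering - inbound email from Cisco CES" `
    -SenderIpRanges $cesInboundIPs `
    -SetSCL -1 `
    -Comments "Mail from Cisco CES is already scanned; do not re-filter."

# Partner inbound connector: identify the gateway by source IP and reject
# mail from those IPs that is not delivered over TLS.
New-InboundConnector -Name "Inbound from Cisco CES" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -SenderIPAddresses $cesInboundIPs `
    -RequireTls $true `
    -Enabled $true

# Verify: RequireTls must be True and the IP list must match the welcome letter.
Get-InboundConnector "Inbound from Cisco CES" |
    Format-List Name, SenderIPAddresses, RequireTls, Enabled
Get-TransportRule "Bypass spam filtering - inbound email from Cisco CES" |
    Format-List Name, SenderIpRanges, SetSCL, State
```

Allow the same replication time noted above before testing; the objects may take up to an hour to take effect.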

Configure Mail from Cisco Secure Email to Microsoft 365
Destination Controls
Impose a self-throttle by adding a delivery domain to Destination Controls. This can be removed later, but these IPs are new to Microsoft 365 and have no sending reputation yet, so it is better for the Gateway to limit its own deliveries than to be throttled by Microsoft.
- Log-in to your Gateway
- Navigate to Mail Policies > Destination Controls
- Click Add Destination
- Use the following settings:
- Destination: enter your domain name
- Concurrent Connections: 10
- Maximum Messages Per Connection: 20
- TLS Support: Preferred
- Click Submit
- Click Commit Changes in the upper right hand of the UI to save your configuration changes
Your final Destination Control Table should look similar to:

Recipient Access Table
Next, set the Recipient Access Table (RAT) to accept mail for your domains:
- Navigate to Mail Policies > Recipient Access Table (RAT)
- Note: Make sure the Listener is for "Incoming Listener," "IncomingMail," or "MailFlow," depending on the actual name of your Listener for your primary mail flow.
- Click Add Recipient
- Add your domains in the Recipient Address field
- Select the default action of Accept
- Click Submit
- Click Commit Changes in the upper right hand of the UI to save your configuration changes
Your final RAT entry should look similar to:

SMTP Routes
You will need to set the SMTP route to deliver mail from Cisco Secure Email to your Microsoft 365 domain:
- Navigate to Network > SMTP Routes
- Click Add Route...
- Receiving Domain: enter your domain name
- Destination Hosts: add your original Microsoft 365 MX record
- Click Submit
- Click Commit Changes in the upper right hand of the UI to save your configuration changes
Your final SMTP Route Settings should look similar to:

DNS (MX record) Configuration
At this point, you are ready to cut over the domain through a Mail Exchange (MX) record change. Work with your DNS administrator to resolve your MX records to the IP addresses for your Cisco Secure Email Cloud instance as provided in your Cisco Secure Email welcome letter.
You will want to verify the change to the MX record from your Microsoft 365 console as well:
- Log-in to the Microsoft 365 Admin console (https://admin.microsoft.com)
- Navigate to Home > Settings > Domains
- Select your default domain name
- Click Check Health
You will see the current "MX Records" according to how Microsoft 365 looks up your DNS and MX records associated with your domain:

Note: In the above example, the DNS is hosted and managed from Amazon Web Services (AWS). As an administrator, you should expect to see a warning if your DNS is hosted anywhere outside of the Microsoft 365 account. You can ignore warnings similar to the above example: “We didn't detect that you added new records to your_domain_here.com. Make sure the records you created at your host exactly match the records shown here..." Following the “step-by-step instructions" will reset the MX records to what was originally configured to redirect to your Microsoft 365 account. Doing so will remove the Cisco Secure Email Gateway from the incoming traffic flow.
Testing Inbound Email
Test inbound mail by sending a message to your Microsoft 365 email address. Check to see that it arrives in your Microsoft 365 email inbox.
Validate the mail logs by using Message Tracking on your Cisco Secure Email and Web Manager (aka SMA) provided with your instance.
To see mail logs on your SMA:
- Log-in to your SMA (https://sma.iphmx.com/ng-login)
- Click Tracking
- Enter the needed search criteria and click Search; you should see results similar to:

To see mail logs in Microsoft 365:
- Log-in to the Microsoft 365 Admin Center (https://admin.microsoft.com)
- Expand Admin Centers
- Click Exchange
- Navigate to Mail flow > Message trace
- Microsoft provides default search criteria. Choose "Messages received by my primary domain in the last day" to start your search query.
- Enter the needed search criteria for recipients and click Search. You should see results similar to:

Configure Outgoing Email from Microsoft 365 to Cisco Secure Email
Configure RELAYLIST on Cisco Secure Email Gateway
Please refer to your Cisco Secure Email welcome letter. A secondary interface will be specified for outbound messages via your ESA.
- Log-in to your Gateway
- Navigate to Mail Policies > HAT Overview
- Note: Make sure the Listener is for "Outgoing Listener," "OutgoingMail," or "MailFlow-Ext," depending on the actual name of your Listener for your external/outbound mail flow.
- Click Add Sender Group...
- Configure the Sender Group as:
- Name: RELAY_O365
- Comment: <<enter a comment if you wish to notate your sender group>>
- Policy: RELAYED
- Click Submit and Add Senders
- Sender: .protection.outlook.com
- Note: The "." (dot) at the beginning of the sender domain name is required
- Click Submit
- Click Commit Changes in the upper right hand of the UI to save your configuration changes
Your final Sender Group settings should look similar to:

Enable TLS
- Click << Back to HAT Overview
- Click the Mail Flow Policy named: RELAYED
- Scroll down and look in the Security Features section for Encryption and Authentication
- For TLS, choose: Preferred
- Click Submit
- Click Commit Changes in the upper right hand of the UI to save your configuration changes
Your final Mail Flow Policy settings should look similar to:

Configure Mail from Microsoft 365 to CES
- Log-in to the Microsoft 365 Admin Center (https://admin.microsoft.com)
- Expand Admin Centers
- Click Exchange
- Navigate to Mail flow > Connectors
- Click [+] to create a new connector
- In the “Select your mail flow scenario” pop-up window, choose the following:
- From: Office365
- To: Partner organization
- Click Next
- Enter in a name for your new connector: Outbound to Cisco CES
- Enter a description, if you wish
- Click Next
- For "When do you want to use this connector?"
- Select: Only when I have a transport rule set up that redirects messages to this connector
- Click Next
- Click Route email through these smart hosts
- Click [+] and enter the outbound IP addresses or hostnames that are indicated in your CES welcome letter
- Click Save
- Click Next
- For "How should Office 365 connect to your partner organization's email server?"
- Select: Always use Transport Layer Security (TLS) to secure the connection (recommended)
- Select Any digital certificate, including self-signed certificates
- Click Next
- You will be presented the confirmation screen
- Click Next
- Use [+] to enter in a valid email address for validating your connector and click OK
- Click Validate and allow the validation to run
- Once complete, click Close
- Click Save
Your outbound connector setting should look similar to:

Create a Mail Flow Rule
- Log-in to your Exchange admin center (https://outlook.office365.com)
- Click on mail flow; you should be on the "rules" tab
- Click [+] to add a new rule
- Select Create a new rule
- Enter in a name for your new rule: Outbound to Cisco CES
- For “*Apply this rule if...”, select: The sender is located...
- For the “select sender location” pop-up, select: Inside the organization
- Click OK
- Click More options...
- Click add condition button and insert a second condition
- Select: The recipient...
- Select: Is external/internal
- For the “select sender location” pop-up, select: Outside the organization
- Click OK
- For “*Do the following...”, select: Redirect the message to...
- Select: the following connector
- And select your “Outbound to Cisco CES” connector
- Click OK
- Return to “*Do the following...”, and insert a second action:
- Select: Modify the message properties...
- Select: set the message header
- Set the message header: X-OUTBOUND-AUTH
- Click OK
- Set the value: mysecretkey
- Click OK
- Click Save
Note: To prevent unauthorized messages from Microsoft, a secret x-header can be stamped when messages leave your Microsoft 365 domain; this header is then evaluated and removed before delivery to the Internet.
Your Microsoft 365 Routing configuration should look similar to:
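The outbound connector and the mail flow rule from the two procedures above can also be created from Exchange Online PowerShell; this is an added example, not part of the Cisco document. It assumes the ExchangeOnlineManagement module is installed, uses placeholder smart-host addresses in place of the Data 2 IPs from your welcome letter, and a placeholder validation mailbox.

```powershell
# Added example (not from the Cisco document): outbound connector to Cisco
# Secure Email and the rule that routes external mail through it.
# Assumptions: ExchangeOnlineManagement module installed; smart hosts are
# placeholders for the Data 2 (outgoing) IPs in your welcome letter; the
# header value must match the one checked by the office365_outbound filter.
Connect-ExchangeOnline

$cesSmartHosts  = @("203.0.113.139", "203.0.113.153")   # placeholders
$outboundSecret = "mysecretkey"                         # same value as in the Gateway filter

# Partner connector used only when a transport rule routes mail to it.
# TlsSettings EncryptionOnly = always use TLS, accept any certificate.
New-OutboundConnector -Name "Outbound to Cisco CES" `
    -ConnectorType Partner `
    -RecipientDomains "*" `
    -UseMXRecord $false `
    -SmartHosts $cesSmartHosts `
    -TlsSettings EncryptionOnly `
    -IsTransportRuleScoped $true `
    -Enabled $true

# Rule: mail from inside the organization to outside recipients is redirected
# through the connector and stamped with the shared-secret header.
New-TransportRule -Name "Outbound to Cisco CES" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector "Outbound to Cisco CES" `
    -SetHeaderName "X-OUTBOUND-AUTH" `
    -SetHeaderValue $outboundSecret

# Validate the connector against an external mailbox, as the wizard does
# (placeholder recipient).
Validate-OutboundConnector -Identity "Outbound to Cisco CES" -Recipients "validate@example.net"

# Confirm TLS is enforced and the rule is scoped the way the filter expects.
Get-OutboundConnector "Outbound to Cisco CES" |
    Format-List Name, SmartHosts, TlsSettings, IsTransportRuleScoped, Enabled
Get-TransportRule "Outbound to Cisco CES" |
    Format-List Name, FromScope, SentToScope, RouteMessageOutboundConnector, SetHeaderName, State
```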

Finally, access the CLI for your Cisco Secure Email Gateway.
Note: CES Customer CLI Access
You will need to create a message filter that inspects for the presence and value of the x-header and removes the header if it exists. If no matching header exists, the message is dropped.
- Log-in to your Gateway via the CLI
- Run the Filters command
- If your Gateway is clustered, hit return to edit the filters in "Cluster" mode
- Use the New operation to create the following message filter, copy, and paste:
    office365_outbound: if sendergroup == "RELAY_O365" {
        if header("X-OUTBOUND-AUTH") == "^mysecretkey$" {
            strip-header("X-OUTBOUND-AUTH");
        } else {
            drop();
        }
    }
- Hit return one time to create a new, blank line
- Enter "." on the new line to end creating your new message filter
- Hit return one time to exit the Filters menu
- Run the Commit command to save the changes to your configuration
Testing Outbound Email
Test outbound mail by sending a message from your Microsoft 365 email address to a recipient at an external domain. Review message tracking on your Cisco Secure Email and Web Manager to confirm it was routed outbound properly.
Note: You may need to review your TLS settings (System Administration > SSL Configuration) on the Gateway and the ciphers used for Outbound SMTP. Cisco Best Practices has the following cipher recommendation:
HIGH:MEDIUM:@STRENGTH:!aNULL:!eNULL:!LOW:!DES:!MD5:!EXP:!PSK:!DSS:!RC2:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES:!SSLv2:!SSLv3:!TLSv1:-aNULL:-EXPORT:-IDEA
An example of Tracking with successful delivery:

Click on More Details to see the full tracking details:

An example of message tracking where the x-header does not match:


Related Information
Cisco Support and Documentation
Security - Cisco Secure Email Gateway - Cisco
Cisco Secure Email, Formerly Email Security - Cisco