WatchGuard Email Protection Integration with Microsoft 365

Deployment Overview

This document describes the steps to integrate WatchGuard Email Protection with Microsoft 365.

Platform and Software

The platform and software used in this integration include:

  • WatchGuard Email Protection administrative account
  • Microsoft 365
  • DNS Hosting provider

Integration Topology

This diagram shows the test topology for the WatchGuard Email Protection with Microsoft 365 integration, where Microsoft 365 Mail Server uses the domain ecosys.solutions.

Topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • Microsoft 365 Mail Server MX/TXT records are added in the DNS hosting provider.
  • Microsoft 365 has added the domain (ecosys.solutions).
  • Microsoft 365 Mail Server can send and receive mail using the domain (ecosys.solutions).

Configuration

Set Up the Inbound Email Traffic for Microsoft 365

Configure Email Protection

To configure Email Protection:

  1. Log in to Email Protection with your administrative credentials.

Screenshot of the WatchGuard Email Protection scope selection

  1. From the Scope Selection drop-down list, select the company domain for which you want to configure Microsoft 365 as a destination server.
  2. From the navigation menu, select Security Settings > Spam and Malware Protection.

Screenshot of the Spam and Malware Protection settings

  1. Select the General Settings tab.
  2. From the Domain drop-down list, select the domain.
  3. From the Primary Environment Settings section, set the destination server of incoming email messages.
    1. Select IP/Hostname.
    2. In the Destination Server text box, type the destination server address of your Microsoft 365 environment. For steps to get the MX value, go to Get the Microsoft 365 MX and TXT Values.
  4. Enable IP Addresses of Relay Servers for Outgoing Emails.
  5. In the text box, type 1.1.1.1.

Screenshot of the WEP configuration

  1. Clear the Restrict Email Sending to the Relay Server IP Addresses and Bounce Management (Recommended) check boxes.
  2. From the User Check section, select SMTP.
  3. Disable Alternative IP Address for User Check.
  4. Click Save.
  5. From the Email Filter Settings section, keep the default settings.

Update the MX Record of Your Domain

When you add WatchGuard Email Protection servers to your domain's MX record, incoming email messages for your domain are routed to our servers. Our servers then filter the email messages and forward them to Microsoft 365. This process takes place before the email messages reach your inbox.

In this example, we use the domain ecosys.solutions and the DNS hosting provider GoDaddy.

To update the MX Record of your domain:

  1. Log in to your DNS hosting provider. Delete your original MX record.
    To identify the MX record from Microsoft 365, go to Get the Microsoft 365 MX and TXT Values.

Screenshot of the Microsoft 365 configuration

  1. Add the WatchGuard Email Protection MX records displayed in WatchGuard Email Protection Server MX Records. We recommend that you add all the records with different priorities in each range.
    <domain.tld> is ecosys.solutions in this document

Screenshot of the Microsoft 365 configuration

Restrict the Inbound Email Traffic of Your Microsoft 365 Mailboxes

To prevent your Microsoft 365 environment from receiving email messages that our services have not processed, you must configure a connector for inbound email traffic. This connector ensures that Microsoft 365 accepts only messages that come from our IP address range. Any email messages that do not originate from our IP address range are rejected.

To restrict the inbound email traffic of your Microsoft 365 mailboxes:

  1. Log in to Microsoft 365 admin center.
  2. From the navigation menu, select Exchange > Mail Flow > Connectors.
  3. Click Add a Connector.

Screenshot of the Microsoft 365 New connector page

  1. From the Connection From section, select Partner Organization.
    In the Connection To section, Office 365 is selected by default.
  2. Click Next.

Screenshot of the Microsoft 365 Connector name page

  1. In the Name text box, type the connector name. Click Next.

Screenshot of the Microsoft 365 Authenticating sent email page

  1. Select By Verifying That the Sender Domain Matches One of the Following Domains.
  2. In the text box, type *. Click +.
  3. Click Next.

Screenshot of the Microsoft 365 Security restrictions page

  1. Select the Reject Email Messages if They Aren't Sent Over TLS check box.
  2. Select the Reject Email Messages if They Aren't Sent from Within this IP Address Range check box.
  3. In the text box, type the WatchGuard Email Protection Servers IP Address Range.
  4. Customers in Canada must additionally enter the WatchGuard Email Protection Servers IP Address Range in Canada.
  5. Click Next.

Screenshot of the Microsoft 365 review connector details

  1. Click Create Connector.
  2. Click Done.

Screenshot of the Microsoft 365 Connectors page
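
The connector's two restrictions can be replayed over exported message records to find mail that should not have been accepted. The following Python is an added example, not WatchGuard or Microsoft code; the row layout (message id, connecting IP, TLS flag) and the sample rows are constructed, and the ranges are the ones listed at the end of this page.

```python
import ipaddress

# Ranges copied from the two IP address range lists at the end of this page.
WEP_RANGES = (["83.246.65.0/24"]
              + [f"94.100.{n}.0/24" for n in range(128, 144)]
              + ["173.45.18.0/24"]
              + [f"185.140.{n}.0/24" for n in range(204, 208)])
WEP_RANGES_CA = ["108.163.133.224/27", "199.27.221.64/27", "209.172.38.64/27",
                 "216.46.2.48/29", "216.46.11.224/27"]

def connector_verdict(source_ip, tls, canada=False):
    """Apply the connector's two Security Restrictions: TLS and source range."""
    cidrs = WEP_RANGES + (WEP_RANGES_CA if canada else [])
    if not tls:
        return "reject: not sent over TLS"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in ipaddress.ip_network(c) for c in cidrs):
        return "reject: source outside Email Protection range"
    return "accept"

def audit_trace(rows, canada=False):
    """Return (message_id, verdict) for every row the connector should reject.

    Any such message that was nevertheless delivered reached the mailbox
    without passing through Email Protection.
    """
    findings = []
    for message_id, source_ip, tls in rows:
        verdict = connector_verdict(source_ip, tls, canada)
        if verdict != "accept":
            findings.append((message_id, verdict))
    return findings

# Constructed sample rows: (message id, connecting IP, sent over TLS?).
SAMPLE_ROWS = [
    ("msg-1", "94.100.134.17", True),   # inside a listed /24
    ("msg-2", "203.0.113.25", True),    # documentation address, not listed
    ("msg-3", "185.140.206.9", False),  # listed range but no TLS
    ("msg-4", "216.46.2.50", True),     # only in the Canada list
]

if __name__ == "__main__":
    for finding in audit_trace(SAMPLE_ROWS):
        print(finding)
```
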

Deactivate the Microsoft 365 Spam Filter for the Email Protection IP Address Range

If you want your incoming email messages filtered by our services, you must disable the Microsoft 365 spam filter. If you do not, the Microsoft 365 spam filter classifies incoming email messages to your domains as spam. Our services filter your incoming email messages for spam.

To deactivate the Microsoft 365 spam filter for the Email Protection IP address range:

  1. Log in to Microsoft 365 admin center.
  2. Select Security.
    The home page of Microsoft 365 Defender opens.
  3. From the navigation menu, select Email & Collaboration > Policies & Rules.

Screenshot of the Microsoft 365 Defender Policies and rules page

  1. Click Threat Policies.

Screenshot of the Microsoft 365 Threat policies page

  1. From the Policies section, click Anti-spam.

Screenshot of the Microsoft 365 Anti-spam policies page

  1. Click Connection Filter Policy (Default).

Screenshot of the Microsoft 365 Connection filter policy (default) dialog box

  1. Click Edit Connection Filter Policy.

Screenshot of the Microsoft 365 Connection filter policy (default) dialog box

  1. In the Always Allow Messages From the Following IP Addresses or Address Range: text box, type the WatchGuard Email Protection Servers IP Address Range.
  2. If the customer is in Canada, you must also include the WatchGuard Email Protection Servers IP Address Range in Canada.
  3. Click Save.

Set Up the Outbound Email Traffic for Microsoft 365

Update SPF Records

The SPF records of your domains must point to Email Protection SPF records. This tells other email servers that Email Protection is authorized to send email messages on behalf of your domain, so that they do not classify your outgoing email messages as spam when the messages are sent from our servers.

In our example, we use the domain ecosys.solutions and the DNS hosting provider GoDaddy.

Add or edit the following SPF record: v=spf1 include:spf.hornetsecurity.com ~all. It is appended after the Microsoft 365 TXT records. To get the Microsoft 365 TXT value, go to Get the Microsoft 365 MX and TXT Values.

Screenshot of the Microsoft 365 configuration

We recommend you perform domain verification in Email Protection after GoDaddy configuration is complete.

To update the SPF record and verify the domain:

  1. Log in to Email Protection with your administrative credentials.
  2. From the Scope Selection drop-down list, select the company domain for which you want to configure Microsoft 365 as a destination server.
  3. From the navigation menu, select Customer Settings > Domains.
  4. Click Add Domain.
  5. In the Domain text box, type your domain.
Screenshot of the Customer Settings - Domains page add domain

  6. Click Add.

Screenshot of the Customer Settings - Domains page trigger verification

  1. Next to the new domain, click >. Click Trigger Verification.
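
Before you trigger verification, the MX and SPF changes described in Update the MX Record of Your Domain and Update SPF Records can be checked together. The following Python is an added example, not part of the WatchGuard procedure; it audits record lists you supply (for example, copied from your DNS provider), uses the Europe MX hosts from this page, and runs on constructed sample records.

```python
# MX hosts for Europe, from "WatchGuard Email Protection Server MX Records".
EU_MX = {f"mx0{i}.hornetsecurity.com" for i in range(1, 5)}
SPF_INCLUDE = "include:spf.hornetsecurity.com"

def audit_dns(mx_records, txt_records, expected_mx=EU_MX):
    """mx_records: (priority, host) pairs; txt_records: TXT strings.
    Returns findings; an empty list means the records match this guide."""
    findings = []
    hosts = {host.rstrip(".").lower() for _, host in mx_records}
    for host in sorted(hosts - expected_mx):
        findings.append(f"MX {host} is not an Email Protection server")
    for host in sorted(expected_mx - hosts):
        findings.append(f"recommended MX {host} is missing")
    priorities = [priority for priority, _ in mx_records]
    if len(set(priorities)) != len(priorities):
        findings.append("MX priorities are not all different")
    # RFC 7208: more than one v=spf1 record makes SPF evaluation a permerror.
    spf = [t for t in txt_records if t.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        findings.append(f"expected one v=spf1 TXT record, found {len(spf)}")
    for record in spf:
        terms = record.lower().split()
        if SPF_INCLUDE not in terms:
            findings.append(f"SPF record lacks {SPF_INCLUDE}: {record}")
        if not terms[-1].endswith("all"):
            findings.append(f"SPF record does not end with an all term: {record}")
    return findings

# Constructed records. spf.protection.outlook.com is Microsoft 365's own SPF
# include; the MS= token and the outlook.com MX host are placeholders.
GOOD_MX = [(10 * i, f"mx0{i}.hornetsecurity.com.") for i in range(1, 5)]
GOOD_TXT = ["MS=ms00000000",
            "v=spf1 include:spf.protection.outlook.com "
            "include:spf.hornetsecurity.com ~all"]
BAD_MX = [(0, "ecosys-solutions.mail.protection.outlook.com."),  # old MX left in place
          (10, "mx01.hornetsecurity.com."), (10, "mx02.hornetsecurity.com."),
          (30, "mx03.hornetsecurity.com.")]
BAD_TXT = ["v=spf1 include:spf.protection.outlook.com -all",
           "v=spf1 include:spf.hornetsecurity.com ~all"]

if __name__ == "__main__":
    for finding in audit_dns(BAD_MX, BAD_TXT):
        print(finding)
```

For the United States, Canada, or 1&1 host lists on this page, pass the matching set as expected_mx.
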

Activate the SPF Check

We recommend you activate the SPF check.

To activate the SPF check:

  1. Log in to WatchGuard Email Protection with your administrative credentials.
  2. From the Scope Selection drop-down list, select the company domain for which you want to configure Microsoft 365 as a destination server.
  3. From the navigation menu, select Security Settings > Email Authentication. Confirm the SPF status of the domain you just added.

Screenshot of the SPF check status

  1. From the Sender Authentication section, enable Activate SPF Check.
  2. Select For All Incoming Emails.

Create a Connector for the Outbound Email Traffic

To create a connector for the outbound email traffic:

  1. Log in to Microsoft 365 admin center.
  2. From the navigation menu, select Admin Centers > Exchange > Mail Flow > Connectors.
  3. Click Add a Connector.

Screenshot of the Microsoft 365 configuration New Connector page

  1. From the Connection From section, select Office 365.
  2. From the Connection To section, select Partner Organization.
  3. Click Next.

Screenshot of the Microsoft 365 configuration Connector Name page

  1. In the Name text box, type the connector name.
  2. Click Next.

Screenshot of the Microsoft 365 configuration Use of Connector page

  1. Select Only When I Have a Transport Rule Set Up that Redirects Messages to This Connector.
  2. Click Next.

Screenshot of the Microsoft 365 configuration Routing page

  1. Select Route Email Through these Smart Hosts.
  2. In the text box, type the smart host relay-cluster-eu01.hornetsecurity.com. Click +.
  3. We recommend the hostname cluster relay-cluster-eu01.hornetsecurity.com. However, customers with a customized Control Panel can instead use the hostname cluster <domain.tld>.relay.cloud-security.net where <domain.tld> is the company primary domain.

    For customers in the USA, the hostname cluster relay-cluster-usa01.hornetsecurity.com applies.

    For customers in Canada, the hostname cluster relay-cluster-ca01.hornetsecurity.com applies.

  4. Click Next.

Screenshot of the Microsoft 365 configuration Security restrictions page

  1. In the Security Restrictions page, keep the default settings.
  2. Click Next.

Screenshot of the Microsoft 365 configuration Validation email page

  1. In the text box, type the validation email. Click +.
  2. Click Validate.
  3. If the validation is successful, click Next.

Screenshot of the Microsoft 365 configuration Review connector page

  1. Click Create Connector.
  2. Click Done.

Screenshot of the Microsoft 365 configuration Connectors page

Manually Set Up a New Transport Rule

Create a rule to forward outgoing email messages to recipients outside of your organization. The outbound email traffic connector is applied to outgoing email messages to recipients outside of the organization.

To set up a new transport rule:

  1. Log in to Microsoft 365 admin center.
  2. From the navigation menu, select Admin Centers > Exchange > Mail Flow > Rules.
  3. Click Add a Rule.

Screenshot of the Microsoft 365 configuration Mail Flow Rules page

  1. Click Create a New Rule.

Screenshot of the Microsoft 365 configuration Set rule conditions page

  1. In the Name text box, type the rule name.

Screenshot of the Microsoft 365 configuration Select recipient location dialog box

  1. From the Apply this Rule If drop-down list, select The Recipient > Is External/Internal > Outside the Organization.
  2. Click Save.

Screenshot of the Microsoft 365 configuration Set rule conditions page

  1. From the Do the Following drop-down list, select Redirect the Message to > The Following Connector > Your Outbound Connector.

Screenshot of the Microsoft 365 configuration transport rule settings page

Screenshot of the Microsoft 365 configuration Select connector dialog box

  2. Click Save.

Screenshot of the Microsoft 365 configuration Set rule conditions page

  3. Click Next.

Screenshot of the Microsoft 365 configuration Set rule settings page

  1. From the Set Rule Settings page, keep the default settings.
  2. Click Next.
  3. Click Finish.
  4. Click Done.
Screenshot of the Microsoft 365 configuration Rules page

  5. From the Rules page, select the new rule.

Screenshot of the Microsoft 365 configuration Rule settings dialog box

  1. Enable the new rule.

Screenshot of the Microsoft 365 configuration Rule settings dialog box

Test the Integration

To test the integration:

  1. Send an email message from outside to the WatchGuard Email Protection protected mail server. (Inbound)
  2. Send an email message from the WatchGuard Email Protection protected mail server to outside. (Outbound)
  3. Verify that inbound and outbound mail sends and receives successfully.
  4. Verify that email messages appear in the Email Live Tracking page in WatchGuard Email Protection.
Screenshot of the Email Live Tracking page

  5. Add a policy in WatchGuard Email Protection. For example, we added a deny list entry to deny email messages from the watchguard.com domain.
    For more information about deny and allow lists, go to Deny & Allow Lists in Email Protection Help.
  6. Verify that inbound mail is blocked by WatchGuard Email Protection according to the policy you created.
  7. Verify that outbound mail sends and receives successfully.
  8. Verify that the expected information appears in the Email Live Tracking page in WatchGuard Email Protection.

Screenshot of the Email Live Tracking page

Advanced Operations

Get the Microsoft 365 MX and TXT Values

To get the Microsoft 365 MX and TXT values:

  1. Log in to Microsoft 365 admin center.
  2. Select Settings > Domains > Your Domain Name > DNS records.
  3. Double-click MX.
  4. From the Points to Address or Value section, copy the MX record.

Screenshot of the Microsoft 365 configuration MX Record dialog box

  1. Select Settings > Domains > Your Domain Name > DNS Records.
  2. Double-click TXT. The Microsoft 365 TXT record displays. The Email Protection SPF record is appended after the Microsoft 365 TXT record in the GoDaddy configuration.

Screenshot of the Microsoft 365 configuration TXT dialog box

WatchGuard Email Protection Server MX Records

Europe

The MX records for customers in Europe are:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx01.hornetsecurity.com
<domain.tld> IN MX 20 mx02.hornetsecurity.com
<domain.tld> IN MX 30 mx03.hornetsecurity.com
<domain.tld> IN MX 40 mx04.hornetsecurity.com

For customers of the DNS provider 1&1, the following MX records apply instead:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx23a.antispameurope.com
<domain.tld> IN MX 20 mx23b.antispameurope.com
<domain.tld> IN MX 30 mx23c.antispameurope.com
<domain.tld> IN MX 40 mx23d.antispameurope.com

United States

The MX records for customers in the US are:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx-cluster-usa01.hornetsecurity.com
<domain.tld> IN MX 20 mx-cluster-usa02.hornetsecurity.com
<domain.tld> IN MX 30 mx-cluster-usa03.hornetsecurity.com
<domain.tld> IN MX 40 mx-cluster-usa04.hornetsecurity.com

Canada

The MX records for customers in Canada are:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx-cluster-ca01.hornetsecurity.com
<domain.tld> IN MX 20 mx-cluster-ca02.hornetsecurity.com
<domain.tld> IN MX 30 mx-cluster-ca03.hornetsecurity.com
<domain.tld> IN MX 40 mx-cluster-ca04.hornetsecurity.com

WatchGuard Email Protection Servers IP Address

WatchGuard Email Protection Servers IP Address Range

83.246.65.0/24 94.100.128.0/24 94.100.129.0/24 94.100.130.0/24 94.100.131.0/24
94.100.132.0/24 94.100.133.0/24 94.100.134.0/24 94.100.135.0/24 94.100.136.0/24
94.100.137.0/24 94.100.138.0/24 94.100.139.0/24 94.100.140.0/24 94.100.141.0/24
94.100.142.0/24 94.100.143.0/24 173.45.18.0/24 185.140.204.0/24 185.140.205.0/24
185.140.206.0/24 185.140.207.0/24      

WatchGuard Email Protection Servers IP Address Range in Canada

108.163.133.224/27 199.27.221.64/27 209.172.38.64/27 216.46.2.48/29 216.46.11.224/27