Enhanced Filtering for Connectors in Exchange Online
Properly configured inbound connectors are a trusted source of incoming mail to Microsoft 365 or Office 365. But in complex routing scenarios where email for your Microsoft 365 or Office 365 domain is routed somewhere else first, the source of the inbound connector is typically not the true indicator of where the message came from. Complex routing scenarios include:
- Third-party cloud filtering services
- Managed filtering appliances
- Hybrid environments (for example, on-premises Exchange)
Mail routing in complex scenarios looks like this:
As you can see, the message adopts the source IP of the service, appliance, or on-premises Exchange organization that sits in front of Microsoft 365. The message arrives in Microsoft 365 with a different source IP address. This behavior isn't a limitation of Microsoft 365; it's simply how SMTP works.
After you enable Enhanced Filtering for Connectors, mail routing in complex routing scenarios looks like this:
As you can see, Enhanced Filtering for connectors allows IP address and sender information to be preserved, which has the following benefits:
- Improved accuracy for the Microsoft filtering stack and machine learning models, which include:
  - Heuristic clustering
  - Better post-breach capabilities in Automated investigation and response (AIR)
- Able to use explicit email authentication (SPF, DKIM, and DMARC) to verify the reputation of the sending domain for impersonation and spoof detection. For more information about explicit and implicit email authentication, see Email authentication in EOP.
For more information, see the What happens when you enable Enhanced Filtering for Connectors? section later in this article.
Use the procedures in this article to enable Enhanced Filtering for Connectors on individual connectors. For more information about connectors in Exchange Online, see Configure mail flow using connectors.
- We always recommend that you point your MX record to Microsoft 365 or Office 365 in order to reduce complexity. For example, some hosts might invalidate DKIM signatures, causing false positives. When two systems are responsible for email protection, determining which one acted on the message is more complicated.
- The most common scenarios that Enhanced Filtering is designed for are Hybrid environments; however, the mail destined for on-premises mailboxes (outbound mail) will still not be filtered by EOP. The only way to get full EOP scanning on all mailboxes is to move your MX record to Microsoft 365 or Office 365.
- Except for linear inbound routing scenarios where MX points to on-premises servers, adding your on-premises hybrid server IPs to the enhanced filter skip list is not supported in a centralized mail flow scenario. Doing this can cause EOP to scan your on-premises hybrid server emails, adding a compauth header value, and may result in EOP flagging the message as spam. In a configured hybrid environment, there is no need to add them to the skip list. The skip list is primarily intended to address scenarios where there is a third-party device/filter before your Microsoft 365 tenant. For more information, see MX record points to third-party spam filtering.
- Do not put another scanning service or host after EOP. Once EOP scans a message, be careful not to break the chain of trust by routing mail through any non-Exchange server that is not part of your cloud or on-premises organization. When the message eventually arrives at the destination mailbox, the headers from the first scanning verdict might no longer be accurate. Centralized Mail Transport should not be used to introduce non-Exchange servers into the mail flow path.
Configure Enhanced Filtering for Connectors
What do you need to know before you begin?
Include all of the trusted IP addresses that are associated with the on-premises hosts or the third-party filters that send email into your Microsoft 365 or Office 365 organization, including any intermediate hops with public IP addresses. To get these IP addresses, consult the documentation or support that's provided with the service.
If you have mail flow rules (also known as transport rules) that set the SCL to -1 for messages that flow through this connector, you must disable those mail flow rules after you enable Enhanced Filtering for Connectors.
To configure Enhanced Filtering for Connectors, you need to be a member of one of the following role groups:
Enhanced Filtering for Connectors is not supported in hybrid environments that use Centralized Mail Transport.
Use the Microsoft Defender portal to configure Enhanced Filtering for Connectors on an inbound connector
In the Microsoft Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies page > Rules section > Enhanced filtering.
On the Enhanced Filtering for Connectors page, select the inbound connector that you want to configure by clicking on the name.
In the connector details flyout that appears, configure the following settings:
- IP addresses to skip: Choose one of the following values:
  - Disable Enhanced Filtering for Connectors: Turn off Enhanced Filtering for Connectors on the connector.
  - Automatically detect and skip the last IP address: We recommend this value if you have to skip only the last message source.
  - Skip these IP addresses that are associated with the connector: Select this value to configure a list of IP addresses to skip.
    - Entering the IP addresses of Microsoft 365 or Office 365 is not supported. Do not use this feature to compensate for issues introduced by unsupported email routing paths. Use caution and limit the IP ranges to only the email systems that will handle your own organization's messages prior to Microsoft 365 or Office 365.
    - Entering any private IP address defined by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) is not supported. Enhanced Filtering automatically detects and skips private IP addresses. If the previous hop is an email server that's behind a network address translation (NAT) device that assigns private IP addresses, we recommend that you configure NAT to assign a public IP address to the email server.
If you selected Automatically detect and skip the last IP address or Skip these IP addresses that are associated with the connector, the Apply to these users section appears:
- Apply to entire organization: We recommend this value after you've tested the feature on a small number of recipients first.
- Apply to a small set of users: Select this value to configure a list of recipient email addresses that Enhanced Filtering for Connectors applies to. We recommend this value as an initial test of the feature.
  - This value is only effective on the actual email addresses that you specify. For example, if a user has five email addresses associated with their mailbox (also known as proxy addresses), you'll need to specify all five of their email addresses here. Otherwise, messages that are sent to the four other email addresses will go through normal filtering.
  - In hybrid environments where inbound mail flows through on-premises Exchange, you must specify the targetAddress of the MailUser object. For example, email@example.com.
  - This value is only effective on messages where all recipients are specified here. If a message contains any recipients that aren't specified here, normal filtering is applied to all recipients of the message.
When you're finished, click Save.
Use Exchange Online PowerShell or Exchange Online Protection PowerShell to configure Enhanced Filtering for Connectors on an inbound connector
To configure Enhanced Filtering for Connectors on an inbound connector, use the following syntax:
```powershell
Set-InboundConnector -Identity <ConnectorIdentity> [-EFSkipLastIP <$true | $false>] [-EFSkipIPs <IPAddresses>] [-EFUsers "emailaddress1","emailaddress2",..."emailaddressN"]
```
- EFSkipLastIP: Valid values are:
  - $true: Only the last message source is skipped.
  - $false: Skip the IP addresses specified by the EFSkipIPs parameter. If no IP addresses are specified there, Enhanced Filtering for Connectors is disabled on the inbound connector. The default value is $false.
- EFSkipIPs: The specific IP addresses to skip when the EFSkipLastIP parameter value is $false. Valid values are:
  - A single IP address: For example,
  - An IP address range: For example,
  - Classless Inter-Domain Routing (CIDR) IP: For example,

  See the Skip these IP addresses that are associated with the connector description in the previous section for limitations on IP addresses.
- EFUsers: The comma-separated list of recipient email addresses that you want to apply Enhanced Filtering for Connectors to. See the Apply to a small set of users description in the previous section for limitations on individual recipients. The default value is blank ($null), which means Enhanced Filtering for Connectors is applied to all recipients.
This example configures the inbound connector named From Anti-Spam Service with the following settings:
- Enhanced Filtering for Connectors is enabled on the connector, and the IP address of the last message source is skipped.
- Enhanced Filtering for Connectors only applies to the recipient email addresses firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
```powershell
Set-InboundConnector -Identity "From Anti-Spam Service" -EFSkipLastIP $true -EFUsers "email@example.com","firstname.lastname@example.org","email@example.com"
```
Note: To disable Enhanced Filtering for Connectors, use the value $false for the EFSkipLastIP parameter.
For detailed syntax and parameter information, see Set-InboundConnector.
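The following script is an added example (not from the article or from Microsoft) that pilots an explicit skip list on the connector named in the example above: it rejects RFC 1918 entries before the connector is touched, expands each pilot mailbox to all of its SMTP proxy addresses because EFUsers matches only the exact addresses listed, and then lists the enabled SCL -1 mail flow rules that must be disabled afterwards. It assumes an open Exchange Online PowerShell session; the skip-list entries (TEST-NET ranges) and pilot mailbox names are constructed placeholders.

```powershell
# Added example, not from the article or Microsoft. Assumes an open Exchange Online
# PowerShell session (Connect-ExchangeOnline). The connector name is the article's;
# the skip-list entries (TEST-NET ranges) and pilot mailboxes are constructed placeholders.

function Test-SkipListEntry {
    # RFC 1918 addresses are not supported in the skip list, so reject any entry
    # (single IP, "a-b" range, or CIDR block) whose endpoints fall in a private range.
    param([Parameter(Mandatory)][string]$Entry)
    $ips = ($Entry -split '-') | ForEach-Object { ($_ -split '/')[0] }   # endpoints only
    foreach ($ip in $ips) {
        $o = $ip -split '\.' | ForEach-Object { [int]$_ }
        if ($o.Count -ne 4) { throw "Not an IPv4 address: '$Entry'" }
        $private = ($o[0] -eq 10) -or
                   ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
                   ($o[0] -eq 192 -and $o[1] -eq 168)
        if ($private) { throw "RFC 1918 address is not supported in the skip list: '$Entry'" }
    }
    return $true
}

function Get-PilotRecipientAddresses {
    # EFUsers only matches the exact addresses listed, so collect every SMTP proxy
    # address of each pilot mailbox rather than just its primary address.
    param([Parameter(Mandatory)][string[]]$Identity)
    foreach ($id in $Identity) {
        $mbx = Get-Mailbox -Identity $id -ErrorAction Stop
        $mbx.EmailAddresses | Where-Object { "$_" -like 'smtp:*' } |
            ForEach-Object { ("$_" -split ':', 2)[1] }
    }
}

$ConnectorName  = 'From Anti-Spam Service'
$SkipIPs        = @('203.0.113.10', '203.0.113.20-203.0.113.30', '198.51.100.0/28')
$PilotMailboxes = @('pilot1@contoso.example', 'pilot2@contoso.example')

# Fail before changing anything if any skip-list entry is malformed or private.
$SkipIPs | ForEach-Object { $null = Test-SkipListEntry -Entry $_ }

$efUsers = @(Get-PilotRecipientAddresses -Identity $PilotMailboxes | Sort-Object -Unique)

# Explicit skip list (EFSkipLastIP $false) scoped to the pilot recipients only.
Set-InboundConnector -Identity $ConnectorName -EFSkipLastIP $false `
    -EFSkipIPs $SkipIPs -EFUsers $efUsers

# Mail flow rules that set SCL to -1 bypass filtering and must now be disabled.
Get-TransportRule | Where-Object { $_.State -eq 'Enabled' -and $_.SetSCL -eq -1 } |
    Select-Object Name, Priority
```

In a hybrid environment where the pilot recipients are MailUser objects, read each object's ExternalEmailAddress (the targetAddress) from Get-MailUser instead of mailbox proxy addresses, as the previous section requires.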
What happens when you enable Enhanced Filtering for Connectors?
The following table describes what connections look like before and after you enable Enhanced Filtering for Connectors:
| | Before Enhanced Filtering is enabled | After Enhanced Filtering is enabled |
|---|---|---|
| Email domain authentication | Implicit using anti-spoof protection technology. | Explicit, based on the source domain's SPF, DKIM, and DMARC records in DNS. |
| Message header (header name not preserved on this page) | | This header is stamped if skip listing was successful, enabled on the connector, and recipient match happens. The value of this field contains information about the true source address. |
| Message header (header name not preserved on this page) | | This header is stamped if skip listing was enabled on the connector, irrespective of recipient matches. The value of this field contains information about the true source address. This header is used primarily for reporting purposes and to help understand WhatIf scenarios. |
You can view the improvements in filtering and reporting by using the Threat protection status report in the Microsoft Defender portal. For more information, see Threat protection status report.