Dela via


Set up your standalone EOP service

This article explains how to set up standalone Exchange Online Protection (EOP). If you landed here from the Office 365 domains wizard, go back to the Office 365 domains wizard if you don't want to use Exchange Online Protection. If you're looking for more information on how to configure connectors, see Configure mail flow using connectors in Office 365.

Note

This article assumes you have on-premises mailboxes and you want to protect them with EOP, which is known as a standalone scenario. If you want to host all of your mailboxes in the cloud with Exchange Online, you don't have to complete all of the steps in this article. Go to Compare Exchange Online plans to sign up and purchase cloud mailboxes.

If you want to host some of your mailboxes on premises and some in the cloud, this is known as a hybrid scenario. It requires more advanced mail-flow settings. Exchange Server hybrid deployments explains hybrid mail flow and has links to resources that show how to set it up.

What do you need to know before you begin?

  • Estimated time to complete this task: One hour

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

    • Exchange Online Protection permissions: You need the Remote and Accepted Domains role, which is assigned to the Organization Management and Mail Flow Administrator role groups by default.

    • Microsoft Entra permissions: Membership in the Global Administrator role.

      Important

      Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

  • If you aren't already signed up for EOP, visit Exchange Online Protection and choose to buy or try the service.

  • For information about keyboard shortcuts that might apply to the procedures in this article, see Keyboard shortcuts for the Exchange admin center in Exchange Online.

Step 1: Use the Microsoft 365 admin center to add and verify your domain

  1. In the Microsoft 365 admin center at https://admin.microsoft.com, go to Setup > Get your custom domain set up to add your domain to the service.

  2. Follow the steps to add the applicable DNS records to your DNS-hosting provider in order to verify domain ownership.

Add a domain to Office 365 and Create DNS records at any DNS hosting provider for Office 365 are helpful references as you add your domain to the service and configure DNS.

Step 2: Add recipients and optionally enable DBEB

Before configuring your mail to flow to and from the EOP service, we recommend adding your recipients to the service. There are different was to add recipients as documented in Manage mail users in Exchange Online (and EOP).

Also, if you want to enable Directory Based Edge Blocking (DBEB) to enforce recipient verification, you need to set your domain type to Authoritative. For more information about DBEB, see Use Directory Based Edge Blocking to Reject Messages Sent to Invalid Recipients.

Step 3: Use the EAC to set up mail flow

Create connectors in the Exchange admin center (EAC) that enable mail flow between EOP and your on-premises mail servers. For detailed instructions, see Set up connectors to route mail between Microsoft 365 and your own email servers.

To verify mail flow between EOP and your on-premises environment, see Test mail flow by validating your Microsoft 365 connectors.

Step 4: Allow inbound port 25 SMTP access

After you configure connectors, wait 72 hours to allow propagation of your DNS record updates. Then, restrict inbound port-25 SMTP traffic on your firewall or mail servers to accept mail only from the EOP datacenters, specifically from the IP addresses listed at Microsoft 365 URLs and IP address ranges. This step protects your on-premises environment by limiting the scope of inbound messages you can receive. Additionally, if you have settings on your mail server that control the IP addresses allowed to connect for mail relay, update those settings as well.

Tip

Configure settings on the SMTP server with a connection time out of 60 seconds. This setting is acceptable for most situations, allowing for some delay in the case of a message sent with a large attachment, for example.

Step 5: Ensure that spam is routed to each user's Junk Email folder

To ensure that spam (junk) email is routed correctly to each user's Junk Email folder in on-premises Exchange, you need to do a couple of configuration steps to translate EOP spam verdicts to values that on-premises Exchange can use. The steps are provided in Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments.

If you don't want to move messages to each user's Junk Email folder, you can choose a different action by editing your anti-spam policies. For more information, see Configure anti-spam policies in Office 365.

Step 6: Use the Microsoft 365 admin center to point your MX record to EOP

Follow the domain configuration steps to update the MX record for your domain, so that your inbound email flows through EOP. Be sure to point your MX record directly to EOP as opposed to having a third-party filtering service relay email to EOP. For more information, you can again reference Create DNS records for Office 365.

Note

If you must point your MX record to another server or service that sits in front of EOP, see Enhanced Filtering for Connectors in Exchange Online.

How do you know that your MX record points to EOP?

At this point, you've verified service delivery for a properly configured Outbound on-premises connector, and you've verified that your MX record is pointing to EOP. You can now choose to run the following additional tests to verify that an email will be successfully delivered by the service to your on-premises environment:

  • Check mail flow between the service and your environment. For more information, see Test mail flow by validating your Microsoft 365 connectors.
  • Send an email message from any web-based email account to a mail recipient in your organization whose domain matches the domain you added to the service. Confirm delivery of the message to the on-premises mailbox using Microsoft Outlook or another email client.
  • If you want to run an outbound email test, you can send an email message from a user in your organization to an external email service.

Tip

After you've completed the setup steps in this article, you don't need to do extra steps for EOP to protect your organization from spam and malware. However, you can fine tune your settings based on your business requirements. For more information, see Get started with Microsoft Defender for Office 365: Step 2: Configure protection policies.