Use cases
Configure GMail using Google Workspace for GravityZone Security for Email
Follow these procedure to integrate GravityZone Security for Email with Google Workspace Gmail, for inbound and outbound email delivery.:
To configure GravityZone Security for Email for use with Google Workspace follow the steps below:
Configuring Inbound Mail
Go to Products > GravityZone Security for Email > Product Configuration.
Go to Inbound Mail.
Click the Add button
to add a new delivery route.
Select your Domain from the drop-down list.
Under Cost set route priority to
5
.The cost defines route priority for multiple routes.The lower the number, the higher the priority.
Under Route enter the following:
ASPMX.L.GOOGLE.COM
Update to save changes.
Repeat steps 3 to 7 to add the following routes and associated costs:
ALT1.ASPMX.L.GOOGLE.COM
with the cost of10
ALT2.ASPMX.L.GOOGLE.COM
with the cost of15
ALT3.ASPMX.L.GOOGLE.COM
with the cost of20
ALT4.ASPMX.L.GOOGLE.COM
with the cost of25
The final routes should look similar to the ones in the screenshot below.
Configuring Outbound Mail
Go to Products > GravityZone Security for Email > Product Configuration.
Go to Outbound Mail.
Click the Add
button.
Under Hostname enter the following hostname:
spf://_spf.google.com
Update to save changes.
You should configure GMail using Google Workspace to block any inbound email that does not originate from the GravityZone Security for Email (EMS) product. However, you will need to do this via a two-step process. This section is split into two sections – prior MX record change and post MX record change.
Prior to changing MX records
Before changing MX records it is recommended that the GravityZone Security for Email IP addresses are added to the inbound gateway so that when MX records are changed all messages are not quarantined.
Note
You may already have inbound gateway entries listed. If this is the case you need to append the entries below to the existing list and then remove the existing entries once the MX records have been changed.
Follow the steps below:
Login to the Google Workspace Admin Console with an administrators account.
Click on the Menu button
.
Select Admin > Apps > Google Workspace.
Click on GMail to take you to Settings for Gmail.
Click on Advanced Settings at the bottom of the page.
Scroll down to Spam, phishing, and malware and configure/edit the Inbound Gateways.
Add a Name to the Inbound setting.
Add the IP addresses for our service and click Save.
Note
You can find a list of our IP addresses here:
The entries should look like this if using the EU servers:
Note
Ensure you do not check the Reject all mail not from gateway IPs box.
At the bottom of the Advanced Settings page, click Save to apply the changes.
Ensure that this configuration is replicated to Google Workspace before changing any MX records.
Note
It can take up to an hour for changes to propagate to user accounts for GMail using Google Workspace You can track changes in the Admin console audit log.
Post MX record change
Once MX records have been changed and replicated to the internet email should start flowing through the GravityZone Security for Email product. You can verify this via the GravityZone Security for Email Activity reports and charts. You can also check this in the Google Workspace portal by following these steps:
Login to the Google Workspace Admin Console with an administrators account.
Click on the Menu button
.
Select Admin > Apps > Google Workpace.
Click on GMail to take you to Settings for Gmail.
Click on Setup.
Check that the MX records match the below:
Additional Options
By default, Gmail using Google Workspace will still scan all emails for spam. If you do not want Google Workspace to quarantine any of the messages, you can whitelist the GravityZone Security for Email service IP’s. To do this follow these steps:
Login to the Google Workspace Admin Console with an administrators account.
Click on the Menu button
.
Select Admin > Apps > Google Workpace.
Click on GMail to take you to Settings for Gmail.
Click on Advanced Settings at the bottom of the page.
Scroll down to Spam, phishing, and malware and under Email whitelist add the GravityZone Security for Email service IP addresses:
The entries should look like this if using the EU servers:
At the bottom of the Advanced Settings page, click Save to apply the changes
Warning
If there are valid reasons for inbound messages to be delivered direct to Google Workspace the IP addresses of the sending servers should be added to the Inbound Gateways section prior to making this change. Failure to do so will block messages coming from those servers.
Login to your Google Workspace Admin Console with an administrator account.
Click on the Menu button
.
Select Admin > Apps > Google Workpace.
Click on GMail to take you to Settings for Gmail.
At the bottom of the page, click Advanced Settings.
Go to Hosts > Add Route.
Enter a Name for the route, such as GravityZone Security for Email Outbound.
In the Specify email server select Multiple hosts.
Add a primary entry for each of the outbound servers based on your region.
For US and ROW open ports
25
and587
and add the following hosts:smtp1.us.scanscope.netsmtp2.us.scanscope.net
For EU open ports
25
and587
and add the following hosts:smtp1.scanscope.netsmtp2.scanscope.net
Click Save.
Navigate back to General settings > Routing > Routing section.
Click Configure for routing.
The Add settings option appears.
Enter a Name for the rule, such as GravityZone Security for Email Outbound Rule.
Under Messages to affect(section 1), select Outbound.
Under For the above types of messages, do the following(section 3), select Change route.
Change Normal routing to GravityZone Security for Email Outbound Rule, created above.
(Optional)Under Encryption (onward delivery only), select Require Secure Transport (TLS).
Click Add Settings or Save if you are editing an existing configuration.
At the bottom of the Advanced Settings page, click Save to apply changes.
Note
It can take up to one hour for your settings to come into effect. You can track changes in the Admin console audit log.
Login to the Google Workspace Admin Console with an administrators account.
Click on the Menu button
.
Select Admin > Apps > Google Workpace.
Click on GMail to take you to Settings for Gmail.
Click on Hosts section.
Click on the Add Route button.
Give the route a Name like “Google Internal”.
In the Specify Email server select Multiple hosts.
Add a primary entry for each of the GMail Servers listed below:
aspmx.l.google.com alt1.aspmx.l.google.com alt2.aspmx.l.google.com alt3.aspmx.l.google.com alt4.aspmx.l.google.com
Click Save.
Go to the General setting tab and scroll to the Routing setting in the Routing section.
Click on Add Another for Routing. This will open up a new Add setting option.
Enter a name like Internal Route.
Select the checkbox for Internal – Sending in Messages to affect.
Select only affect specific envelope recipients and define a REGEX for your internal domain.
Note
For multiple domains you can add them into the regex in this format:
.*@firstdomain\.com|.*@seconddomain\.co\.uk
Select Change route in For the above types of messages, to do the following.
Change the Normal routing to the one created above.
Click on Show Options at the bottom of this page and Select Users and Groups” under Account types to affect:
Click the Add Setting button, then click Save.
At the bottom of the Advanced Settings page, click Save.
Note
Now all internal mail is routed directly to Google servers, and all other mail routes through the GravityZone Security for Email Outbound Gateway.
Video tutorials
Configure outbound DKIM
DomainKeys Identified Mail (DKIM) adds a digital signature to safeguard the email content of your outbound source. Configuring DKIM increases your domain reputation with different providers.
Each domain covered by GravityZone Security for Email will have its own key, so each domain will need to be configured before it can be DKIM-enabled.
Note
GravityZone Security for Email comes with a default system Message Rule called Apply DKIM which is enabled by default; however, outbound messages won't be signed unless you have configured outbound DKIM, by following the steps below.
Go to Products > Product Configuration > Domains.
To view the DKIM public key, click on the view
button. Click the icon next to the domain you wish to configure to display the DKIM.
Write a DNS txt entry for the domain.
Note
You need to create a txt record for
ussems._domainkey.xxxxxx
, where xxxxxx is your domain name.Here is an example of what should be seen on a
nslookup
. This entry should match the entry found in step 2.Repeat steps 1 to 3 for all of your domains and then wait for the domain TTL to expire.
Return to the Domains section and click the Verify and Enable DKIM button. The DKIM status will be updated to Success if the DKIM key can be verified against the domain DNS. At least one domain must have DKIM verified in order to enable DKIM on your account.
Note
If you remove all DKIM verified domains, or wish to disable DKIM on your account please remember to verify DKIM again. If no domains can be verified then DKIM will be fully disabled.
If you want outbound mail to be DKIM-signed for some, but not all, of the domains on your account, follow the steps below.
Go to Products > Custom Rule Data.
Click the New button at the bottom of the screen and select Rule Data
Enter a name, and Click Update.
Add the domain(s) for which you would like to enable DKIM under Value.
Note
Keep each domain as a separate line.
Click Save.
A window appears with your domain’s DKIM key (public key).
Go to Products > Message Rules.
Click the Add Rule button.
Enter a name click the Add button.
Configure the new rule:
Add the following conditions:
Condition name
Match type
Condition value
Direction
Matches
Outbound
DKIM Enabled
Matches
Enabled
Sender
Matches
Select the Custom Rule Data previously created at step 3.
Add the following action:
Action name
Value
DKIM Signing
RSA Key
Click Save.
Drag the rule to top of the Message Rules list to give it the highest priority.
Search for the Apply DKIM signing system message rule in the Message Rule list and click the On button to turn the rule off.
Configure outbound email for Exchange 2016
It is important that you configure your Exchange connectors to send outbound email out through the MailSafe service. This ensures that both your outbound traffic is scanned and your traffic is profiled to help improve spam filtering. This article explains how to configure your connectors correctly.
Login to the Microsoft Exchange Server as an administrator.
Open Exchange Admin Center by visiting https://your-exchange-servers-hostname/ecp.
In the left Pane, select mail flow ⟶ Connectors.
Select the + icon to create a new send connector.
Enter an identifiable name for your connector such as Email Security Mail Relay.
Ensure the type is set to Custom.
Select Next.
Specify the mail to be relayed by the option Route mail through smart hosts.
Select the +” icon to create a new smart host.
Create connectors for each sending hosts in the appropriate cluster - either US or EU.
Select Next.
Ensure Smart Host Authentication is set to None.
Select Next.
For the Address space, select the + button to add a domain.
Enter the FQDN as
*
and change the cost to10
.Click Save.
On the Source Server page, add any other Exchange Servers that should be able to send email to this connector by hitting the + button. In most cases where there is only one server, the server will already be added. Click Next.
Click Finish.
Configure outbound DMARC
GravityZone Security for Email provides the ability to participate in DMARC (Domain Message Authentication Reporting and Conformance) for email authentication.
Note
For more information refer to How DMARC works.
Before configuring any DMARC DNS entry, you must ensure that the following are true:
You have enabled DKIM for each domain in your account.
You have enabled SPF for each domain in your account.
Note
For more information on SPF records see:
Create a DNS Resource Record of type TEXT
with a record name like _dmarc.domain.TLD
. For example, the Resource Record name for domain testdomain.co.uk
is _dmarc.testdomain.co.uk
.
Note
The record name must start with _dmarc
(including the underscore).
The text content of a simple starter record should be similar to:
v=DMARC1; p=none; ruf=mailto:[email protected]; aspf=s
aspf=s
specifies "strict" checking of SPF (the default is "relaxed").ruf=
provides the email address to which DMARC failure reports should be sent.p=none
specifies a policy of "none" - the recipient should not reject or quarantine any messages simply because they do not align with this DMARC policy. The recipient could of course reject or quarantine the messages for other reasons.
You should start to receive reports to the email address you specified every 24 hours. After reviewing the reports and confirming that valid messages from your domains do pass evaluation, you may then request that recipients act on messages that do not align with the policy, by changing the policy to quarantine or reject.
Receive notifications for add on licensing expiration
Configure Inbound mail on Office 365 to reject non-EMS emails
You should configure Office 365 to block any inbound email that does not originate from GravityZone Security for Email product. There are two options available discussed below. The option best suited to you depends on your environment and requirements.
This method will allow the GravityZone Security for Email server IP addresses to deliver emails even if spam filtering is enabled in Office 365. This will ensure emails processed by the GravityZone Security for Email product are delivered without delay and do not land in the junk mailbox folder for Office 365 users.
Note
Your EMS account must have an inbound TLS rule for this option to complete successfully.
Login to Office 365 Exchange Admin Center and go to Admin Centers > Classic Exchange Admin Center.
Go to Protection > Connection Filter.
Edit the Default entry and navigate to the Connection Filtering tab.
In the Allowed IP Address section, add all of the IP addresses for the GravityZone Security for Email region you are using - see Europe, United States.
Click Enable Safe List and then Save.
Note
Office 365 is now configured to block any email that does not originate from EMS.
Using a rule provides more flexibility than just using IP address, for example you could control based on email address or attachment Depending on your requirements or environment this may be the best option, if you have other means to restrict direct connection to your Office 365 tenant other than just IP address.
Log in to the Office 365 Admin Center, and go to Admin Centers > Exchange.
In the left-hand pane, click Mail Flow and then Rules.
Click + and then click Create a new rule.
In the New Rule page, enter a Name to represent the rule. For example,
Email Security IP restriction
.Scroll down and click More options.
From the Apply this rule if drop-down menu, select The Sender, Is External/Internal and Outside the organization.
From the Do the following drop-down menu, select Block the message and Reject the message with the Explanation.
Click Enter text and enter the message that you want to include in the non-delivery report (NDR) that will be sent to the email's sender. For example:
IP restricted, not using MX record. Please ensure your DNS is up-to-date and try sending this message again.
Click Add exception.
Select Sender and then Sender's IP address is in the range or exactly matches, and enter the GravityZone Security for Email IP for your cluster - see Europe, United States.
Click + to add each of the IP addresses for your region.
Once all the IP addresses have been added, click OK.
Scroll to the Properties of the rule section. Under Match sender address in message, select Header or Envelope.
Click Stop processing more rules.
Click Save.
Verify that the new rule displays at the top of the list of mail flow rules. If it's not at the top, select the rule and use the Up arrow to move it.
Note
Office 365 is now configured to block any email that does not originate from EMS.
Working with LinkScan
LinkScan is a feature that adds an additional security layer to incoming e-mails. All contained URLs are rewritten to redirect users to the LinkScan domain, where the URL is scanned and checked for threats, including deep redirect scanning and document detection.
GravityZone Security for Email implements this feature through the LinkScan action, which, when triggered, rewrites all the URLs contained in an email. To implement the feature, you need to have a Message Rule set in place that applies this action to your messages based on specific conditions.
Rewriting URLs
URLs inside emails are rewritten so that they will pass through the linkscan.io
domain before taking the user to the original destination. A rewritten URL has the following format:
https://lsems.gravityzone.bitdefender.com/scan/<string>
When a user clicks a rewritten URL, the LinkScan service checks the underlying URL against multiple threat intelligence feeds:


Creating a LinkScan rule
To create a new LinkScan rule, follow the steps below:
Go to Products > GravityZone Security for Email > Message Rules.
Click the Add Rule
button at the upper right side of the screen.
Add a descriptive name for the rule and click the Add
button.
Add a Direction condition and set it to Inbound.
(optional) Add a Sender In List condition and set it to Does Not Match: All Safe Lists.
Note
This condition will exclude all emails received from senders included in your Safe lists from LinkScan URL rewriting and is not mandatory for the rule to function properly.
Add a LinkScan action and set it to Click to Continue, Block on threat, Hide target URL with Doc Scan.
Note
This is the most restrictive setting. You can find more information on the other available settings here.
Click the Save
button.
Creating exclusions
You can exclude emails from specific users by adding the user's email address to your company's Safe lists. URLs contained in emails received from this user will not be rewritten.
To exclude a specific URL follow the steps below:
Go to Products > GravityZone Security for Email > Custom Rule Data.
Click the Add New button at the upper lower side of the screen and select Rule RegEx.
Give the rule a descriptive name and click Update.
Add the URL you want excluded in the following format:
\b(URL)\b
. Add a forward slash/
before each period.
character and use|
to separate multiple URLs.Example 6. Exclude google.com\b(google\.com)\b
Example 7. Exclude google.com and www.yahoo.com\b(google\.com)\b|\b(www\.yahoo\.com)\b
Click the Save button.
Go to Products > GravityZone Security for Email > Message Rules.
Start editing the LinkScan rule by double-clicking it.
Add a Body condition, set it to Does not match and select the name of the Custom Rule Data you created.
Click the Save button in the upper rights side of the screen.
Configure Office 365 for GravityZone Security for Email
Follow these procedures to integrate GravityZone Security for Email with Office 365, for inbound and outbound email delivery.
To configure GravityZone Security for Email for use with an Office 365 account follow the steps below:
1. Configure GravityZone Security for Email Inbound Mail
Go to Products > GravityZone Security for Email > Product Configuration.
Go to Inbound Mail.
Click Add to add a new delivery route.
Select your Domain from the drop-down list.
Under Cost set route priority.
The cost defines route priority for multiple routes.The lower the number, the higher the priority.
Under Route enter the 0365 domain name (e.g.
domain-com.mail.protection.outlook.com
)Note
This can be found under O365 > Settings > Domains > Domain Details > MX Value
Update to save changes.
2. Configure GravityZone Security for Email Outbound Mail
Go to Products > GravityZone Security for Email > Product Configuration.
Go to Outbound Mail.
Click Add.
Under Hostname enter the following hostname:
spf://spf.protection.outlook.com
Update to save changes.
Please follow the steps in this article to restrict Office 365 and then return to this article to continue configuration.
Follow the steps below to configure Office 365 to always send messages using the EMS server:
Log in to your Office 365 Admin Center, and go to Admin Centers > Exchange.
In the left-hand pane, click Mail Flow > Connectors.
Click + to add a new connector.
In the From: field, select Office 365.
In the To: field, select Partner Organization.
Give the new connector a sensible name.
Click Next.
Under When do you want to use this connector? select Only when email messages are sent to these domains, then click the + icon and enter
*
.Click Next.
Under How do you want to route email messages, select Route email through these smart hosts.
Add hosts according to the correct addresses for your cluster - see Europe, United States.
Click Next and then click Confirm to create the connector.
Note
If you wish to verify the connector, be sure not to use an internal address. For example, use a personal email address which is not a domain configured for your customer.
If the validation fails check the settings below before contacting technical support:
The connector is enabled.
The default domain is the domain configured in EMS domain settings (MailFlow > Accepted Domains).
Video tutorials
Enable editing DNS for your domain in Office 365
By default, the ability to add or update DNS records for managed domains in Office 365 is disabled. In order to configure and use GravityZone Security for Email you need to be able to edit your domain's DNS record to point to the service region you are using. To enable editing DNS records, follow the steps below:
Log in to Office 365 Admin center.
In the menu on the left side of the screen go to Settings > Domains.
Check the box next to your domain name then click on Manage DNS.
Click Continue.
Uncheck the Exchange and Exchange Online box and click Continue.
Click Done.
You will now be able to add and update the DNS records for your domain.
Install the Microsoft Outlook Add-in for Email Security
You can use Microsoft Outlook Add-in for Email Security to report messages as spam or phishing attacks directly from your inbox. Once reported, the message will be sent to Bitdefender and analyzed.
Requirements
The add-in is only accessible from a primary mailbox. You cannot use the add-in on a shared mailbox.
Compatible outlook versions:
Outlook 2013 or later for Windows
Outlook 2016 or later for Mac
Outlook on the web for Exchange 2013 on-premises and later versions
Outlook on iOS
Outlook on Android
Outlook on the web in Office 365 and outlook.com
Copy the this add-in manifest URL :
Go to the Office 365 admin center Add-in page and sign in.
Click Deploy Add-in.
Click Next.
Select Upload custom apps.
Select the I have a URL for the manifest file option and paste in this URL:
https://download.bitdefender.com/business/EmailSecurity/OutlookAdd-in/emsaddinmanifest.xml
Select Upload.
Select the users you want to assign the add-in:
Everyone - all users in your company will have access to the add-in.
Specific users / groups - only the selected users will have access to the add-in.
Just me - only you will access to the add-in.
Select the deployment method:
Fixed - the add-in will deploy automatically to all assigned users. Only you will be able to remove the add-in.
Available - users will have access to the add-in but will need to deploy it manually. All users will be able to remove the add-in.
Optional - the add-in will deploy automatically to all assigned users. All users will be able to remove the add-in.
Click Deploy.
If successful, the following message will appear:

The add-in should now appear in the list:

In Outlook, go to File > Manage Add-ins.
Go to My add-ins.
Under Custom Add-ins click Add a custom add-in and select Add from URL....
Enter this URL:
https://download.bitdefender.com/business/EmailSecurity/OutlookAdd-in/emsaddinmanifest.xml
Click OK.
If successful, the Add-in will appear under My add-ins > Custom Addins

Using the add-in to report an email
Once installed, the a button will appear in your Outlook interface:
For web version
For desktop app
To report an email follow the steps below:
Select the email you wish to report.
Click the Bitdefender add-in button.
Select either Report spam or Report phishing.
Stop receiving marketing emails
To stop marketing emails, including those marked as high and medium reputation, you can follow one of the steps below:
Use the link provided in each email to unsubscribe. This will only stop emails sent by that specific sender.
Filter out the emails by creating a rule in Outlook. Set all emails containing one or both tags in the subject line to be sent to a specific folder or to Trash.
Create a new rule in GravityZone Security for Email to filter out these emails for one or more users.
Exclude synchronized Azure Active Directory mailboxes from billing
All mailboxes added to GravityZone Security for Email as a result of synchronizing with Azure Active Directory (AAD) are identified by default as standard users, making them subject to billing. To be able to exclude o exclude shared mailboxes from billing, you need to provide the synchronization service with additional permissions to be able to read information from the Exchange API.
Grant access to synchronize Azure Active Directory shared mailboxes through Azure Active Directory
Note
This applies only to new Azure Active Directory connections. If you already have an existing Azure Active Directory connection, please assign the Office 365 Exchange Online API permission to it before continuing.
Sign in to Azure Active Directory with an Administrator account.
In the menu on the right side of the page, select Roles and administrators.
Use the search box to locate the Security Reader role and check the box next to it.
Note
This will grant the Unified Security Service Active Directory sync access to read extended information about Azure AD objects.
Important
Due to a recent Microsoft Azure update, you may not be able to assign this role via the Azure portal. As an alterntive, please use Azure CLI or PowerShell.
Click on the
button on the right side of the screen and select Description.
Select the Assignments page from the menu on the right side of the screen and click Add assignments.
Search for USS AzureAD, click on it to select it, and then click on Add.
The necessary permissions have now been granted to the synchronization service.
Note
If the Azure portal does not allow you to assign the role to the USS AzureAD application, you can use the Azure CLI tool or PowerShell as an alternative.
Grant access to synchronize Azure Active Directory shared mailboxes through Azure CLI
Start the Azure CLI tool:
docker run -it mcr.microsoft.com/azure-cli
Log in as a user with permission to assign roles:
az login
Follow the prompts to open a browser and authenticate the CLI
Find the Object ID of USS AzureAD (this can also be found in the Azure > Enterprise Applications > USS AzureAD section):
az ad sp list --all --query "[].{objectId:objectId}" --filter "displayName eq 'USS AzureAD'"
Assign the Security Reader role to USS AzureAD (where
$objectId
is the Object ID from step 3):az rest --method post --url https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments --body "{\"principalId\":\"$objectId\",\"roleDefinitionId\":\"5d6b6bb7-de71-4623-b4af-96380a352509\",\"directoryScopeId\":\"/\"}"
Grant access to synchronize Azure Active Directory shared mailboxes through PowerShell
Download and install the AzureAD PowerShell module.
Log in to your tenant as a Global Administrator:
Connect-AzureAD
Get the service principal ObjectID using the command:
Get-AzureADServicePrincipal
View the Object ID’s of the Azure AD Directory Roles:
Get-AzureADDirectoryRole | sort DisplayName
Note
This will also display the available directory roles.
Set a directory role to Service Principal:
dd-AzureADDirectoryRoleMember -ObjectId -RefObjectId
Note
ObjectId
is the object ID of the directory role from step 4 andRefObjectId
is the object ID of the Service Principal from step 3.Check the current directory roles assigned for the Service Principal:
Get-AzureADServicePrincipalMembership -ObjectId
Note
ObjectId
is the object ID of the Service Principal from step 3.
It may take up to 15 minutes for changes to propagate.
Add the Exchange Online API permission to an existing Azure Active Directory connection
Note
Only follow this procedure for Azure Active Directory connections created prior to 21st October 2020.
Sign in to Azure Active Directory with an Administrator account.
In the menu on the right side of the page, select Enterprise applications.
Search for USS AzureAD and select it.
In the menu on the right side of the page, select Permissions.
Click the Grant admin consent for <company name> button.
Proceed with the authentication and click Accept.
The Office 365 Exchange Online permission will now appear in the Admin Consent tab.
Configure outbound email for Exchange 2007/2010
It is important that you configure your Exchange connectors to send outbound email out through the MailSafe service. This ensures that both your outbound traffic is scanned and your traffic is profiled to help improve spam filtering. This article explains how to configure your connectors correctly.
Login to the Microsoft Exchange Server as an administrator.
Go to Start > All Programs > Microsoft Exchange 2010 > Exchange Management Console to open the Exchange Management Console.
In the left Pane, go to Microsoft Exchange > Organization Configuration.
Select Hub Transport.
In the middle pane, select the Send Connectors tab. A list of send connectors will be displayed.
Delete any Send Connectors that are destined for the internet. This will normally be all of them.
Create connectors for each sending hosts in the appropriate cluster - either US or EU.
In the right pane, select the New Send Connector link.
Enter the Name as per the cluster list, and select the Intended use as Internet.
Select Next.
On the Address Space page, select the Add button to add an SMTP Address Space.
Enter the Address Space as
*
and the Cost as10
. Click OK to create the connector, and then click Next to continue.On the Network Settings page, select Route Mail Through the following Smart Hosts.
Click the Add button to add a smart host.
When prompted, select Fully Qualified Domain Name and the first hostname from the appropriate cluster - either US or EU.
Click Next.
On the Configure Smart Host Authentication settings page, select None and then click Next.
On the Source Server page, add any other Exchange Servers that should be able to send email to this connector. In most cases, where there is only one server, the server will already be added. Click Next.
On the final page, click New to create the connector.
Click Finish.
Safelist GravityZone Security for Email IP addresses in Office 365
If you are using GravityZone Security for Email and delivering clean emails to Office 365, it is essential to bypass Exchange Online Protection (EOP) to ensure smooth delivery of emails. Failure to add the bypass rules will allow Office 365 to interfere with email delivery, causing unexpected results and behavior for end users.
Note
Even with the EOP bypass rules in place Office 365 will still provide anti-malware scanning
Log in to Office 365 and go to Admin > Exchange Admin Center.
Select Rules under the Mailflow section. Click the + icon and select Create a new rule...
Enter a name for the new rule (for example, Spam exclusion for Email Security).
Select More Options.
From the Apply this rule if... drop down menu, expand The sender... menu option and select IP address is in any of these ranges or exactly matches. In the dialog that opens, enter in each of the IP addresses based on the GravityZone Security for Email region in use.
You can find a list of our IP addresses here:
From the Do the following... drop down menu, expand the Modify the message properties... menu option and select set the spam confidence level (SCL) option to Bypass spam filtering.
Note
The final rule should look similar to the example below:
Click Save to save the rule
Clutter is a feature that moves low-priority emails out of user's inbox to a folder called Clutter. Clutter analyzes user's email habits, and based on past behavior, it determines the messages that the user most likely to ignore. To make sure that emails are always delivered to the user's inbox, you must bypass the Clutter. To do this amend the above rule and add the following entries.
Select Add Action and then expand Modify the message properties... and select set a message header.
Click the first Enter text link and paste the following exactly as it appears (case sensitive):
X-MS-Exchange-Organization-BypassClutter
Click the second Enter text link and paste the following exactly as it appears (case sensitive):
true
The rule should now look similar to the example below:
Click Save to save the changes.
Focused Inbox is a feature that automatically evaluates incoming emails and direct them to two views: Focused and Others. To make sure the email messages are always delivered to the user's Focused inbox, you must bypass the evaluation. To do this, create a new rule:
Click the + icon and then select Create a new rule....
Give the rule a name (for example Bypass Focused Inbox evaluation).
Click on More Options.
From the Apply this rule if... drop down menu, expand The sender... menu option and select IP address is in any of these ranges or exactly matches. In the dialog that opens, enter in each of the IP addresses based on the GravityZone Security for Email region in use.
You can find a list of our IP addresses here:
From the Do the following... drop down menu, expand the Modify the message properties... menu and select set a message header.
Click the first Enter text link and paste the following exactly as it appears (case sensitive):
X-MS-Exchange-Organization-BypassFocusedInbox
Click the second Enter text link and paste the following exactly as it appears (case sensitive):
true
The rule should now look similar to the example below:
Warning
Ensure that the Focused Inbox rule has a higher priority than the rule to bypass Office 365 spam protection