Exchange Online Protection, Mail flow, and Encryption: Notes from

[Diagram: EOP inbound mail flow] Internet mail is routed based on MX record resolution; the sender resolves the tenant's host name (contoso-com.mail.protection.outlook.com) to an EOP datacenter. Stages shown: Edge Blocks & Tenant Attribution (IP-based block lists; directory-based (recipient) blocks) -> Virus Scanning (AV Engine 1, AV Engine 2, AV Engine 3) -> Transport Rules / Policy Enforcement (Email Encryption, Custom Rules) -> SPAM Protection (Allows/Rejects, Content scanning and Heuristics, Outlook Safe Sender/Recipient, Bulk Mail Filtering, Connector-Based, Content Filter Advanced Options). Normal-score mail goes to the Customer Delivery Pool and on to the Mailbox (O365) or Mailbox/Application (On-premises); higher-risk mail goes to the High Risk Delivery Pool, and filtered mail to Quarantine. Customer Feedback (False Positives/Negatives) is fed to the Spam Analysts. An Outbound Pool handles mail leaving the service.
Deployment: Basic Mail Flow
Filtering only, or with Exchange Online, including Hybrid

Filtering-only
https://ps.protection.outlook.com/powershell-liveid/ is the correct URL to use when connecting to EOP standalone (SA)
Hybrid / Exchange Online
https://outlook.office365.com/powershell-liveid/ is the correct URL to use when connecting to Exchange Online
• Routing between Exchange on-premises & Exchange Online MUST NOT pass through any 3rd party
• For non-Hybrid mail flow, use CBR (criteria-based routing) connectors or centralized mail transport if you must
• If you keep the MX record pointed to on-premises:
  - EOP scanning will have reduced effectiveness
  - On-premises IP reputation & the ability to keep the bad stuff out is critical to maintaining mail flow
Domain Validation
Domain Validation: Wizard completion
Once verified, the domain will appear in EOP/EXO as an "AcceptedDomain"
• For EOP, it will default to "internal relay"
• For EXO, it will default to "authoritative"
Test & enable mail flow
Test
• Simply VALIDATE your new connector in the Office 365 Admin Center
• Or telnet to the assigned host record (contoso-com.mail.protection.outlook.com) and attempt to send a test message to an on-premises mailbox
DNS changes
• MX record (domain-suffix.mail.protection.outlook.com)
• SPF record (v=spf1 ip4:10.1.2.3 include:spf.protection.outlook.com -all)
• Do not change Autodiscover CNAME DNS entries for filtering-only customers
On-premises changes
• Create a smart host from the on-premises environment to EOP
• Restrict the on-premises firewall to only accept port 25 traffic from EOP
When you are done:
HINT: Keep your on-premises IP addresses in here too!
Recommend: Enable Directory Synchronization
[Diagram: On-premises <-> Office 365 Directory Sync <-> Exchange Online Protection]
• Automated user/group management
• Ease of administration for rules based on addresses
• Synchronize Outlook safe/block sender lists
• Enable directory-based edge (recipient) blocking
Protection: Anti-Spam & Anti-Malware

Setting expectations
• May see a change in email patterns
• Every product needs to be tuned to your environment
• Features may function differently

Porting configuration
• Good opportunity to trim old safe/block lists
• Spam filtering rules may not be needed
• Review filtering policies (transport rules)

Spam and Policy customization
• EOP and the Junk Mail folder
  - Standalone only (should not be required for a proper Hybrid deployment):
    Set-OrganizationConfig -SCLJunkThreshold 4
  - At least two rules need to be added to the on-premises environment (give each rule its own name):
    New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6
    New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6
  - Make sure Outlook updates are always applied to prevent false negatives (SCL -1 is not recognized without the update and will take the spam action)
  - It is EASY to educate end users to use the Junk Mail folder in Outlook!
• EOP and the quarantine
  - Messages are kept in EOP datacenters away from the user's view.
  - Administrator can grant access to the quarantine for end-user self-management.
  - Administrator can also configure end-user spam notifications (ESNs)
Publish an SPF record (Sender Policy Framework)
• Include EOP IPs and on-premises public IPs
• Use the Microsoft Configuration Wizard
• Avoid safe-listing your own domains: this bypasses the SPF check and negates the check's effectiveness
Publish a DMARC policy (Domain-based Message Authentication, Reporting and Conformance)
• If you can't publish p=reject or p=quarantine, you can still publish p=none and collect feedback.
Publish a DKIM signature (DomainKeys Identified Mail)
Recommend reporting Spam to Microsoft
• Get the Junk email reporting tool
• Attach to a new email, copy the headers into the body of the new email and send to junk@office365.microsoft.com
Recommend reporting False Positives to Microsoft
• Attach to a new email, copy the headers into the body of the new email and send to not_junk@office365.microsoft.com
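As an added example (not from the deck), the following PowerShell function checks the MX, SPF, DMARC and DKIM records of a domain against the recommendations above and lists what is missing. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName) and, for DKIM, the EOP selector names selector1 and selector2; contoso.com is the deck's placeholder domain.

```powershell
function Test-EopDnsPosture {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = @()

    # MX: the lowest-preference record should be the tenant's EOP host
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference)
    if ($mx.Count -eq 0) { $findings += 'No MX record found' }
    elseif ($mx[0].NameExchange -notmatch '\.mail\.protection\.outlook\.com$') {
        $findings += "Lowest-preference MX is $($mx[0].NameExchange), not EOP; EOP scanning will have reduced effectiveness"
    }

    # SPF: exactly one v=spf1 TXT record, including EOP's senders and ending in -all (or ~all)
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings }
    $spf = @($txt | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -ne 1) { $findings += "Expected exactly one SPF record, found $($spf.Count)" }
    else {
        if ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
            $findings += 'SPF does not include spf.protection.outlook.com'
        }
        if ($spf[0] -notmatch '\s[-~]all$') { $findings += "SPF does not end in -all or ~all: $($spf[0])" }
    }

    # DMARC: _dmarc TXT with v=DMARC1; p=none is a valid starting point while collecting reports
    $dmarc = @(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings } |
               Where-Object { $_ -match '^v=DMARC1' })
    if ($dmarc.Count -eq 0) { $findings += 'No DMARC record; publish p=none first to collect feedback' }
    elseif ($dmarc[0] -match '(^|;)\s*p=none') { $findings += 'DMARC is p=none; move to quarantine/reject once reports are clean' }

    # DKIM: assumes the EOP selector names selector1/selector2 (CNAMEs to the tenant's signing keys)
    foreach ($sel in 'selector1', 'selector2') {
        $cn = Resolve-DnsName -Name "${sel}._domainkey.${Domain}" -Type CNAME -ErrorAction SilentlyContinue
        if (-not $cn) { $findings += "No DKIM CNAME published for ${sel}._domainkey.${Domain}" }
    }

    [pscustomobject]@{ Domain = $Domain; Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Run against your own domain (contoso.com is the deck's placeholder)
Test-EopDnsPosture -Domain 'contoso.com' | Format-List
```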
A new email filtering service coming this summer
• Protection against unknown malware and viruses, through a feature called Safe Attachments
• Real-time, time-of-click protection against malicious URLs, through a feature called Safe Links
• Rich reporting and URL trace capabilities
Receiving
• Microsoft has begun to get more aggressive against bulk email
• New anti-spam header X-Microsoft-AntiSpam
• Improvements to bulk email filtering: Bulk Complaint Level (BCL), use it today

Sending
X  Have the application send via EOP
✓  Find a 3rd party in the business of sending email
X  Use the same on-premises IPs as core business email
✓  Use a separate domain or subdomain for mass emails
✓  Make sure SPF record(s) include all apps & 3rd parties
Monitor and fine tune
• Make adjustments to rules or settings as needed
• Evaluate effectiveness of spam settings
• Did you report that to the Microsoft Anti-spam team?
• Reports (Office 365 Portal or Mail Protection Reports for Office 365): updates coming!
• Transport Layer Security (TLS)
  Great for securing email between Office 365 and on-premises or with specific partner/external servers
  All Office 365 SMTP is defaulted to opportunistic; TLS 1.0-1.2 secure ciphers
• Office 365 Message Encryption
  Allows the recipient to be external and on any device; if the recipient's mailbox can be accessed, then the message can be decrypted
• Information Rights Management (Azure AD)
  Keys held on the RMS server; the organization can set usage rights and custom templates; requires organizational authentication; does not get in the way of e-Discovery
• S/MIME
  Secure from client to client, as long as the private keys remain secure
[Figure: annotated NDR for joe@contoso.com, calling out who can fix it, where the error details are, and who generated the NDR]
Remote Connectivity Analyzer (http://testconnectivity.microsoft.com)
Message Header Analyzer: can be added to OWA & Outlook as an app
Message Trace
• Find out everything about a message that Office 365 handled
• Search up to 90 days
• Get routing details

Message Trace: two features

                    "Basic" Message Trace                "Extended" Message Trace (Historical Search)
Data Set            Between approx. 15 minutes & 7 days  Between approx. 8 hours & 90 days
View Results        In UI                                Download
Results             In seconds                           In minutes/hours (can configure notification email address)
Routing Details     Basic detail only                    Full detail optional
Maximum Size        500                                  5,000 (3,000 for detail)
Max Queries / Day   Reasonable limits                    15 per tenant
Finding Message Trace
• Go to the Exchange Admin Center
• Click mail flow
• Click message trace
Using the UI
• The two features share the same UI for simplicity
Using Historical Search
• After selecting a period outside of 7 days, new options appear
• "Include message events and routing details with report"
• Enter a notification email address
Completed Historical Search
• Click to see running & completed reports
• Reports are available for 10 days
• Results of 5000 (or 3000 for detailed) should not be trusted to be complete (truncated warning message)
• Scroll to the bottom to download the results
Reviewing Historical Search Results
• Recommend using Excel
• DATA -> Filter
• Sort by date_time
• More information about the fields & value meanings: http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx
PowerShell
• Basic: Get-MessageTrace, Get-MessageTraceDetail
• Extended: Start-HistoricalSearch, Stop-HistoricalSearch, Get-HistoricalSearch
  - Pull results inside of (and shorter than) 7 days (but still >8 hours)
  - Search on advanced criteria, such as finding all messages that hit a particular DLP rule

    Start-HistoricalSearch [[-Organization] <OrganizationIdParameter>]
        -ReportType <HistoricalSearchReportType> {MessageTrace | MessageTraceDetail | DLP | TransportRule | SPAM | Malware}
        -ReportTitle <string> -StartDate <datetime> -EndDate <datetime>
        [-NotifyAddress <MultiValuedProperty[string]>] [-DeliveryStatus <string>]
        [-SenderAddress <MultiValuedProperty[string]>] [-RecipientAddress <MultiValuedProperty[string]>]
        [-OriginalClientIP <string>] [-MessageID <MultiValuedProperty[string]>] [-DLPPolicy <MultiValuedProperty[guid]>]
        [-TransportRule <MultiValuedProperty[guid]>] [-Locale <cultureinfo>]
        [-Direction <MessageDirection> {All | Sent | Received}]
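An added example (not from the deck) that puts the two trace features together for the inbound scenario: queue an extended (historical) search for 30 days of mail from one sender, poll it, then run a basic trace for the last 24 hours and drill into anything not delivered. It assumes an existing remote PowerShell session to Exchange Online, that the addresses are placeholders, and that Done/Failed/Cancelled are the terminal Status values of a historical search job.

```powershell
# Placeholders: replace with your own addresses and date range
$sender = 'joe@contoso.com'
$notify = 'admin@contoso.com'
$end    = (Get-Date).ToUniversalTime()
$start  = $end.AddDays(-30)

# Extended trace: queue a historical search for mail from the sender over the last 30 days.
# Results come back as a downloadable report; the notification address is mailed when it is ready.
# Remember the limit of 15 such searches per tenant per day.
$job = Start-HistoricalSearch -ReportTitle "Inbound from $sender" -ReportType MessageTrace `
    -SenderAddress $sender -StartDate $start -EndDate $end -NotifyAddress $notify

# Poll the job instead of waiting for the email. Assumes Done/Failed/Cancelled are the terminal
# Status values; stop after a bounded number of checks either way.
for ($i = 0; $i -lt 60; $i++) {
    Start-Sleep -Seconds 60
    $state = Get-HistoricalSearch -JobId $job.JobId
    if ($state.Status -in @('Done', 'Failed', 'Cancelled')) { break }
}
$state | Format-List

# Basic trace (inside the 7-day window) for the inbound scenario: is there any record of the
# message, what did hygiene decide, and where did it go?
$recent = Get-MessageTrace -SenderAddress $sender -StartDate $end.AddHours(-24) -EndDate $end
$recent | Select-Object Received, RecipientAddress, Subject, Status | Format-Table -AutoSize

# For anything not delivered, pull the per-hop events (RECEIVE, SEND, FAIL, DELIVER ...) to see
# forwards, rules, quarantine or spam filtering decisions.
foreach ($m in ($recent | Where-Object { $_.Status -ne 'Delivered' })) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Select-Object Date, Event, Action, Detail | Format-Table -AutoSize
}
```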
Scenario: Inbound
• Check to see if there is any record of the message (if there is no record, then you'll need to check with the sender)
• Check hygiene results
• Look for hints about where it may have gone (forwards, rules, etc.)
Scenario: Outbound
• Make sure the message was received from the Outlook client (if not, troubleshoot Outlook)
• Look for the SMTP SEND event
http://myignite.microsoft.com
[Diagram: the same EOP pipeline as above, this time including the outbound path: Mailbox (O365) or SMTP Client Submission (EXO only, smtp.office365.com) -> scanning and policy stages -> Outbound Pool (normal score) or High Risk Delivery Pool (higher risk) -> Internet, where mail is routed based on MX record resolution]
Links
• EOP TechNet content http://technet.microsoft.com/en-us/library/jj723137.aspx
• EOP best practices http://technet.microsoft.com/en-us/library/jj723164(v=exchg.150).aspx
• EOP FAQ http://technet.microsoft.com/en-us/library/jj871669.aspx
• False positive/negative submissions http://technet.microsoft.com/en-us/library/jj200769.aspx
• EOP Datacenter IP addresses http://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx
• Hybrid deployment http://technet.microsoft.com/en-us/library/jj200581(v=exchg.150).aspx






• http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/OFC-B322#fbid
• http://technet.microsoft.com/library/exchange-online-limits.aspx
• http://technet.microsoft.com/en-us/library/jj710171.aspx
• Mail Protection Reports for Office 365 http://www.microsoft.com/en-us/download/details.aspx?id=30716
Failover configuration: using a second MX record to accomplish failover

Contoso.com has on-premises IPs at 3 sites: Site A - 10.0.0.5 & 10.0.0.6, Site B - 10.1.1.5, Site C - 10.2.2.5
Contoso.com wants mail to route to Site A, but if it is down wants mail to go to Site B, and Site C as a last resort.
Specify onprem.contoso.com in the outbound connector smart host field & create the following DNS records:

Name                 Type                Value
contoso.com          MX preference = 10  contoso-com.mail.protection.outlook.com (routes all mail for contoso.com)
onprem.contoso.com   MX preference = 10  mail-a.contoso.com
onprem.contoso.com   MX preference = 20  mail-b.contoso.com
onprem.contoso.com   MX preference = 30  mail-c.contoso.com
mail-a.contoso.com   A                   10.0.0.5, 10.0.0.6
mail-b.contoso.com   A                   10.1.1.5
mail-c.contoso.com   A                   10.2.2.5

Testing mail flow with telnet

You do/type this                            Server responds with this
telnet tenantDomainMxRecordHere 25          220
HELO your_sending_server_fqdn               250 (followed by human readable message)
MAIL FROM: you@host.com                     250 Sender OK
RCPT TO: recipient@domain.com               250 Recipient OK
DATA (followed by the enter key)            Tells you to send data and how to end.
SUBJECT: Test (hit enter twice)             Hitting enter twice conforms to the standard.
Enter the body message. To end, put a single period on a line by itself and press enter.
                                            You should see something about message accepted or message queued.
QUIT
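The telnet walk-through above can be scripted so the reply codes are checked rather than eyeballed. This added example (not from the deck) performs the same exchange against the tenant's EOP host but stops after RCPT TO, so nothing is queued; the host name, sending server FQDN and addresses are placeholders for your own tenant and domain.

```powershell
function Test-EopSmtpAccept {
    param(
        [Parameter(Mandatory)][string]$MxHost,      # e.g. contoso-com.mail.protection.outlook.com
        [Parameter(Mandatory)][string]$SenderFqdn,  # your sending server's FQDN, used in HELO
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To
    )
    $client = New-Object System.Net.Sockets.TcpClient($MxHost, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # Read one SMTP reply, consuming multi-line replies ("250-..." lines until "250 ")
    function Read-Reply {
        do { $line = $reader.ReadLine(); Write-Host "S: $line" } while ($line -match '^\d{3}-')
        return [int]$line.Substring(0, 3)
    }
    # Send one command and insist on the expected reply code
    function Send-Cmd([string]$Cmd, [int]$Expect) {
        Write-Host "C: $Cmd"
        $writer.WriteLine($Cmd)
        $code = Read-Reply
        if ($code -ne $Expect) { throw "Expected $Expect after '$Cmd', got $code" }
    }

    try {
        if ((Read-Reply) -ne 220) { throw 'No 220 banner from the MX host' }
        Send-Cmd "HELO $SenderFqdn" 250
        Send-Cmd "MAIL FROM:<$From>" 250
        Send-Cmd "RCPT TO:<$To>" 250      # 250 Recipient OK = the connector/domain is accepting mail
        Send-Cmd 'QUIT' 221               # stop before DATA so nothing is queued
        return $true
    } finally {
        $client.Close()
    }
}

# Placeholders: the tenant MX host, your server's FQDN, and a sender/recipient pair
Test-EopSmtpAccept -MxHost 'contoso-com.mail.protection.outlook.com' -SenderFqdn 'mail-a.contoso.com' `
    -From 'you@contoso.com' -To 'recipient@contoso.com'
```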