Recap: Getting started with Sophos Email - Session 1

On February 26, we hosted session 1 of our 3-part Getting started with Sophos Email webinar series. We covered comprehensive insights into Sophos Email deployment types, mailbox syncing, and domain setup. 

For those unable to attend or are looking to revisit, you can find the webinar recording below. Additional resources can be found at the bottom of this post. 

Interested in learning more?

This was the first session of a 3-part series designed to enhance your journey with Sophos Email. Future sessions include:    

• Session 2: Configure email security and data control, March 25, 2025 
• Session 3: Troubleshooting and mail management, April 23, 2025  

REGISTER NOW 

Can’t attend live? Register anyway to receive the recording after the live event.   

Related resources

• Sophos Email onboarding page
• Techvids - Sophos Email: Get Started with Sophos Email — Part 3 - Mailflow Mode
• Techvids - Sophos Email: Get Started with Sophos Email — Part 1 - Gateway Mode
• Techvids - Sophos Email: Configure External Dependencies in M365 Part 1 — Inbound Settings
• Sophos IP and DNS Record Information 

Additional Support resources

• Support Portal – for access to product resources, knowledge base articles, documentation, and much more.
• Sophos Status – sign up for updates on system and product statuses and maintenance.
• Sophos Techvids – for troubleshooting guides, product demos, and foundational knowledge videos.

Follow-up Q&A 

1. Could you please share the specific documentation for setting up DKIM SPF in M365 under Mode Mailflow.
   1. If you are using mailflow mode, you do not want to change your SPF or DKIM records as these would likely already include Microsoft as it is the edge device. Use the following Microsoft article to help you configure this if it was not already done:
      1. For SPF please see: https://learn.microsoft.com/en-us/defender-office-365/email-authentication-spf-configure
      2. For DKIM please see: https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure 
         
         
2. What are the differences between Sophos Firewall email and Sophos Email features?
   1. There are a number of features available for both products. Here are the current features available for Sophos Email: https://assets.sophos.com/X24WTUEQ/at/f84fgz64xhf87tckpk3jk59k/sophos-email-ds.pdf
   2. Sophos Firewall also offers a number of email protection options which can be found here (including how-to and configuration guides): https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/index.html 
      
      
3. Can you also touch base on the custom branding and what license is required? How is it different from the UTM email protection?
   1. Custom branding is for the encryption portal only, which requires a separate add-on license. Compared to the UTM firewall, the Sophos Email encryption portal is hosted in the cloud and provides improved password recovery processes.
      
      
4. Is there any way of manually removing a mailbox license within Sophos?
   1. You can’t remove a license manually, but you can delete the mailbox,remove the license. Otherwise, if the mailbox does not receive/send an email in 30 days, the license will be automatically removed for that mailbox.
      
      
5. Is Gateway the most common setup?
   1. For users using M365, the majority are using Mailflow mode; however, since Gateway mode covers more products (on-prem, Google Workspace) this mode is more common.
                      
6. If I have 200 mailboxes in my organization but I want to protect only 10, is it possible?
   1. This would depend if your domain is configured in Gateway mode or mailflow. In mailflow it’s possible by configuring specific groups in Azure and then configuring mailflow in Sophos Central with the specific group. See Mailflow Groups for more information
      
      
7. I have purchased four mailbox licenses, is it possible to replace a mailbox among the four I already have?
   1. If you, for example, have mailbox1@domain.com, mailbox2@domain.com, mailbox3@domain.com, mailbox4@domain.com, and you want to add a new one, but only have four licenses, then you can remove, for example, mailbox4@domain.com and add mailbox5@domain.com
   2. Keep in mind since you have removed mailbox4 all emails to and from this mailbox will be rejected.
      
      
8. With mail flow mode,  all the Microsoft logs are wrong, because MS sees the emails twice, and the second time the email comes from Sophos (or from MS itself if we checked outside filtering). Is there a solution for that?
   1. Due to the nature of the email flow and as you mentioned, emails may be seen twice from Microsoft's perspective. The easiest way to trace an email for troubleshooting purposes would be to use the unique message-id of an email. This remains constant and doesn’t change as it goes through the different email systems and would provide you with the full picture of the email path.
      
      
9. Para el caso de un dominio de Gmail ¿Existe una ventana  de tiempo necesaria, en la cual el servicio deja de operar?
   Translation: For Gmail (Google workspace) setup, is there a downtime window needed?
   1. Take a look at the following Google Workspace videos where we show you how to minimize downtime:
      Sophos Email: Setup Google Workspace - Part 1 - Inbound Routing: https://techvids.sophos.com/watch/9jZ7qyGQa7ERwhHjW7c7sP
      Sophos Email: Setup Google Workspace - Part 2 - Outbound Routing: https://techvids.sophos.com/watch/RZJPCMYeuoZ5jcUwLYHMTL
      
      
10. I synced my Active Directory with Sophos, but instead of migrating my groups and distribution lists correctly, it listed users under them. How can I fix this?
    1. When adding filters for specific groups in AD sync, it is expected to also fetch all the users within the group. Both the individual users or the group itself can then be applied to a policy. From a Sophos Email perspective, distribution lists are treated like standard mailboxes. If that is still not showing correctly, you may be using the incorrect filters.
    2. Take a look at: https://docs.sophos.com/central/customer/help/en-us/PeopleAndDevices/DirectoryService/SetUpSynchronizationWithActiveDirectory/index.html#ldap-filters
    3. This Sophos Techvids video may also help (starting at 5:56 mark) :https://docs.sophos.com/central/customer/help/en-us/PeopleAndDevices/DirectoryService/SetUpSynchronizationWithActiveDirectory/index.html
    4. If the issue persists please open a case with Sophos Support to investigate further.
       
       
11. Right now we are using Sophos Email as the gateway for on prem exchange. We are moving to M365, apart from setting up M365, I dont think we need to do do a lot of changes  like dkim, spf, demarc. Am I correct based on today's session?
    1. Since you’ve likely already updated your SPF and DKIM records to include Sophos you will still need to update these to include Microsoft (and remove the Sophos records). Depending on your DMARC record, its likely this doesn’t need to change provided your DKIM and SPF is up to date and includes Microsoft IPs once you fully switch over (as its now the edge server).
       
       
12. What about onboarding NON-MS365/G-Workspace, ie. locally hosted Mail servers
    1. For locally hosted mailserver instructions, please see inbound configuration for all other clientsfor inbound and outbound configuration for all other clients for outbound setups. As there are a lot of on-premise solutions and believe it would be beneficial to have specific instructions for your use-case, let us know in the comments and we’ll look into the possibility of creating specific articles or help guides.
       
       
13. With M365, do cross-tenant emails go through the Sophos email gateway if using gateway mode with Email Protection.  Or, do they natively stay within the M365 network?
    1. By default, for cross-tenant email behavior, M365 will send emails to the published MX record location (Sophos). As you are in gateway mode, this means emails will be sent to Sophos (leave Microsoft network) for scanning first, then routed back to Microsoft for delivery if it’s accepted.
    2. For domains within the same tenant, by default this natively stays within the M365 network. However, you can choose to route those emails to Sophos first by creating a new send connector.
       
       
14. Do I need a license to use Sophos Email besides the licenses for the mailboxes?
    1. No additional licenses are required to protect your mailboxes. There are add-ons to use some features, such as portal encryption, which does require additional licensing.
       
       
15. Is there a way to move a domain to another account?
    1.  You will need to first delete the domain from the original account. If you are using gateway mode or mailflow mode, this will need to be done prior to following the same setup instructions. If the new account is in a different region, you will also be required to update any DNS records as most are regionally specific.