Sophos Email Mailflow EAP Guide

We're pleased to announce that all Sophos Email customers using Office 365 can now integrate directly with Office 365 for inbound and outbound email protection without needing to redirect their MX records. Read the Sophos Email Mailflow Early Access Program (EAP) announcement article here for more details, and follow the instructions below to get started.

How to take part

You can join the EAP by signing in to Sophos Central and following these simple steps.

  1. Click your account name and select Early Access Programs.

  2. Find Office 365 Mailflow, click Join, and follow the instructions.


Set up domains for use with Mailflow

Your next steps depend on your existing setup.

  • If you're already using Sophos Email and want to set up Mailflow rules on a new domain or migrate existing domains from Gateway to Mailflow, go to Existing Sophos Email user.
  • If you've just subscribed to Sophos Email, and have no domains set up yet, go to New Sophos Email user.


Existing Sophos Email user

To set up Mailflow rules if you're already using Sophos Email, do as follows:

  1. In Sophos Central, go to Settings and click O365 Mailflow Domain Settings / Status.



  2. Your choice in the next screen depends on whether you're migrating a domain or adding a new one.

    1. If you're migrating a domain from Gateway to Mailflow, choose Copy existing O365 Domains and Policies. This copies any detected O365 domains.

    2. If you're adding a domain, click Setup Domains and Policies manually and follow the instructions.

  3. When the process is complete you see the O365 Mailflow Domain Settings / Status screen, showing your domains.

  4. To set up Mailflow Rules for these domains, click Connect and follow the instructions.



  5. You are redirected to Microsoft to authenticate your domains and grant permissions. You must accept these permissions so that the necessary applications and mailflow rules can be created.

When your Mailflow for Office 365 protection is set up, the domain status shows a green tick. You can also do a quick test to validate your mailflow rules.

Once you have verified that your mailflow rules are functioning properly, remove the gateway setup for the domain and change the MX records back to O365.
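Before you remove the Gateway setup and move the MX records, it is worth checking the Exchange Online objects that the granted permissions created, not just the green tick in Sophos Central. The script below is an added example (not Sophos code and not part of this article) that lists the connectors and mail flow rules and flags any that are disabled or do not require TLS; it assumes the objects carry "Sophos" in their names, which you may need to adjust, and it requires the ExchangeOnlineManagement module. The same check applies after the New Sophos Email user procedure.

```powershell
# Added example, not part of the Sophos article. Audits the Exchange Online
# connectors and transport rules the Mailflow integration was allowed to create.
# ASSUMPTION: the created objects contain "Sophos" in their names; set
# $NamePattern to match what you see in the Exchange admin center.
param(
    [string]$NamePattern = '*Sophos*'
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()

# Inbound connectors carry scanned mail back into the tenant; they should be
# enabled and should require TLS from the scanning service.
Get-InboundConnector | Where-Object { $_.Name -like $NamePattern } | ForEach-Object {
    if (-not $_.Enabled)    { $findings += "Inbound connector '$($_.Name)' is disabled" }
    if (-not $_.RequireTls) { $findings += "Inbound connector '$($_.Name)' does not require TLS" }
    "Inbound '$($_.Name)' sender domains: $($_.SenderDomains -join ', ')"
}

# Outbound connectors send mail out for scanning; check that TLS is required
# and that the smart hosts are the ones you expect.
Get-OutboundConnector | Where-Object { $_.Name -like $NamePattern } | ForEach-Object {
    if (-not $_.Enabled) { $findings += "Outbound connector '$($_.Name)' is disabled" }
    if ($null -eq $_.TlsSettings) { $findings += "Outbound connector '$($_.Name)' does not require TLS" }
    "Outbound '$($_.Name)' smart hosts: $($_.SmartHosts -join ', ')"
}

# Transport (mail flow) rules route messages through those connectors; a
# disabled rule or one shadowed by a higher-priority rule silently skips scanning.
Get-TransportRule | Where-Object { $_.Name -like $NamePattern } | ForEach-Object {
    if ($_.State -ne 'Enabled') { $findings += "Transport rule '$($_.Name)' is $($_.State)" }
    "Rule '$($_.Name)' priority $($_.Priority), state $($_.State)"
}

if ($findings.Count -eq 0) {
    "No problems found with objects matching $NamePattern"
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it with an account that holds the Exchange administrator role; any WARNING lines should be resolved before the Gateway setup for the domain is removed.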

Your mailflow rules are now up and running.


New Sophos Email user

If you don't have any domains set up for Sophos Email protection, do as follows:

  1. After you've joined the EAP, go to Settings and click O365 Mailflow Domain Settings / Status.

  2. If you haven't synchronized your Active Directory, you can do it now. If you have already synchronized your users and mailboxes, click Proceed to Next Step.



  3. Follow the instructions to set up your domains and mailflow rules.

    Note: If you want to protect only a subset of mailboxes in the domain, create a new group in O365 and add the mailboxes you want to protect. When you synchronize users and groups, this group is imported as well.

  4. Once your new domain is added, you are redirected to O365 for authentication and to grant permissions. You must accept these permissions so that the necessary applications and mailflow rules can be created.


When your Mailflow for Office 365 protection is set up, the domain status shows a green tick. You can also run a quick test to validate your mailflow rules.



Your mailflow rules are now up and running.

Anonymous
  • I'm also experiencing issues like this. I notice that emails still get delivered to quarantine in M365 due to other domain aliases such as onmicrosoft.com. I guess the solution would be to add the onmicrosoft.com domain to Sophos, but since this is a default domain, I'm not sure how that affects other services Microsoft relies on. I'm also noticing that emails from gmail.com will get marked as an unverified sender because the header says that gmail.com doesn't designate our Outlook domain as a sender; when Microsoft uses the outbound connector to Sophos, Sophos checks gmail.com's SPF record, and since our custom Outlook domain isn't in Gmail's SPF, we get a soft fail.

  • When testing the connection, the test email is blocked and quarantined. Any thoughts?

  • "you are redirected to O365 for authentication and to grant permissions"

    • What permissions does the user need to be able to grant these?
    • What happens if the user's O365 password changes?
    • Does this authentication expire at some point and need to be redone?
  • I cannot see the EAP in my overview, only the "New macOS Endpoint Protection Features" one.

    Do I need to get an invitation code for the Mail EAP?