New Mailflow setup

I see the new Mailflow functionality is appearing in my Cloud Portal as a released feature. In the help it states:

Sophos Mailflow doesn't currently support the following:

What do you mean by it does not support TLS? What elements of the email transmission are not encrypted using TLS connections exactly?

After switching to the Mailflow method from the Gateway method do I also need to:

1. Remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules?

2. Remove the Secure Connector between Microsoft 365 and Sophos Gateway?

Will the new Mailflow method remove the Sophos Banners on my emails when I reply to them as part of the Outbound process?



  • I enabled this recently and had a lot of issues with valid inbound users showing as unverified users due to spf fails because gmail and other common domains don’t designate our custom outlook domain as a valid sender. When Microsoft forwards the email to Sophos, Sophos checks the spf for and gmail doesn’t have our outlook domain as a designated sender.

    I also noticed issues with emails going to quarantine on the Microsoft side and bypassing Sophos entirely. The way Microsoft handles redirects to aliases bypasses the forwarding to Sophos. I could see in our message traces in exchange that the emails were being routed to the Sophos connector but when you check for the email in Sophos, a log doesn’t exist. Even when I setup the domain in Sophos Mailflow, I experienced the same issue.

    I opened a ticket with Sophos on this and was informed by support that they haven’t been trained on Mailflow because it’s still in EAP which makes me wonder why I’m being prompted to set it up in Sophos central; I’m not registered for the Mailflow EAP either. Doesn’t seem fully baked at this point and the issue with spf fails and unverified users needs to be addressed before we can migrate fully to Mailflow. I like the idea though and definitely seems more efficient than redirecting MX. Following this thread to see if others have similar issues. 

  • I have been going back and forth with support for several weeks.  this SPF issue persists and they seem unable to escalate the issue and/or address the question head on..

  • send me an email tom.foucha (at) and let's take a look at it. @Caleb Terry you also

  • Nice meeting and working with you Michael Cassman, to update others monitoring this thread when you are dealing with Banners and click the little (i) icon next to the smart banners for an explanation. The banners are controlled by whether or not DMARC passes or not. There is an order of operation also, in order for DMARC to pass either SPF or DKIM must align, it doesn't require both, but at least one must. Once DMARC passes it doesn't matter if SPF failed or not, because DMARC and DKIM would have passed. or if DMARC passes and SPF passes but DKIM fails, again doesn't matter. The order of precedence is DMARC, SPF, DKIM. If DMARC record exists AND it is in the Allow list it will be considered Trusted and bannered accordingly. 

  • I'm just trying to understand the changes better. I think the new Mailflow method may be preferable as it removes the need to change MX records to reroute email through Sophos. We are a reseller as well as an end user so interested in the fact that Mailflow sounds easier to setup when first creating an account for a customer.

    panorama charter com

  • The changes are we automatically setup the Connectors and Rules in M365 to redirect traffic from M365 to Central and then we inspect and deliver the message back to M365 via a connector. You setup SPF, DKIM and MX to point to M365 so to the outside world Sophos is not visible in the path. 

Reply Children
No Data