
Set up Sophos Mailflow

You can use Sophos Mailflow to integrate Sophos Email Security with Microsoft 365 (formerly Office 365) email domains without modifying your DNS and your MX records.

For instructions on using Sophos Gateway to connect with on-premises email systems and non-Microsoft 365 domains, see Set up Sophos Gateway.

Before you start

It's important to understand the following points before you set up Sophos Mailflow.

Mail flow rules in Microsoft 365

Sophos Mailflow uses Microsoft APIs to create mail flow rules in your Microsoft 365 environment. These mail flow rules route the emails to Sophos and back to Microsoft 365.

Warning

Sophos rules have a higher priority than existing mail flow rules on your Microsoft 365 domain. This is to make sure messages are scanned for threats first.

Your existing rules run, in the same order as before, after the Sophos rules have been run.

You may also see the Pre-existing Mailflow Rules Found message. To resolve this, see Fix conflicts with Microsoft 365 rules.

Included domains

Sophos Mailflow only checks email that comes from domains that you've added to Sophos Central and have been verified. You must also add the domains to the Microsoft 365 connectors you configure.

For example, if you have a backup Microsoft domain such as <yourdomain>.onmicrosoft.com, we don't check emails coming from that domain. They're sent directly to the user.

You might want to turn off the Microsoft 365 backup domain, or add the backup domain to your Microsoft 365 connector settings.

Inbound connectors

Sophos Mailflow setup creates inbound connectors in your Microsoft 365 organization. Some Microsoft 365 subscriptions don't support inbound connectors. This means that Sophos Mailflow setup fails.

Make sure your Microsoft 365 subscription allows you to create inbound connectors before you begin.

Developer accounts

You can't use a Microsoft developer account to integrate Sophos Email Security with Microsoft 365.

See Does the instant sandbox have different capabilities than a standard Microsoft 365 E5 subscription?

Sophos emergency inbox

Sophos Mailflow sends users' messages to the Sophos Central Self Service Portal emergency inbox after processing. If there's an issue with Microsoft's servers, Sophos Mailflow can't receive messages from Microsoft, so they don't reach the emergency inbox. The emergency inbox only holds messages that Sophos Mailflow processed before the problem occurred. See Manage settings for Sophos Central Self Service.

TLS

With Sophos Mailflow, Transport Layer Security (TLS) is always applied between Sophos Email and Microsoft 365. You must configure TLS in Microsoft 365 to make sure emails delivered and received by Microsoft 365 are secure.

Real-time block lists

Real-time block list (RBL) checks are applied early in the process of receiving email, during the SMTP commands. This means RBL checks are applied by Microsoft 365.

Set up Sophos Mailflow

You must be a Microsoft 365 administrator to set up Sophos Mailflow.

To set up Sophos Mailflow, do as follows:

  • Add the mailboxes you want to protect.
  • Add and configure the email domains you want to protect.

    The way you do this depends on whether you're already using Sophos Email Security or not.

  • Configure your policies and settings.

Add mailboxes

You can add mailboxes in the following ways:

  1. Automatically, using a directory service. You can use Active Directory or Azure AD. For more information and instructions on how to set up a directory service, see Directory service.
  2. Manually.
  3. Manually, using a .csv file.

If you want to use a Microsoft 365 group to protect a subset of your mailboxes, you must set the group up before you connect your domain. See Microsoft 365 email groups.

Accept Microsoft pop-ups

When you add and configure your domains, you must give permission for Sophos applications to access your Microsoft tenants.

To do this your browser must accept pop-ups from Microsoft. You might have to disable pop-up blockers, or make exceptions for Microsoft domains.

You must also be able to sign in to the correct domain. If your browser has stored sign-in credentials for a different domain, use an incognito or private browsing window.

Add and configure domains

The steps you take depend on whether you're already using Sophos Email Security or not.

If you don't have any Microsoft 365 domains set up for Sophos Gateway, do as follows:

  1. Click Email Security > Set Up Email Security.
  2. Click M365 Mailflow Domain Settings / Status.
  3. If you haven't synchronized your Active Directory, do it now. If you've already synchronized your users and mailboxes, click Proceed to Next Step.
  4. In Add Domain, enter your domain details and click Setup M365 Mailflow.

    Note

    If you want to protect only a subset of mailboxes from the domain, create a new group in Microsoft 365 and add the mailboxes you want to protect. When you synchronize users and groups, this group is also imported. See Microsoft 365 email groups.

  5. Follow the instructions to set up your domains and mail flow rules. When you've added your domain, you're redirected to Microsoft for authentication and to grant permissions. You must grant these permissions to create the necessary applications and mail flow rules.

    When the migration or addition of domains is complete, the M365 Mailflow Domain Settings / Status screen appears, with your list of domains.

  6. To set up mail flow rules for these domains, click Connect and follow the instructions.

    You're redirected to Microsoft to authenticate your domains and grant permissions.

    You must grant these permissions in order to create a Microsoft 365 connector and the necessary applications and mail flow rules in your Microsoft 365 environment.

    Note

    When you've granted the permissions, the connector creation process can take up to ten minutes.

    If you already have mail flow rules set up on your Microsoft 365 domain, you see the Pre-existing Mailflow Rules Found message. To deal with this, see Fix conflicts with Microsoft 365 rules.

    When your Mailflow protection is set up, a success message appears.

  7. You can click Run a Quick Test to verify your Mailflow setup. Enter an email address to receive the test message. The test may take a few minutes.

    Warning

    After the connection is set up, Microsoft may continue to create other connections and resources in the background. If the quick test fails, wait for at least fifteen minutes and run it again before starting troubleshooting processes. See Troubleshoot Sophos Mailflow.

    The domains appear in M365 Mailflow Domain Settings / Status with a green check mark.

If you're already using Sophos Gateway on your Microsoft 365 domains and want to set up Sophos Mailflow rules on a new domain, or migrate your existing domains to Sophos Mailflow, do as follows:

  1. In Sophos Central go to Settings. Click M365 Mailflow Domain Settings / Status.
  2. In the next screen do one of the following:

    • If you're migrating a domain from Sophos Gateway to Sophos Mailflow, click Copy Existing M365 Domains and Policies. You confirm your choice, then we copy any Microsoft 365 domains we've detected.
    • If you're adding a domain to use with Sophos Mailflow for the first time, click Setup Domains and Policies manually and follow the instructions.
  3. When the migration or addition of domains is complete, the M365 Mailflow Domain Settings / Status screen appears, with your list of domains.

  4. To set up mail flow rules for these domains, click Connect and follow the instructions.

    You're redirected to Microsoft to authenticate your domains and grant permissions.

    You must grant these permissions in order to create a Microsoft 365 connector and the necessary applications and mail flow rules in your Microsoft 365 environment.

    Note

    When you've granted the permissions, the connector creation process can take up to ten minutes.

    If you already have mail flow rules set up on your Microsoft 365 domain, you see the Pre-existing Mailflow Rules Found message. To deal with this, see Fix conflicts with Microsoft 365 rules.

    When your Sophos Mailflow protection is set up, a Success! message appears.

  5. You can click Run a Quick Test to verify your Sophos Mailflow setup. Enter an email address to receive the test message. The test may take a few minutes.

    Warning

    After the connection is set up, Microsoft may continue to create other connections and resources in the background. If the quick test fails, wait for at least fifteen minutes and run it again before starting troubleshooting processes. See Troubleshoot Sophos Mailflow.

    The domains appear in M365 Mailflow Domain Settings / Status with a green check mark.

If you migrated your existing domains, verify that the mail flow rules are working and then remove the Sophos Gateway setup for each domain. This might include removing MX records that point to Sophos. See Prevent duplicate scans.
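As an added example that is not part of this page or of the Sophos product, the following Exchange Online PowerShell script checks the points listed under Before you start once the Connect step has finished: that the Sophos mail flow rules run before any pre-existing rules, that an enabled inbound connector exists and lists every accepted domain (so no backup onmicrosoft.com domain bypasses scanning), and what TLS setting the outbound connector enforces. It assumes the ExchangeOnlineManagement module is installed and that the rules and connectors Sophos Mailflow creates contain "Sophos" in their names; both are assumptions, not facts from the page.

```powershell
# Added verification script; not part of the Sophos documentation or product.
# Requires the ExchangeOnlineManagement module and an Exchange Online admin account.
# ASSUMPTION: the rules and connectors Sophos Mailflow creates contain "Sophos" in their names.
Connect-ExchangeOnline
$pattern = 'Sophos'

# 1. Mail flow rules. Priority 0 runs first, so every Sophos rule should have a
#    lower Priority number than every pre-existing rule.
$rules       = @(Get-TransportRule | Sort-Object Priority)
$sophosRules = @($rules | Where-Object { $_.Name -match $pattern })
$otherRules  = @($rules | Where-Object { $_.Name -notmatch $pattern })
$rules | Select-Object Priority, Name, State | Format-Table -AutoSize

if ($sophosRules.Count -eq 0) {
    Write-Warning "No Sophos mail flow rules found; the Connect step may not have completed."
} elseif ($otherRules.Count -gt 0) {
    $maxSophos = ($sophosRules | Measure-Object Priority -Maximum).Maximum
    $minOther  = ($otherRules  | Measure-Object Priority -Minimum).Minimum
    if ($minOther -lt $maxSophos) {
        Write-Warning "A pre-existing rule runs before a Sophos rule. See 'Fix conflicts with Microsoft 365 rules'."
    }
}

# 2. Inbound connector(s). They must exist and be enabled; setup fails on
#    subscriptions that do not support inbound connectors.
$inbound = @(Get-InboundConnector | Where-Object { $_.Name -match $pattern })
if ($inbound.Count -eq 0) {
    Write-Warning "No Sophos inbound connector found."
}
$inbound | Select-Object Name, Enabled, ConnectorType, RequireTls, SenderDomains | Format-List

# Only domains listed on the connector (and verified in Sophos Central) are scanned.
# An accepted domain that is missing, e.g. <tenant>.onmicrosoft.com, receives mail unscanned.
$senders = @($inbound | ForEach-Object { $_.SenderDomains } | ForEach-Object { $_.ToString().ToLower() })
if ($senders -notcontains '*') {       # '*' means the connector accepts every sender domain
    $covered = @($senders | ForEach-Object { $_.TrimStart('*.') })
    Get-AcceptedDomain | ForEach-Object {
        $d = $_.DomainName.ToString().ToLower()
        if ($covered -notcontains $d) {
            Write-Warning "Accepted domain $d is not on a Sophos inbound connector; its mail is not scanned."
        }
    }
}

# 3. Outbound connector(s). TLS is always used between Sophos and Microsoft 365;
#    TlsSettings shows what Microsoft 365 enforces toward Sophos.
Get-OutboundConnector | Where-Object { $_.Name -match $pattern } |
    Select-Object Name, Enabled, TlsSettings, SmartHosts | Format-List
```

Run it again after the fifteen-minute wait mentioned above if the quick test failed, because Microsoft may still be creating connectors in the background.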

Configure policies and settings

Go to Email Security > Policies to configure, edit or delete Email Security and Data control policies.

Go to Email Security > Settings to configure, edit or delete Email Security settings.

Delete Sophos Gateway connections

If you're an existing user and the domain you've connected to Sophos Mailflow was previously connected to Sophos Gateway, we recommend you delete the connection to Sophos Gateway as soon as possible. This might include removing MX records that point to Sophos.

If you don't disconnect and delete the Sophos Gateway connection your messages could be scanned twice. See Prevent duplicate scans.

More resources

This video explains how to set up Sophos Mailflow to integrate your Microsoft 365 email domains with Sophos Central.

You can also view this video on the Sophos Techvids page. See Sophos Email: Get Started with Sophos Email.

We also have other videos that take you through setting up Sophos Email Security.