When working with customer environments it is very possible a 3rd party appliance maybe involved and for the purpose of this post I will be directly looking at Mimecast to see how its configured to work with Office 365.

Prerequsities

• An Office 365 administrator logon with permission to create a send connector.
• Your internal domains must already be registered with us.
• A Mimecast administrator logon with at view permission to the Gateway | Accepted Email menu item.

Mimecast recommend that if you are switching MX records, this task must be completed 3 days before changing the MX record to point at Mimecast. The reason for this allows Mimecast to build your Auto Allow list, based on recipients your users send messages to.

This has a positive impact on inbound email delivery speed, because many senders will already be known and consequently not be subject to our greylisting security feature.

Updating the SPF Record for your Domain(s)

You must have an SPF record for the domain(s) registered with Office 365. When implementing Mimecast with Office 365, this record must be updated in the DNS zone for the relevant domain to include the following:

• Remove: v=spf1 include:spf.protection.outlook.com –all
• Replace with or add:  v=spf1 include:_netblocks.mimecast.com ~all

Important Note: If your outbound email is temporarily coexisting with Mimecast, you can leave the v=spf1 include:spf.protection.outlook.com –all SPF record. However, it must be removed once all your outbound email is routed through Mimecast.

Configuring Outbound Routing

Important Note: Mimecast has known issue with browsers that are not Internet Explorer and its recommend this process is completed using Internet Explorer only. All other browsers tested have issues.

Recommendation: Disable or remove any other Outbound Send Connectors. Failure to do this means your outbound email still uses these and isn’t routed through us.

Any send connectors used for other purposes (e.g archiving) may still be enabled. If in doubt, consult Mimecast Support.Any send connectors used for other purposes (login archiving) may login be enabled. If in doubt, consult Mimecast Support.

Adding the Office 365 Tenant Domain as an Internal Domain

Your Office 365 tenant domain must be added to the list of internal domains available in the Mimecast Administration Console. See the Configuring Internal Domain / Subdomains page for full details. This enables us to recognize certain auto response messages, where the sender address is not a normal internal domain. This is typically in the format @domain.onmicrosoft.com. Contact the Mimecast Support team if you have queries regarding this step.

Contact the Mimecast Support team if you have queries regarding this step.

Verifying Your Configuration

Once this step is complete, Office 365 must be added to your authorized outbounds as an umbrella account. View the Maintaining Authorized Outbound Addresses page for more information.

To verify that Office 365 is successfully routing email outbound via us:

1. Log on to the Offic 365 Administration Console.
2. Select Admin | Exchange

Select Mail Flow | Connectors
Create a Connector

Select Office 365 – From Field
Select Partner organization – To Field

Enter Name for Connector
Enter Description for Connector – Optional
Ensure “Turn it on” is ticked

Select “Only when email messages are sent to these domains”
Press the ( + )

Type the value * which will allow all outbound email to Mimecast

Press Next

Select “Route email through these smart hosts”
Press the ( + )

Now, depending on your location you will need to use the Smart Host address from the table

As shown below

Press Next

Select “Always use Transport Layer Security (TLS) to secure this connection (recommended)”
Select “Issued by a trusted certificate authority (CA)

Before pressing next please ensure that you confirm all your configured settings
Press Next

Press the ( + ) this will allow you to validate the connector

Enter an external email to send the test email

Click Validate

If everything is ok and configured correctly you should see a success message

Press save !!! and your all done

Recommendation: Disable or remove any other Outbound Send Connectors, if this is not completed it may cause email to fail as it won’t be routed through Mimecast

But if doing the above seems a bit boring, there’s always PowerShell 🙂

new-outboundconnector -name ConnectorName -smarthosts SmartHostAddress1,SmartHostAddress2 -tlssettings certificatevalidation -recipientdomains * -routeallmessagesviaonpremises $false -connectortype Partner -usemxrecord $false -whatif

or download my script for all Mimecast regions

Set-O365MimecastConnector (11 downloads)

Add your Office 365 domain as an internal domain in Mimecast

The Office 365 domain(s) must be added to the list of internal domain available in the Mimecast Administration console, if this action is missed. Mimecast are unable to recognise auto response message where the send address maybe @domain.onmicrosoft.com. Mimecast have a section about this on their website, please follow the link below.
Configuring Internal Domain / Subdomains 

Verify your configuration

To verify that Office 365 is successfully routing email outbound via us:

1. Log on to the Administration Console.
2. Click on the Administration toolbar button.
3. Select the Message Center | Accepted Messages menu item.

See the Message Center: Accepted Messages page for full details.

You should see messages from your organization’s internal users to external recipients. If you don’t see messages shortly after they’re sent, this indicates a configuration problem on your Office 365 send connector. Double check your configuration. Use the Office 365 Message Trace Tool in the Mail Flow | Message Trace menu of the Exchange Admin Center to help identify the issue.

Important Note: Once this step is complete, Office 365 must be added to your authorized outbounds as an umbrella account. View the Maintaining Authorized Outbound Addresses page for more information.

Regards
The Author – Blogabout.Cloud