To allow MailShield to protect your organisation, you need to tell the internet to route your incoming emails through our security filters, and configure your Microsoft Exchange environment (whether cloud-hosted or on-premises) to route your outgoing emails through our secure gateway.
Do not worry if this sounds highly technical. It is essentially like filing a change-of-address form with the post office, and the process only takes a few minutes.
Setting up inbound protection (MX Records)
Mail Exchange (MX) records dictate where your incoming mail is delivered. We need to point them to MailShield so we can intercept threats before they reach your inboxes.
Step 1: Update your DNS Records
If your DNS is managed directly within Microsoft 365:
- Log into the Microsoft 365 Admin Center.
- Navigate to Settings > Domains.
- Select your primary domain and go to the DNS records tab.
- Delete existing records: Select your existing Exchange MX record and delete it. If you leave your old records active, spammers will bypass our security filters.
- Add the new record: Click Add record. Select MX as the type.
- In the Host name field, type @.
- In the Points to address field, paste the incoming server address provided in your MailShield dashboard (typically seg-in.cadmuscyber.com).
- For Priority, type 10. Click Save.
Important Note for Microsoft 365 Users: After updating your MX records, the Microsoft 365 Admin Center may display a warning about "Possible service issues" next to your domain. This is completely normal and expected. Microsoft expects MX records to point directly to their servers, but we are intentionally routing traffic through MailShield first. You can safely ignore this warning.
(Note: If you run an On-Premises Exchange Server or manage your DNS externally at a registrar like GoDaddy or Cloudflare, you will need to update your MX records there instead.)
Step 2: Lock Down Your Firewall (On-Premises Exchange Only)
If you host your own physical or virtual Exchange server, updating your MX records is not enough. You must also configure your corporate firewall to only accept inbound SMTP traffic (Port 25) from MailShield's IP addresses. If you leave Port 25 open to the world, attackers will bypass the MX records and deliver spam directly to your server's public IP address.
Securing outbound emails
To protect your outgoing emails and ensure they do not end up in your clients' junk folders, you must route your outbound mail through MailShield.
1. Generate your Smart Host credentials
- In the MailShield portal, navigate to the Outbound Setup page and click Generate Outbound Profile.
- The system will provide you with a Smart Host address (e.g., seg-out.cadmuscyber.com).
- For On-Premises Exchange Only: The system will also provide a username and secure SMTP password. Copy this password immediately. (Microsoft 365 does not require a password, as MailShield authenticates your tenant automatically).
2. Create a Send Connector
If you use Microsoft 365 (Exchange Online):
- Open the Exchange Admin Center.
- Navigate to Mail flow > Connectors.
- Click Add a connector.
- Set the connection from Office 365 to Partner Organization. (Ensure these exact directions are selected, otherwise the routing options will not appear). Click Next.
- Name the connector "MailShield Outbound Gateway" and ensure "Turn it on" is checked. Click Next.
- Under Use of connector, choose Only when email messages are sent to these domains and enter * (an asterisk) to route all external mail. Click Next.
- Under Routing, select Route email through these smart hosts. Click the plus icon and paste your MailShield Smart Host address (seg-out.cadmuscyber.com). Click Next.
- Under Security restrictions, leave Always use Transport Layer Security (TLS) enabled. Click Next.
- Follow the prompts to validate the connector with an external email address, then save.
If you use On-Premises Exchange Server:
- Open the Exchange admin center (EAC).
- Navigate to mail flow > send connectors.
- Edit your existing internet-facing send connector, or create a new one routing to the internet (*).
- Under the Delivery or Network routing options, select Route mail through smart hosts and click the add icon.
- Enter your MailShield Smart Host address (seg-out.cadmuscyber.com) and save.
- Click Smart host authentication. Select Basic authentication, check the box for Offer basic authentication only after starting TLS, and enter the username and password you generated in the MailShield portal.
- Save the connector.
3. Updating your SPF and DKIM records
Finally, you must authorise MailShield to send on your behalf.
- In your DNS settings, edit your existing SPF (v=spf1) record to include MailShield.
  - For M365, it should look like: v=spf1 include:spf.protection.outlook.com include:_spf.cadmuscyber.com -all
  - For On-Prem, it should look like: v=spf1 ip4:[Your-Server-IP] include:_spf.cadmuscyber.com -all
- Add a new TXT record. Set the Name to cadmus._domainkey.
- Paste the long cryptographic DKIM key from your MailShield dashboard into the Value field and save.
Waiting for the changes
Once you have saved these records, return to the MailShield Outbound Setup page and click Verify DNS.
The internet acts like a giant, slow-updating address book. It can take anywhere from a few minutes to a few hours for these DNS changes to spread globally. Your MailShield dashboard will automatically confirm once everything is perfectly aligned.
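If you want to check the records yourself while you wait, the sketch below tests the two mistakes this guide warns about: an old MX record left beside the MailShield one, and an SPF record that does not authorise MailShield. It is an added example, not MailShield tooling; the function names and sample records are constructed for illustration, and only the host names seg-in.cadmuscyber.com and _spf.cadmuscyber.com come from this page.

```python
# Added example: offline checks for the MX and SPF records described above.
# Function names are hypothetical; sample records are constructed.
MAILSHIELD_MX = "seg-in.cadmuscyber.com"         # inbound host named on this page
MAILSHIELD_SPF = "include:_spf.cadmuscyber.com"  # SPF include named on this page

# Constructed samples (example.com is a placeholder domain).
SAMPLE_MX_GOOD = [(10, "seg-in.cadmuscyber.com.")]
SAMPLE_MX_BAD = [(10, "seg-in.cadmuscyber.com."),
                 (0, "example-com.mail.protection.outlook.com.")]
SAMPLE_TXT_GOOD = ["v=spf1 include:spf.protection.outlook.com include:_spf.cadmuscyber.com -all"]
SAMPLE_TXT_BAD = ["v=spf1 include:spf.protection.outlook.com ~all"]


def check_mx(mx_records):
    """mx_records: list of (priority, host) pairs. Returns a list of problems."""
    problems = []
    hosts = [host.rstrip(".").lower() for _, host in mx_records]
    if MAILSHIELD_MX not in hosts:
        problems.append("no MX record points to " + MAILSHIELD_MX)
    for host in hosts:
        if host != MAILSHIELD_MX:
            # Any other MX is a delivery path that skips the filter.
            problems.append("stray MX bypasses filtering: " + host)
    return problems


def check_spf(txt_records):
    """txt_records: TXT strings published at the domain. Returns a list of problems."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # RFC 7208: zero records means no policy, several is a permanent error.
        return ["expected exactly one v=spf1 record, found %d" % len(spf)]
    terms = spf[0].lower().split()
    problems = []
    if MAILSHIELD_SPF not in terms:
        problems.append("SPF does not authorise MailShield (" + MAILSHIELD_SPF + ")")
    if terms[-1] != "-all":
        # Both records shown in this guide end in a hard fail.
        problems.append("SPF does not end in -all (found %s)" % terms[-1])
    return problems


if __name__ == "__main__":
    print("MX :", check_mx(SAMPLE_MX_BAD))
    print("SPF:", check_spf(SAMPLE_TXT_BAD))
```

Replace the sample lists with the MX and TXT answers your resolver returns for your own domain; an empty list from both functions means neither problem was found.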