As part of Barracuda Networks' ongoing commitment to providing the highest level of email security and compliance, we would like to share an important update regarding the deployment of Barracuda Email Gateway Defense (EGD) in conjunction with Microsoft Exchange Online.
What Is Changing?
For the past several years, Barracuda Networks has recommended configuring a mail flow rule in Exchange Online to set the Spam Confidence Level (SCL) to -1. This rule was designed to override Microsoft Exchange Online Protection (EOP) verdicts, ensuring that emails processed by EGD were delivered directly to users’ inboxes.
However, Microsoft has introduced Enhanced Filtering for Connectors, a feature that significantly improves the integration between third-party email security solutions and Exchange Online. Enhanced Filtering for Connectors is now the recommended best practice by Microsoft and offers several advantages over the previous SCL -1 configuration.
Why Is It Changing?
Improved Security – Enhanced Filtering for Connectors allows EOP to recognize and respect the filtering decisions made by EGD while still applying its own advanced threat protection measures. This dual-layered approach enhances overall email security.
Accurate Spam Filtering – By preserving the original sender’s IP address and other metadata, Enhanced Filtering for Connectors enables more accurate spam and phishing detection, reducing false positives and ensuring legitimate emails are delivered correctly.
Compliance with Microsoft Best Practices – Adopting Enhanced Filtering for Connectors aligns with Microsoft’s latest recommendations, ensuring that your email security setup remains up-to-date and compliant with industry standards. See also Best practices for using a 3rd party filtering service with Microsoft 365.
Seamless Integration – Given that Microsoft’s anti-spam and anti-phishing protections cannot be entirely turned off, working together with Microsoft’s Enhanced Filtering for Connectors ensures a more seamless and integrated email security solution. This approach leverages the strengths of both EGD and Microsoft EOP, providing comprehensive protection.
Sender Rewrite (SRS) – In order for SPF checks to pass and sender rewrite to work, a partner connector with enhanced filtering is required. Emails that fail SPF checks when being accepted by Microsoft will have SRS skipped, which results in an authentication failure with Barracuda servers and the message is not sent.
What Action Is Required?
To transition to Enhanced Filtering for Connectors, follow these steps:
Enable Enhanced Filtering for Connectors – Configure Enhanced Filtering for Connectors in the Exchange Online admin center. Detailed instructions can be found in the Microsoft documentation.
Note that this requires the Barracuda partner connector to be created first. If you do not have a partner connector created for Barracuda Networks, see Step 2 Deploy a Partner Connector in the Getting Started guide. The subsection Create a Partner Connector and Enable Enhanced Filtering for Connectors will create a partner connector and enable Enhanced Filtering for Connectors using PowerShell commands.
Alternatively, if you have already set up your partner connector and only need to enable Enhanced Filtering for Connectors, use the following instructions:Select Barracuda Inbound Connector, the partner connector you previously created.
Select Automatically detect and skip the last IP address and Apply to entire organization.
Click Save.
Remove the existing SCL -1 Mail Flow Rule – If you have previously configured a mail flow rule to set the SCL to -1, remove this rule from your Exchange Online settings.
Verify your configuration – Review your Microsoft anti-spam policy to ensure it’s configured to follow recommended best practices.
Log into the Microsoft Defender portal https://security.microsoft.com/.
On the left, navigate to Email & collaboration > Policies & rules.
Select Threat policies > Anti-spam.
Select Anti-spam inbound policy (Default).
Scroll down and click Edit actions.
Review your settings and click Save.
Note: The settings shown here are the default Microsoft anti-spam settings. Organizations may opt for a different level of filtering based on the needs of the organization. To learn more about Microsoft anti-spam policies, see https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about.
Who to Contact for Assistance?
We understand that this transition may require some adjustments to your current setup. Our Barracuda Networks Technical Support team is here to assist you every step of the way. If you have any questions or need help with the configuration, contact Barracuda Networks Technical Support.