It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Email Gateway Defense
formerly Email Security

Validating Mail Flow Before Restricting Access

  • Last updated on

As part of the initial deployment for Email Gateway Defense, you are required to create a new inbound partner connector within Microsoft 365. This connector is used to enforce restrictions on your Microsoft tenant to prevent emails from bypassing your Barracuda Networks gateway defenses. 

Prior to enforcing those restrictions, it is important to validate your inbound mail flow to ensure there are no external senders that are sending emails directly. 

Create Inbound Connector

To get started, follow the instructions in the deployment guide to create your inbound partner connector. 

Collect Data

After creating the Barracuda Networks partner connector, let the new data collect over the next few days.  

Generate Inbound Report

Once you have sufficient data, generate an inbound mail flow report. 

  1. Log in to your Exchange admin center and navigate to Reports > Mail flow.
  2. Select Inbound messages report.
  3. Select Request report and fill in the following details:
    • Enter a Report name.
    • Fill in the desired Start and End dates. The start date is when you first enabled the connector, and the end date is the current date or the newest date available to select. 
    • Enter an email address for the Recipients to receive the inbound message report.
    • Set Direction to Received.
    • Set Connector type to All, including no connector.
    • Set TLS version to All, including no TLS.


  4. After the report is generated, you will receive an email from Microsoft with the report attached.
  5. Within the report, focus on the entries that do not have a connector associated to them. These are the messages that did not come through Barracuda Networks and will be blocked once the restrictions are enabled.

Run a Microsoft message trace on the message ID from your report to get more information on the message(s).


Emails shown as not coming through a connector will no longer be accepted once the connector restrictions are enforced. Ensure you have the senders use MX records to route mail to your tenant. Alternatively, if the source of the email is a trusted third party, you can create a partner connector within Microsoft.

As long as inbound emails either flow through the Barracuda connector or any of your other inbound (partner) connectors, the mail will not be rejected by the connector restrictions.

Restrict Access

Once you have validated your inbound mail flow, you will need to update the partner connector to enforce the IP restrictions.

Connect to Exchange Online and then run the following PowerShell command:

Set-InboundConnector -Identity "Barracuda Inbound Connector" -RestrictDomainstoIPAddresses $true