You can configure Microsoft 365 with Email Gateway Defense as your inbound and/or outbound mail gateway.
If you make changes to the settings, allow a few minutes for the changes to take effect.
You can specify Email Gateway Defense as an inbound mail gateway through which all incoming mail for your domain is filtered before reaching your Microsoft 365 account. Email Gateway Defense filters out spam and viruses, then passes the mail on to the Mirosoft 365 mail servers. Use the Configure Inbound Mail Flow instructions below to configure.
You can also specify Email Gateway Defense as the outbound mail gateway through which all mail is sent from your domain via your Microsoft 365 account to the recipient. As the outbound gateway, Email Gateway Defense processes the mail by filtering out spam and viruses before final delivery. By configuring Microsoft 365 as described in Configure Outbound Mail Flow below, you instruct the Microsoft 365 mail servers to pass all outgoing mail from your domain to Email Gateway Defense (the gateway server).
Step 1. Launch the Email Gateway Defense Setup Wizard
The setup wizard includes steps to identify your email server, add MX records, and remove MX records. Each of the domains where you want to filter email must be verified by Email Gateway Defense for proof of ownership; Email Gateway Defense does not process email for a domain until the verification process is complete.
Log into Barracuda Cloud Control. If this is your first time launching the Email Gateway Defense setup wizard, you will be redirected to the Barracuda Trials Hub page. Click Set Up under Email Gateway Defense.
Alternatively, if you have started the setup wizard but did not complete it, after logging into Barracuda Cloud Control, select Email Gateway Defense on the left side. In the top banner, click Set Up Now to launch the setup wizard.
The Email Gateway Defense wizard launches.
Select the Region for your data center. Then click Confirm region.
Enter a valid email address from the email server domain you want to protect with Email Gateway Defense. Click Detect email server.
The system automatically auto-fills your destination mail server. If this is not the correct server, click Edit, enter the correct details, and then click Update.
After you have determined that the settings are correct, click Verify server.
- Once your email server is verified, a green check mark will appear at Step 1 and the Status will show . You can now move on to Step 2 Add new MX records.
- To add new MX records:
- Log into your DNS hosting account.
- Add the primary and backup MX records shown in the Add new MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.
Add the MX records with a low priority, for example, 99. Adding the new MX records to your existing list should look similar to this:
Verify that the new Email Gateway Defense MX records have been added by clicking on the Verify records button.
Once your MX records are added, a green check mark will appear at Step 2 and the Status will show . You can now move on to Step 3 Remove old MX records.
- To remove old MX Records:
- Log into your DNS hosting account.
Remove the existing MX records shown in the Remove old MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.
- Verify that your non-Barracuda Networks MX records have been removed by clicking on the Verify update button.
Once your MX records are removed, a green check mark will appear at Step 3 and the Status will show .
After you have successfully completed all the steps in the Email Gateway Defense setup wizard, click the Complete setup button. To exit the wizard and come back at a later time, click Save & exit.
Step 2. Add Additional Email Domains (Optional)
You configured your primary email domain in Step 3 of the wizard, above.
Use the steps in the following section if you want to protect additional domains with Email Gateway Defense. If you are only protecting one domain, continue below with Step 3.
Obtain the hostname:
- Log into the Microsoft 365 admin center.
- In the left pane, click Settings > Domains.
- In the Domains table, click on your domain.
- Take note of the hostname. This is the address of your destination mail server, for example, cudaware-com.mail.protection.outlook.com
Enter the hostname:
- Log into the Barracuda Cloud Control as administrator. In the left panel, click Email Gateway Defense. Select the Domains tab, then click Add Domain.
- Enter the domain name and destination mail server hostname obtained from your Microsoft 365 account:
- Click Add Domain; the Domain Settings page displays, listing the new domain.
- Verify that the domain is yours. Follow the instructions in How to Set Up MX Records for Domain Verification. Make sure that you see that the domain is successfully verified, then return to this page.
Repeat these steps, as needed, for additional Microsoft 365 domains before continuing with Step 3 below.
Step 3. Create Transport Rule to Bypass Spam Filtering
Barracuda Networks recommends using powershell commands to create a transport rule to bypass spam filtering.
Alternatively, you can use the Microsoft 365 admin center to create a transport rule to bypass spam filtering.
Step 4. Deploy Partner Connector
The steps in this section enhance the security of the connection between Email Gateway Defense and Microsoft 365. Creating a partner connector will allow you to enforce security policies to ensure that all inbound email originates from Barracuda's servers.
Create Inbound Connector
To get started, create your inbound connector.
- Install Exchange Online module.
- If you have already installed Exchange Online module, proceed to the next step.
- To install Exchange Online module, open Windows PowerShell as an administrator and enter the following command:
Install-Module -Name ExchangeOnlineManagement
- Connect to Exchange Online Powershell and log in with your Microsoft 365 administrator account using the following command:
Connect-ExchangeOnline
- Find the correct IP range based on the region selected when setting up your Barracuda Networks instance. Refer to the Email Gateway Defense IP Ranges Used for Configuration for the IP ranges corresponding to your region.
After you connect to Exchange Online PowerShell, run the appropriate PowerShell script based on your region:
PowerShell Script for the Australia Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 3.24.133.128/25
PowerShell Script for the Canada Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 15.222.16.128/25
PowerShell Script for the German Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 35.157.190.224/27
PowerShell Script for the UK Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 35.176.92.96/27
PowerShell Script for the US Region
New-InboundConnector -ConnectorType Partner -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 209.222.80.0/24,209.222.81.0/24,209.222.82.0/24,209.222.83.0/24,209.222.84.0/24,209.222.85.0/24,209.222.86.0/24,209.222.87.0/24
Validate Mail Flow (Optional)
The new inbound partner connector you just created will be used to enforce restrictions on your Microsoft tenant to prevent emails from bypassing your Barracuda Networks gateway defenses. Prior to enforcing those restrictions, it is important to validate your inbound mail flow to ensure there are no external senders that are sending emails directly to your Microsoft tenant.
For instructions on how to validate mail flow, see Validating Mail Flow Before Restricting Access.
Restrict Access
To update your Barracuda partner connector to require inbound mail to flow through Email Gateway Defense, connect to Exchange Online and run the following PowerShell command:
Set-InboundConnector -Identity "Barracuda Inbound Connector" -RestrictDomainstoIPAddresses $true
Step 5. Configure Sender Policy Framework for Outbound Mail
To ensure Barracuda Networks is the authorized sending mail service of outbound mail from Email Gateway Defense, add the following to the Sender Policy Framework (SPF) record INCLUDE line of the SPF record for your sending mail server for each domain sending outbound mail. Select the relevant SPF INCLUDE based on the region you selected for your Barracuda Networks instance.
For more information, see Email Gateway Defense Outbound IP Ranges.
AU (Australia)
include:spf.ess.au.barracudanetworks.com -all
CA (Canada)
include:spf.ess.ca.barracudanetworks.com -all
DE (Germany)
include:spf.ess.de.barracudanetworks.com -all
UK (United Kingdom)
include:spf.ess.uk.barracudanetworks.com -all
US (United States)
include:spf.ess.barracudanetworks.com -all
For more information, see Sender Authentication.
- If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Networks instance. For example:
include:spf.ess.barracudanetworks.com -all
- If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a HARD Fail SPF for your domain based on your Barracuda Networks instance. For example:
v=spf1 include:spf.ess.barracudanetworks.com -all
Step 6. Configure User Accounts and User Lists
Follow the steps in the appropriate links, based on your organization's setup.
How to Configure User Authentication Using LDAP
How to Configure User Authentication with Azure AD
Step 7. Configure Outbound Mail
Step 8. Disable RTF (Rich Text Format) (Optional)
Customers sending outbound mail through Email Gateway Defense can consider disabling Rich Text Format (RTF) on their outbound external mail. When a message is formatted as Rich Text, the attachments will be formatted with TNEF, a Microsoft proprietary encoding that can be configured at the client or organization level. RTF refers to the message format and TNEF refers to the attachment format. RTF encoding can cause issues with attachments converting to winmail.dat
files which can only be read by other Outlook clients. This can cause problems for outbound content/DLP policies that examine attachments. For example, if an end user sends an email with a PDF attachment that contains a SSN and the email is sent with RTF encoding, Email Gateway Defense would not be able to scan the PDF and identify the SSN to apply a DLP policy. By disabling RTF at the account level, it will force all outbound external mail to be HTML encoded instead.
To disable RTF on Exchange Online and Exchange 2013 and newer, use one of the following methods.
Powershell Command
Set-RemoteDomain -Identity Default -TNEFEnabled $false
Exchange Admin Center
- Log into the Microsoft 365 Exchange Admin Center.
- In the left pane, click Mail flow > Remote domains.
- Edit the Default remote domain.
- Under Text and character set, select Never for Use rich-text format.
- Click save.
Your deployment is now complete! Learn more about Email Gateway Defense.