It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Email Gateway Defense
formerly Email Security

How to Configure Microsoft 365 to Scan Only Selected Domains Outbound

  • Last updated on

If you make setting changes, allow a few minutes for the changes to take effect.

Use the steps in this article if you have multiple domains within your Microsoft 365 tenant and you want to scan only certain domains outbound.

Step 1. Create the Connector

Note that the following steps use the new Exchange admin center user interface.

  1. Log into the Microsoft 365 admin center
  2. In the left pane, click Mail flow, and click Connectors.
  3. Click the Add a connector button, and use the wizard to create a new connector.
  4. For Connection from, select Office 365. For Connection to, select Partner organization.
  5. Click Next. Enter a Name and (optional) Description to identify the connector:
  6. Click Next. Select Only when I have a transport rule set up that redirects messages to this connector.
  7. Click Next. Select Route email through these smart host, and click the + symbol.  
    1. Go to Email Gateway Defense, and click the Domains tab. Copy your outbound hostname from the MX records, and enter it in the add smart host page:
  8. Click Next. Use the default settings for the Security restrictions:Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issues by Trusted certificate authority (CA):
  9. Enter an external email address to validate the connector. For this test, it is important to use an email address from outside your organization , like a gmail or yahoo email address. Click Validate
    There are two parts of the validation:
    1. Test Connectivity – If this test fails, Outbound Groups is not enabled. Contact Barracuda Networks Technical Support and request that Outbound Groups be enabled on your Email Gateway Defense account.
    2. Send Test Email – If the test fails, there is no cause for concern. The test email comes from a Microsoft domain, not from your domain, so it is rejected. If you changed your domain away from, the test should work. Note that you might still receive the email even if the test failed. 
  10. Once the validation process is complete, click Next. Review your settings and then click Create connector.

Step 2. Create Transport Rule

  1. Log into the Microsoft 365 admin center
  2. In the left pane, click mail flow, and click rules.
  3. Click Add a rule.
  4. Select Create a new rule.
  5. In the new rule page, enter a Name to represent the rule.
  6. Under Apply this if, select The sender > is external/internal > Inside the organization.
  7. Click the + to add a new condition.
  8. From the drop-down menu, select The sender's domain is....
  9. Enter the domains you want to route through Email Gateway Defense.
  10. Under Do the following, select Redirect the message to… > the following connector, and select the connector you defined in Step 1. Create the Connector.
  11. Under Except if, select The Recipient > is external/internal > Inside the organization.
  12. Click Next.
  13. Under Match sender address in message, select Header or envelope.
  14. Click Next.
  15. Review the settings and then click Finish.