How to Configure Office365 to Only Accept Email From a 3rd Party Spam Filter

If you want to use a 3rd party spam filtering service rather than utilising the built in protection provided by office 365, then you need to ensure that Office365 only accepts mail from that filtering service. If you don’t it’s too easy for spam bots to bypass the filter and deliver spam messages direct into your office 365 account potentially unfiltered!

Setting up is easy so lets look at the steps.

Step 1: Get a list of your spam filter providers public IP addresses. They will usually list a range of addresses from within their portal.

Step 2: Edit the default connection filter properties

Step 3: Create and configure a mail flow rule

Let’s look at each step in detail:

Step 1: Get a list of all your spam filter provider’s public IP address ranges which can usually be found from the main portal page on the providers website. Here I login to ours and on the main page there is a link to all the pubic IP addresses they use


Make a note of these IP addresses and ranges.


Step 2: Log into Office 365 as a tenant administrator and go to the Exchange admin portal and click on connection filter.



Now we must edit the existing connection filter so that it always accepts emails from our 3rd party spam filter. Click on the pencil edit symbol to edit the filter.


Click on connection filtering and then add all the spam filter providers IP addresses or Ranges. Either just enter a full IP or enter ranges using the slash notation as shown below. Once you have added all of them click Save.


Step 3:

In this step, we configure a rule which will delete all emails unless they come from the 3rd party spam filter provider’s servers. Go into the Exchange admin center, click mail flow then rules. Now create a new rule by clicking the plus symbol and select ‘Create a new rule’.


Complete the rule as shown but feel free to call it what you wish. The rule will apply to all emails send from people outside of our organisation and delete the email. We then need to configure an exclusion to this rule by again entering all the public IP addresses and ranges used by our 3rd party spam filter.

Click on More options to get to the exception options.


Once you click More options you can then add an exception to this rule by clicking add exception.


Select ‘The sender’ and click ‘IP address is in any of these ranges or exactly matches’.


Enter all the public IP addresses and ranges used by your 3rd party spam filter and press OK


Click on Save to save and activate the rule.


Congratulations your Office365 tenant is now configured to only accept email which comes from your 3rd party spam filter. No one will be able to bypass your MX records and try to deliver email direct to Office365.

Hope you found this useful please comment below if you did 🙂

[email-download download_id=”14741″ contact_form_id=”9351″]

Author: Ian@SlashAdmin

Share This Post On
468 ad


  1. Thanks for this, just what I needed!

    Post a Reply
  2. Will this work to force other Office 365 tenants to be routed through our third party spam filter?

    Post a Reply
    • Hi Jim,

      I’ve heard people say that 365 routes internally if it knows a domain is in 365 but never seen proof of this. I’ll do a trace tomorrow on a few of my Tennant’s and see if any route internally. Never seen that happen before so I suspect they won’t.

      Post a Reply
  3. Setup a connector from Office 365 to your org’s email server to smarthost all outbound email to your external filter.

    Also, you must setup a connector for partner domains if you want to route directly to another domain intentionally after enabling the smarthosting to your external filter.

    Post a Reply
  4. Office 365 tenant’s always sending emails internally, except if they are using smarthost

    Post a Reply
  5. I have this rule in test mode and am noticing that Auto Replies trigger the rule even when they are internal. I’ve also seen messages trigger then they pass from On Prem to Cloud mailboxes.
    Ever seen this or have suggestions to get around it?

    Post a Reply
    • @Dan I’ve seent he same issue, you can add an exception to the rule for Message Type of Automatic Replies and that fixes that issue but you’ll see other types of messages still trigger the like message recall notifications etc. I’ve been unable to find a rule that does what I want, block external messages only unless they came through my 3rd party!

      Post a Reply
      • I have this problem as well. Our rule is limited to only accept email from external senders if it comes through our 3rd party spam filter. The problem children that keep failing are internal users set their Automatic Replies to auto-forward while maintaining the headers using the ‘Leave Message Intact’ option. This makes it look like it’s coming from the original external sender but through M365 servers rather than the spam filter even though a message trace from the Exchange Admin Center still shows the auto-forward sender as the internal user. I’ve had to monitor this frequently since I still haven’t quite nailed down the right exceptions for this…

        Post a Reply


  1. These Office Spam Filter Solutions Work Better Than The Microsoft Native Solution - is designed to run on its, but there’s a very easy way to get around that. If you’re serious on…

Submit a Comment

Your email address will not be published.