A properly configured inbound connectors are a trusted source of incoming mail to Microsoft 365 or Office 365. However, there are times where you may prefer using an Enhanced Filtering Connector vs. an Inbound connector when using a third-party filtering solution.
Inbound Connectors - Explicitly trust the IP's and the messages from the IP's listed in the connector. This includes DKIM / SPF / DMARC / Spam checking.
Enhanced Filtering Connectors - Allow 365 to look beyond the IPs of the third party in order to evaluate the reputation, content and technical configuration of the originating IPs.
As you can see, Enhanced Filtering for connectors allows IP address and sender information to be preserved, which has the following benefits:
- Improved accuracy for the Microsoft filtering stack and machine learning models, which include:
- Heuristic clustering
- Better post-breach capabilities in Automated investigation and response (AIR)
- Able to use explicit email authentication (SPF, DKIM, and DMARC) to verify the reputation of the sending domain for impersonation and spoof detection.
Use the Security & Compliance Center to configure Enhanced Filtering for Connectors on an inbound connector
In the Security and Compliance Center, go to Threat Management > Policy, and then choose Enhanced Filtering.
In the Enhanced Filtering for Connectors page that opens, do the following steps:
- Select the connector that's responsible for receiving inbound mail from the third-party service, device, or on-premises Exchange.
- In the connector details fly out that opens, configure one of the following settings
- Automatically detect and skip the last IP address: We recommend this option if you have to skip only the last message source.
- Skip these IP addresses that are associated with the connector: Select this option to configure a list of IP addresses to skip.
- Disable Enhanced Filtering for Connectors: Turn off Enhanced Filtering for Connectors on the connector.
When you're finished, click Save.
Use Exchange Online PowerShell or Exchange Online Protection PowerShell to configure Enhanced Filtering for Connectors on an inbound connector
Set-InboundConnector -Identity "phishprotection" -EFSkipLastIP $true
In this example, the EFSkipLastIP parameter is ignoring the last message source (which is a default configuration should be the gateway) This is the preferred implementation method.
EFSkipLastIP: Valid values are:
$true: Only the last message source is skipped.
$false: Skip the IP addresses specified by the EFSkipIPs parameter. If no IP addresses are specified there, Enhanced Filtering for Connectors is disabled on the inbound connector. The default value is
However, if you would prefer to explicitly list all of the IPs assigned to the gateway
Set-InboundConnector -Identity "phishprotection" -EFSkipLastIP $false -EFSkipIPs 126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199/24
To open the Security & Compliance Center, got to https://protection.office.com.
To go directly to the Enhanced Filtering for Connectors page, open https://protection.office.com/skiplisting.
Please review the original source material before making changes to your connectors: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#what-happens-when-you-enable-enhanced-filtering-for-connectors