High level overview
At a high level, the setup process is as follows:
Setup Phish Protection - reduce TTL on MX record, validate configuration, import users, prepare to have email routed via Phish Protection
Setup your email server - prepare outgoing connectivity, assisted spam filters, ensure email delivered from Phish Protection to your tenant will not be “double-filtered”.
Finally, update MX records to divert email from Office365 to be delivered via Phish Protection.
Before you begin
The following will be required at various stages of the Phish Protection setup. Ensure you have the necessary details / access on-hand before beginning..
Credentials / Access
Access to add and change DNS records
Access to administer your email server
Ability to run powershell scripts (for optional importing of user details)
Portals and Websites
https://portal.duocircle.com - Main login portal for access the settings and configuration for gateway and message logs.
https://portal.phishprotection.com - You will SSO to the portal from the DuoCircle main portal. Access to all impersonation protection settings and logs.
Decisions / Details
Determine the “time of click” domain name you intend to use. This domain name will be used to rewrite any links on incoming email, so that users can be alerted to phishing attempts. Popular options are “click.<yourdomain.com>, “protection.<yourdomain.com>, etc”. Note that these links will be visible outside of your organization, on emails forwarded from your users to external parties. The most common is protection.<yourdomain.com>.
Optionally, prepare a transparent PNG with your branding details to customize the “time of click” landing page.
Identify your current DNS MX record(s). These records determine where your email is currently delivered to. Identify the TTL value on these MX records.
Any current allow/blocklists already established in existing filtering tools.
This next section is based on personal preference and is not required, however I use this as a pre-deployment snapshot to check the health of a domain, it helps to ensure that if something breaks - I can see how it was configured before, and if there are any errors before I start.
I will always open the domain in https://www.hardenize.com and review the email section. I am checking for yellow / red in the email section. At the end of your configuration, if you complete all of the steps including DKIM and MTA-STS setup your record will look like this. Everything green except for DANE.
Grey is fine, but we do not want any errors before proceeding. If you find errors, stop, resolve them, and then recheck the domain prior to proceeding.
I will always keep this page open during the configuration process. As I make DNS changes, I will rescan at each change to make sure that it has applied correctly.
Update MX Record DNS TTL (recommended)
Above, you noted the current TTL value on the DNS records. Update your DNS MX record(s) to the lowest possible TTL value, so that subsequent MX record changes can be made quickly.
To avoid any loss of email / confusion, wait at least the original TTL amount of time before completing the final MX record change in step 3 below.
Notify Users (optional)
It’s advisable to pre-warn users of a system change. A helpful template can be found at
Step 1: Setup Phish Protection
Account Portal Settings - https://portal.duocircle.com
In the portal the following items are important to complete
Set your destination server address. This is the MX record identified above. Confirmed that this is your email server and not any other 3rd party filtering. For Office 365 this is usually something.mail.protection.outlook.com
Ensure your Tag action is DELIVER - we will be sending messages identified as spam or phishing to your Admin quarantine on Office 365.
Keep this level at medium until you need to change it.
Take note of your custom MX record. It is the final step in the configuration process, to be actioned in step 3.
Accessing the Phish Protection Portal
To access the settings that are specific to Phish Protection, click on the PhishProtection button under the applications setting.
Once in the Phish Protection Portal, configure your Company Options and the email addresses associated with your account.
Time of Click DNS entry
Using your access to your DNS provider, create a CNAME record pointing your “time of click” DNS entry (i.e., protection.YOURDOMAIN.COM) to urlf.phishprotection.com.
Once the record hase been saved, use a DNS testing tool like https://www.whatsmydns.net to confirm the record is available. In the example below, the DNS record is propagating worldwide. The results should look predominantly green, maybe one of two red.
Once you have confirmed that the CNAME has propagated, you can configure that exact record in the Company Settings -> Time of Click Rewriting Domain setting. In this example the domain is
protection.outboundmagic.com your record needs to match the record created above.
Visit your “time of click” domain name in your browser. Confirm you see a landing page like this:
The system will not allow you to proceed without this record being saved. Update it, save it and then go back into the Company Settings screen.
Other Company Settings
Our suggested configuration is as illustrated below:
Rewrites URLs in plain-text messages : Yes
Rewrite URLs In HTML Emails : Yes
Configure a reporting email address
Log All Queries
Allow with Click Tracking
Follow Redirects - 6
Enable Dynamic Scanning Page
Upload a Company Logo
Enable Message Footer : No
Show External Email Warning : Yes
Show Sender Impersonation Email Warning : Yes
Show SPF Softfail Email Warning : Yes
Having configured the Company settings in Phishing Portal, create (or import from Office365) your users.
EXAMPLE do not use
It may be helpful to generate a CSV of your users from Office365, using the instructions linked below: