Configuration of MailCleaner AntiSpam with Microsoft Office 365

MailCleaner Support
Added almost 5 years ago

Office 365

From Configuration->Domains

If you have not already created the domain, select New domain, add the domain name and submit.

Once the domain exists, you can configure the following settings through the domain configuration wizard.


From the Delivery stage of the wizard, the destination server should be configured to the MX record provided by Microsoft. This should look something like:

Address verification

Configuring proper address verification is highly recommended. If you fail to do this, messages will be accepted for all recipients during the initial transaction with the sender, this has two main consequences for addresses that don't actually exist. For messages that get flagged, additional quarantines will be generated, meaning additional licensed users and quarantine reports being generated for non-existent addresses. For messages that do not get flagged, MailCleaner will attempt to deliver it and it will be rejected at the end of the transaction. This will generate a bounce message and risks your machine getting listed for backscatter (

Configuring address verification requires extra steps with Office 365 (as it does with other versions of Exchange). as well known as the recipient verification, you have to configure both MailCleaner and Office 365.

Address verification in MailCleaner

From the Address verification step of the domain configuration wizard, simply select 'smtp' as the Callout connector method.

Address verification in Office 365

In Office 365, you have to enable the Exchange Online Protection. You have to use Global Admin or an Exchange Company Administrator account.

The Directory Based Edge Blocking (DBEB) feature from Office 365 enables users to reject messages for nonexistent recipients.

For enabling DBEB, follow these steps:

  • Ensure the domain is set to Internal Relay, by going to EAC (Exchange Admin Center)> Mail Flow > Accepted Domains > Select your domain and click Edit > check if the domain type is set to Internal relay, if not change it to Internal relay and click Save.

  • Add your valid users to office 365 via Directory synchronization, remote Windows Powershell or directly from the Exchange Admin Center (EAC).

  • Now set your domain to Authoritative. Follow the same path as above, Mail Flow > Accepted Domains > select your domain and set it to Authoritative. After you click Save, please confirm that you wish to enable Directory Based Edge Blocking.

After enabling "Authoritative" mode, please test that this works from the MailCleaner domain configuration wizard by clicking "Test configuration". If you domain was already set to "Authoritative" you may need to disable and re-enable it again to have the change take effect. Note that the MailCleaner test will test for the 'postmaster' address as a valid address. According to the SMTP specification, this address MUST exist. If you don't have that address configured, you can ignore that it is rejected. For this step it is most important that the randomly generated address is rejected.

Here is the Microsoft documentation related to this chapter:


On-demand authentication for MailCleaner using Office 365 integration also requires configuration in both MailCleaner and Office 365. For now, only SMTP AUTH integration is supported. Enabling OAuth intergations is a work in progress.

Authentication in MailCleaner

From the Authentication stage of the wizard, configure the settings as follows:

  • Authentication type: smtp
  • Authentication server:
  • Username modifier: add the domain using @ character
  • Address lookup: build address by adding the domain to the username

Authentication in Office 365

From your Exchange admin center console, select Settings then Mail flow. In the pop-out panel ensure that Turn off SMTP AUTH protocol for your organization is DISABLED and that Turn on use of legacy TLS clients is enabled:

Office 365 - Enable SMTP auth and legacy TLS

You can then test the configuration using a set of known credentials in the MailCleaner wizard.

Authentication alternative

If you would not like to enable SMTP AUTH, you can instead rely on MailCleaner's passwordless authentication. This feature is provided as a link at the top of all Quarantine reports. When this link is clicked in any recent reports, they will be automatically logged and can view/modify their quarantine. You can enable the summary reports for the Preferences stage of the MailCleaner domain configuration wizard.


Now, when you configured everything, you have to change your MX records in order to point to your MailCleaner's servers.
Do not forget to adapt your SPF entry in your DNS to include the Microsoft O365 entries according to their documentation, but also to add the IPs of your MailCleaner servers too.

Info: a warning on the Office 365 dashboard will inform you that your MX are not pointed to Microsoft. You can ignore it.

Advantages of the MailCleaner solution with Microsoft Office 365:

0365-2.png (107 KB)