Properly configured inbound connectors are a trusted source of incoming mail to Microsoft 365 or Office 365. But in complex routing scenarios where email for your Microsoft 365 or Office 365 domain is routed somewhere else first, the source of the inbound connector is typically not the true indicator of where the message came from. Complex routing scenarios include:
Third-party cloud filtering services
Managed filtering appliances
Hybrid environments (for example, on-premises Exchange)
Mail routing in complex scenarios looks like this:
As you can see, the message adopts the source IP of the service, appliance, or on-premises Exchange organization that sits in front of Microsoft 365. The message arrives in Microsoft 365 with a different source IP address. This behavior isn't a limitation of Microsoft 365; it's simply how SMTP works.
In these scenarios, you can still get the most out of Exchange Online Protection (EOP) and Microsoft Defender for Office 365 by using Enhanced Filtering for Connectors (also known as skip listing).
After you enable Enhanced Filtering for Connectors, mail routing in complex routing scenarios looks like this:
As you can see, Enhanced Filtering for connectors allows IP address and sender information to be preserved, which has the following benefits:
Improved accuracy for the Microsoft filtering stack and machine learning models, which include:
Heuristic clustering
Anti-spoofing
Anti-phishing
Better post-breach capabilities in Automated investigation and response (AIR)
Able to use explicit email authentication (SPF, DKIM, and DMARC) to verify the reputation of the sending domain for impersonation and spoof detection. For more information about explicit and implicit email authentication, see Email authentication in EOP.
For more information, see the What happens when you enable Enhanced Filtering for Connectors? section later in this article.
Use the procedures in this article to enable Enhanced Filtering for Connectors on individual connectors. For more information about connectors in Exchange Online, see Configure mail flow using connectors.
Note
We always recommend that you point your MX record to Microsoft 365 or Office 365 in order to reduce complexity. For example, some hosts might invalidate DKIM signatures, causing false positives. When two systems are responsible for email protection, determining which one acted on the message is more complicated.
The most common scenarios that Enhanced Filtering is designed for are Hybrid environments; however, the mail destined for on-premises mailboxes (outbound mail) will still not be filtered by EOP. The only way to get full EOP scanning on all mailboxes is to move your MX record to Microsoft 365 or Office 365.
Except for linear inbound routing scenarios where MX points to on-premises servers, adding your on-premises hybrid server IPs to the enhanced filter skip list is not supported in a centralized mail flow scenario. Doing this can cause EOP to scan your on-premises hybrid server emails, adding a compauth header value, and may result in EOP flagging the message as spam. In a configured hybrid environment, there is no need to add them to the skip list. The skip list is primarily intended to address scenarios where there is a third-party device/filter before your Microsoft 365 tenant. For more information, see MX record points to third-party spam filtering.
Do not put another scanning service or host after EOP. Once EOP scans a message, be careful not to break the chain of trust by routing mail through any non-Exchange server that is not part of your cloud or on-premises organization. When the message eventually arrives at the destination mailbox, the headers from the first scanning verdict might no longer be accurate. Centralized Mail Transport should not be used to introduce non-Exchange servers into the mail flow path.