Set up your standalone EOP service

This article explains how to set up standalone Exchange Online Protection (EOP). If you landed here from the Office 365 domains wizard, go back to the Office 365 domains wizard if you don't want to use Exchange Online Protection. If you're looking for more information on how to configure connectors, see Configure mail flow using connectors in Office 365.

Note

This article assumes you have on-premises mailboxes and you want to protect them with EOP, which is known as a standalone scenario. If you want to host all of your mailboxes in the cloud with Exchange Online, you don't have to complete all of the steps in this article. Go to Compare Exchange Online plans to sign up and purchase cloud mailboxes.

If you want to host some of your mailboxes on premises and some in the cloud, this is known as a hybrid scenario. It requires more advanced mail-flow settings. Exchange Server hybrid deployments explains hybrid mail flow and has links to resources that show how to set it up.

What do you need to know before you begin?

Tip

Having problems? Ask for help in the Exchange Online Protection forum.

Step 1: Use the Microsoft 365 admin center to add and verify your domain

  1. In the Microsoft 365 admin center, go to Setup to add your domain to the service.

  2. Follow the steps to add the applicable DNS records to your DNS-hosting provider in order to verify domain ownership.

Tip

Add a domain to Office 365 and Create DNS records at any DNS hosting provider for Office 365 are helpful resources to reference as you add your domain to the service and configure DNS.

Step 2: Add recipients and optionally enable DBEB

Before configuring your mail to flow to and from the EOP service, we recommend adding your recipients to the service. There are several ways in which you can do this, as documented in Manage mail users in EOP. Also, if you want to enable Directory Based Edge Blocking (DBEB) in order to enforce recipient verification within the service after adding your recipients, you need to set your domain type to Authoritative. For more information about DBEB, see Use Directory Based Edge Blocking to Reject Messages Sent to Invalid Recipients.

Step 3: Use the EAC to set up mail flow

Create connectors in the Exchange admin center (EAC) that enable mail flow between EOP and your on-premises mail servers. For detailed instructions, see Set up connectors to route mail between Microsoft 365 and your own email servers.

How do you know this task worked?

Check mail flow between the service and your environment. For more information, see Test mail flow by validating your Microsoft 365 connectors.

Step 4: Allow inbound port 25 SMTP access

After you configured connectors, wait 72 hours to allow propagation of your DNS record updates. Following this, restrict inbound port-25 SMTP traffic on your firewall or mail servers to accept mail only from the EOP datacenters, specifically from the IP addresses listed at Exchange Online Protection IP addresses. This protects your on-premises environment by limiting the scope of inbound messages you can receive. Additionally, if you have settings on your mail server that control the IP addresses allowed to connect for mail relay, update those settings as well.

Tip

Configure settings on the SMTP server with a connection time out of 60 seconds. This setting is acceptable for most situations, allowing for some delay in the case of a message sent with a large attachment, for example.

Step 5: Ensure that spam is routed to each user's Junk Email folder

To ensure that spam (junk) email is routed correctly to each user's Junk Email folder, you must perform a couple of configuration steps. The steps are provided in Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments.

If you don't want to move messages to each user's Junk Email folder, you may choose another action by editing your anti-spam policies. For more information, see Configure anti-spam policies in Office 365.

Step 6: Use the Microsoft 365 admin center to point your MX record to EOP

Follow the domain configuration steps to update your MX record for your domain, so that your inbound email flows through EOP. Be sure to point your MX record directly to EOP as opposed to having a third-party filtering service relay email to EOP. For more information, you can again reference Create DNS records for Office 365.

Note

If you must point your MX record to another server or service that sits in front of EOP, see Enhanced Filtering for Connectors in Exchange Online.

How do you know this task worked?

At this point, you've verified service delivery for a properly configured Outbound on-premises connector, and you've verified that your MX record is pointing to EOP. You can now choose to run the following additional tests to verify that an email will be successfully delivered by the service to your on-premises environment:

  • Check mail flow between the service and your environment. For more information, see Test mail flow by validating your Microsoft 365 connectors.

  • Send an email message from any web-based email account to a mail recipient in your organization whose domain matches the domain you added to the service. Confirm delivery of the message to the on-premises mailbox using Microsoft Outlook or another email client.

  • If you want to run an outbound email test, you can send an email message from a user in your organization to a web-based email account and confirm that the message is received.

Tip

When you've completed your setup, you don't have to perform extra steps to make EOP remove spam and malware. EOP removes spam and malware automatically. However, you can fine tune your settings based on your business requirements. For more information, see Anti-spam and anti-malware protection in Office 365 and Configure spoof intelligence.

Now that your service is running, we recommend reading Best practices for configuring EOP, which describes recommended settings and considerations for after you set up EOP.