Connector- Based Customer Delivery Pool Mailbox (On-premises) Mailbox or Application (On-premises) Higher Risk High Risk Delivery Pool Resolve.

Presentation on theme: "Connector- Based Customer Delivery Pool Mailbox (On-premises) Mailbox or Application (On-premises) Higher Risk High Risk Delivery Pool Resolve."— Presentation transcript:

6 [Mail flow diagram; labels recovered from the slide]
- Internet mail is routed based on MX record resolution
- Resolve host name to EOP DC (contoso-com.mail.protection.outlook.com)
- Edge Blocks & Tenant Attribution: IP-based block lists; Directory-based (Recipient) Blocks
- Virus Scanning: AV Engine 1; AV Engine 2; AV Engine 3
- Transport Rules / Policy Enforcement: Custom Rules; Email Encryption; Quarantine; Allows/Rejects
- SPAM Protection: Content scanning and Heuristics; Content Filter Advanced Options; Outlook Safe Sender/Recipient; Bulk Mail Filtering
- Connector-Based Customer Delivery Pool; Higher Risk / High Risk Delivery Pool; Outbound Pool (Normal Score)
- Mailbox (On-premises); Mailbox or Application (On-premises); Mailbox (O365)

7 Deployment: Basic Mail Flow

8 Filtering only…or with Exchange Online, including Hybrid:

9 https://ps.protection.outlook.com/powershell-liveid/ is the correct URL to use when connecting to EOP SA

10 https://outlook.office365.com/powershell-liveid/ is the correct URL to use when connecting to Exchange Online
Migration planning is key

11
- Routing between Exchange on-premises & Exchange Online MUST NOT pass through any 3rd party
- Use CBR connectors or centralized mail transport if you must for non-Hybrid mail flow
- If you keep MX record pointed to on-premises:
  - EOP scanning will have reduced effectiveness
  - On-premises IP reputation & ability to keep the bad stuff out is critical to maintaining mail flow

12 Domain Validation

13 Domain Validation – Wizard completion

14 Once verified, domain will appear in EOP/EXO as an “AcceptedDomain”
- For EOP, will default to “internal relay”
- For EXO, will default to “authoritative”

16 Test & enable mail flow
Test
- Simply VALIDATE your new connector in the Office 365 Admin Center
- Or telnet to assigned host record (contoso-com.mail.protection.outlook.com) and attempt to send a test message to on-premises mailbox
DNS changes
- MX record (domain-suffix.mail.protection.outlook.com)
- SPF record (v=spf1 ip4:10.1.2.3 include:spf.protection.outlook.com -all)
- Do not change Autodiscover CNAME DNS entries for filtering-only customers
On-premises changes
- Create smart host from on-premises environment to EOP
- Restrict on-premises firewall to only accept port 25 traffic from EOP

17 When you are done: HINT: Keep your on-premises IP addresses in here too!

18 Recommend: Enable Directory Synchronization
- Automated user/group management
- Ease of administration for rules based on addresses
- Synchronize Outlook safe/block sender lists
- Enable directory-based edge (recipient) blocking
[Diagram labels: On-premises; Exchange Online Protection; Office 365 Directory Sync]

19 Protection: Anti-Spam & Anti-Malware

20
Setting expectations
- May see a change in email patterns
- Every product needs to be tuned to your environment
- Features may function differently
Porting configuration
- Good opportunity to trim old safe/block lists
- Spam filtering rules may not be needed
- Review filtering policies (transport rules)

21 Spam and Policy customization

22 EOP and the Junk Mail folder
- Standalone only (should not be required for proper Hybrid deployment):
    Set-OrganizationConfig -SCLJunkThreshold 4
- At least two rules need to be added to the on-premises environment:
    New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6
    New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6
- Make sure Outlook updates are always applied to prevent false negatives (SCL -1 is not recognized without update and will take the spam action)
- It is EASY to educate end users to use the Junk Mail folder in Outlook!
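Added example (not part of the original deck): a Python model of what the two on-premises transport rules on this slide do, parsing X-Forefront-Antispam-Report into fields and stamping SCL 6 when the SFV verdict is SPM or SKS. The function names and the sample header values are constructed for illustration.

```python
JUNK_VERDICTS = {"SPM", "SKS"}  # SFV values matched by the two rules
RULE_SCL = 6                    # value the rules stamp with -SetSCL 6
JUNK_THRESHOLD = 4              # Set-OrganizationConfig -SCLJunkThreshold 4


def parse_antispam_report(value):
    """Parse 'KEY:value;KEY:value;...' into a dict (hypothetical helper)."""
    fields = {}
    unfolded = " ".join(value.split())  # undo header folding (CRLF + space)
    for part in unfolded.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            # partition() splits on the first colon only, so values that
            # contain colons themselves (an IPv6 address in CIP) stay intact.
            fields[key.strip().upper()] = val.strip()
    return fields


def apply_rules(header_value, scl=None):
    """Return the SCL after both rules: 6 for SFV:SPM or SFV:SKS, else unchanged."""
    sfv = parse_antispam_report(header_value).get("SFV", "").upper()
    return RULE_SCL if sfv in JUNK_VERDICTS else scl


def goes_to_junk(scl, threshold=JUNK_THRESHOLD):
    """A message is moved to Junk Email when its SCL exceeds the threshold."""
    return scl is not None and scl > threshold


# Constructed sample headers (not taken from real mail).
SPAM_HDR = "CIP:203.0.113.9;CTRY:US;SCL:5;SFV:SPM;H:mail.example.net"
CLEAN_HDR = "CIP:2001:db8::25;SCL:1;\r\n SFV:NSPM;H:mx.example.org"

if __name__ == "__main__":
    for hdr in (SPAM_HDR, CLEAN_HDR):
        scl = apply_rules(hdr, scl=1)
        print(parse_antispam_report(hdr).get("SFV"), scl, goes_to_junk(scl))
```

Matching on the parsed SFV field rather than on a raw substring keeps the check exact when the header is folded across lines.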

23 EOP and the quarantine
- Messages are kept in EOP datacenters away from the user’s view.
- Administrator can grant access to the quarantine for end-user self-management.
- Administrator can also configure end-user spam notifications (ESNs)

24
Publish an SPF record (Sender Policy Framework)
- Include EOP IPs and on-premises public IPs
- Use the Microsoft Configuration Wizard
- Avoid safe-listing own domains - this by-passes the SPF check and negates the check’s effectiveness
Publish a DMARC policy (Domain-based Message Authentication, Reporting and Conformance)
- If you can’t publish p=reject or p=quarantine, you can still publish p=none and collect feedback.
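Added example (not part of the original deck): a Python check for the SPF guidance on this slide and the record shown on the "Test & enable mail flow" slide. It verifies that a record includes spf.protection.outlook.com, covers each on-premises IP with an ip4 mechanism, and ends in the ASCII -all; a typographic dash pasted in place of the hyphen is flagged. The function name and test inputs are constructed.

```python
import ipaddress

EOP_INCLUDE = "include:spf.protection.outlook.com"


def check_spf(record, onprem_ips):
    """Return a list of findings for an SPF TXT record; empty means it passed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    mechs = [t.lower() for t in terms[1:]]
    findings = []

    if EOP_INCLUDE not in mechs:
        findings.append("missing " + EOP_INCLUDE)

    # Networks authorised by ip4: mechanisms (a bare address is a /32).
    nets = []
    for m in mechs:
        if m.lstrip("+").startswith("ip4:"):
            try:
                nets.append(ipaddress.ip_network(m.split(":", 1)[1], strict=False))
            except ValueError:
                findings.append("unparsable mechanism " + m)

    for ip in onprem_ips:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append("on-premises IP %s not covered by ip4" % ip)

    # The record must end in a hard fail. A typographic dash pasted from a
    # document is not the ASCII "-all" and fails this comparison.
    last = mechs[-1] if mechs else ""
    if last != "-all":
        findings.append("record does not end with -all: %r" % last)
    return findings


# Constructed inputs; 10.1.2.3 is the example address used in the deck.
GOOD = "v=spf1 ip4:10.1.2.3 include:spf.protection.outlook.com -all"
PASTED = "v=spf1 ip4:10.1.2.3 include:spf.protection.outlook.com \u2013all"

if __name__ == "__main__":
    for rec in (GOOD, PASTED):
        print(check_spf(rec, ["10.1.2.3"]) or "OK")
```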

25
Publish a DKIM signature (DomainKeys Identified Mail)
Recommend reporting Spam to Microsoft
- Get the Junk email reporting tool
- Attach to a new email, copy headers into body of new email and send to junk@office365.microsoft.com
Recommend reporting False Positives to Microsoft
- Attach to a new email, copy headers into body of new email and send to not_junk@office365.Microsoft.com

26
- Protection against unknown malware and viruses
  - Through a feature called Safe Attachments
- Real time, time-of-click protection against malicious URLs
  - Through a feature called Safe Links
- Rich reporting and URL trace capabilities
A new email filtering service coming this summer

27
- Microsoft has begun to get more aggressive against bulk email
- New anti-spam header X-Microsoft-AntiSpam
- Improvements to bulk email filtering:
  - Bulk Complaint Levels (BCL) – use it today

28
- X  Have application send via EOP
- ✓  Find a 3rd party in the business of sending email
- X  Use same on-premises IPs as core business emails
- ✓  Use a separate domain or subdomain for mass emails
- ✓  Make sure SPF record(s) include all apps & 3rd parties

29 Monitor and fine tune
- Make adjustments to rules or settings as needed
- Evaluate effectiveness of spam settings
- Did you report that to the Microsoft Anti-spam team?
- Reports (Office 365 Portal or Mail Protection Reports for Office 365) – Updates Coming!

32
- Transport Layer Security (TLS)
  - Great for securing email between Office 365 and on-premises or with specific partner/external servers
  - All Office 365 SMTP is defaulted to opportunistic; TLS 1.0-1.2 secure ciphers
- Office 365 Message Encryption
  - Allows recipient to be external and on any device; if recipient’s mailbox can be accessed, then the message can be decrypted
- Information Rights Management (Azure AD)
  - Keys held on RMS server; organization can set usage rights and custom templates; requires organizational authentication; does not get in the way of e-Discovery
- S/MIME
  - Secure from client-to-client, as long as the private keys remain secure

35 [NDR screenshot for joe@contoso.com; callouts: Who generated the NDR? / Who can fix it? / Indicates error details]

37
- Remote Connectivity Analyzer (http://testconnectivity.microsoft.com)
- Message Header Analyzer

38 Can be added to OWA & Outlook as an app

40 Message Trace
- Find out everything about a message that Office 365 handled
- Search up to 90 days
- Get routing details

41 New!

| | “Basic” Message Trace | “Extended” Message Trace (Historical Search) |
|---|---|---|
| Data Set | Between approx. 15 minutes & 7 days | Between approx. 8 hours & 90 days |
| View Results | In UI | Download |
| Results | In seconds | In minutes/hours (can configure notification email address) |
| Routing Details | Basic detail only | Full detail optional |
| Maximum Size | 500 | 5,000 (3,000 for detail) |
| Max Queries / Day | Reasonable limits | 15 per tenant |

42 Finding Message Trace
- Go to Exchange Admin Center
- Click mail flow
- Click message trace

43 Using the UI
- Two features share the same UI for simplicity

44 Using Historical Search
- After selecting a period outside of 7 days, new options appear
- “Include message events and routing details with report”
- Enter Notification email address

45 Completed Historical Search
- Click to see running & completed reports
- Reports available for 10 days
- Results of 5000 (or 3000 for detailed) should not be trusted to be complete (truncated warning message)
- Scroll to bottom to download the results

46 Reviewing Historical Search Results
- Recommend using Excel
- DATA -> Filter
- Sort by date_time
- More information about the fields & value meanings: http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx

47 PowerShell
- Basic: Get-MessageTrace, Get-MessageTraceDetail
- Extended: Start-HistoricalSearch, Stop-HistoricalSearch, Get-HistoricalSearch
- Pull results inside of (and shorter than) 7 days (but still >8 hours)
- Search on advanced criteria such as find all messages that hit a particular DLP rule

Start-HistoricalSearch [[-Organization] ] -ReportType {MessageTrace | MessageTraceDetail | DLP | TransportRule | SPAM | Malware} -ReportTitle -StartDate -EndDate [-NotifyAddress ] [-DeliveryStatus ] [-SenderAddress ] [-RecipientAddress ] [-OriginalClientIP ] [-MessageID ] [-DLPPolicy ] [-TransportRule ] [-Locale ] [-Direction {All | Sent | Received}]

49 Scenario: Inbound
- Check to see if there is any record of the message (if no record, then you’ll need to check with the sender)
- Check hygiene results
- Look for hints about where it may have gone (forwards, rules, etc.)

50 Scenario: Outbound
- Make sure the message was received from Outlook client (if not, troubleshoot Outlook)
- Look for SMTP SEND Event

53 [Mail flow diagram; labels recovered from the slide]
- Internet mail is routed based on MX record resolution
- Resolve host name to EOP DC (contoso-com.mail.protection.outlook.com)
- Edge Blocks & Tenant Attribution: IP-based block lists; Directory-based (Recipient) Blocks
- Virus Scanning: AV Engine 1; AV Engine 2; AV Engine 3
- Transport Rules / Policy Enforcement: Custom Rules; Email Encryption; Quarantine; Allows/Rejects
- SPAM Protection: Content scanning and Heuristics; Content Filter Advanced Options; Outlook Safe Sender/Recipient; Bulk Mail Filtering
- Connector-Based Customer Delivery Pool; Higher Risk / High Risk Delivery Pool; Outbound Pool (Normal Score)
- Mailbox (On-premises); Mailbox or Application (On-premises); Mailbox (O365)
- SMTP Client Submission (EXO only); Mailbox (O365)

60 Failover configuration
- Using a second MX record to accomplish failover

Contoso.com has 3 on-premises IPs: Site A - 10.0.0.5 & 10.0.0.6, Site B - 10.1.1.5, Site C - 10.2.2.5
Contoso.com wants mail to route to Site A but if it is down wants mail to go to Site B, and Site C as last resort.
Specify onprem.contoso.com in the outbound connector smart host field & create the following DNS records:

contoso.com          MX preference = 10   contoso-com.mail.protection.outlook.com (routes all mail for contoso.com)
onprem.contoso.com   MX preference = 10   mail-a.contoso.com
onprem.contoso.com   MX preference = 20   mail-b.contoso.com
onprem.contoso.com   MX preference = 30   mail-c.contoso.com
mail-a.contoso.com   A   10.0.0.5, 10.0.0.6
mail-b.contoso.com   A   10.1.1.5
mail-c.contoso.com   A   10.2.2.5

61

| You do/type this | Server responds with this |
|---|---|
| Telnet tenantDomainMxRecordHere 25 | 220 |
| HELO your_sending_server_fqdn | 250 (followed by human readable message) |
| MAIL FROM: you@host.com | 250 Sender OK |
| RCPT TO: recipient@domain.com | 250 Recipient OK |
| DATA (followed by the enter key) | Tells you to send data and how to end. |
| SUBJECT: Test (hit enter twice) | Hitting enter twice conforms to the standard. |
| Enter the body message. To end put a single period on a line by itself and press enter. | You should see something about message accepted or message queued. |
| QUIT | |

