O365, On-prem Exchange, and SPF Records

One of the first things you should update before integrating Exchange Online or EOP into your mail flow is your organization’s SPF record. If you plan to use EOP as your perimeter gateway you may think that the O365 IPs are all you need, and you can get away with an SPF record that looks something like this:

v=spf1 include:spf.protection.outlook.com -all

Unfortunately, that isn’t the case. When Exchange Online shuffles emails around internally between tenants, any message from your on-prem environment will still need to be validated against your SPF record. What’s even more interesting is that if you have mailboxes in Exchange Online and Exchange on-prem, and decide to put a perimeter gateway like Proofpoint in front of EOP, then you get to have three sets of IPs (Exchange Online’s, your on-prem environment’s, and your Proofpoint gateway’s) in your SPF record!

Changing Perimeter Gateways (Based on EOP to Proofpoint Experience)

About a year ago my organization decided to move away from EOP (Exchange Online Protection) and implement Proofpoint’s cloud-based Email Protection service. As I go through my notes here and recall how smoothly that migration went, I’d like to share a few lessons learned from that experience:

  1. Clean up your current gateway solution. I had taken ownership of EOP from our security team about six months before we started planning the Proofpoint cutover, and during that period I was able to streamline the EOP configuration. IIRC I started with about 43 rules, and got it down into the teens by consolidating rules (I had at least three for blacklisting!). Beyond consolidation some things are just no longer needed and can be deleted.
  2. Decide which rules\policies should be actioned on the internet perimeter and which rules\policies should stay within the Organization. When using Exchange Online you may need to keep some rules there so they apply to intra-organizational emails.
  3. For every rule\policy you plan to move, have a strategy for testing it once the new gateway is configured.
  4. Test the new gateway from the outside world. You can fully configure and validate your new gateway before the cutover using various SMTP tools.
  5. Make sure your SPF record is updated with the new gateway IPs. If you are using O365 and placing a gateway in front of it, your SPF needs to have the new gateway IPs, all of the O365 IPs, and, if you have an on-prem Exchange environment, the external IPs that your Edges or Transport Servers use to communicate with Exchange Online. This can be done prior to the cutover.
  6. During the cutover window all you should have to do is update your MX records and configure your messaging environment to only accept traffic from your new gateway. And test – always test.
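To make the SPF point above concrete (the single include:spf.protection.outlook.com record failing for on-prem senders, and step 5's "three sets of IPs" record passing for all of them), here is a small offline SPF evaluator. It is an added example, not code from the original post or from Microsoft or Proofpoint. All DNS answers come from a constructed in-memory table, and every IP range in it is a documentation placeholder (RFC 5737 / RFC 3849 ranges), not a real published range; "spf.gateway.example" is a hypothetical include standing in for a perimeter gateway. It implements only the ip4, ip6, include and all mechanisms of RFC 7208, and goes one step beyond the post by also counting DNS-querying mechanisms, because stacking gateway, O365 and on-prem includes is how records drift past the 10-lookup limit and start returning permerror.

```python
"""Offline SPF evaluator (added example; constructed DNS data, placeholder IPs)."""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying mechanisms -> permerror
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed "zone" files. Real evaluation fetches these as DNS TXT records.
# Only EOP is authorised: what the narrow record at the top of the post expresses.
NARROW_ZONE = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
}

# On-prem edge IPs + EOP + perimeter gateway: the "three sets of IPs" record.
FULL_ZONE = {
    "example.com": ("v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 "
                    "include:spf.protection.outlook.com include:spf.gateway.example -all"),
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "spf.gateway.example": "v=spf1 ip4:198.51.100.0/26 -all",   # hypothetical gateway include
}


def parse_record(txt):
    """Split a TXT record into SPF terms, rejecting anything that is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt)
    return terms[1:]


def _qualifier(term):
    """Separate the optional +/-/~/? qualifier from the mechanism; default is '+'."""
    if term[0] in "+-~?":
        return term[0], term[1:]
    return "+", term


def check_host(ip, domain, dns, lookups=None):
    """Subset of RFC 7208 check_host(). Returns (result, dns_lookups_used)."""
    if lookups is None:
        lookups = [0]          # shared counter across recursive include: evaluation
    addr = ipaddress.ip_address(ip)
    record = dns.get(domain.lower())
    if record is None:
        return "none", lookups[0]
    for term in parse_record(record):
        q, mech = _qualifier(term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # 'in' is False when address family and network family differ
            if addr in ipaddress.ip_network(arg, strict=False):
                return RESULT[q], lookups[0]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            sub, _ = check_host(ip, arg, dns, lookups)
            if sub == "pass":
                return RESULT[q], lookups[0]
            if sub in ("permerror", "none"):
                return "permerror", lookups[0]
            # fail / softfail / neutral from an include is simply "no match": keep going
        elif name == "all":
            return RESULT[q], lookups[0]
        # a, mx, ptr, exists and modifiers are omitted in this example
    return "neutral", lookups[0]


def chained_zone(depth):
    """Constructed zone: d0 includes d1 ... includes d<depth>, which lists one IP."""
    zone = {"d%d" % i: "v=spf1 include:d%d -all" % (i + 1) for i in range(depth)}
    zone["d%d" % depth] = "v=spf1 ip4:192.0.2.99 -all"
    return zone


if __name__ == "__main__":
    for label, zone in (("narrow", NARROW_ZONE), ("full", FULL_ZONE)):
        for sender in ("203.0.113.5", "192.0.2.10", "198.51.100.7"):
            print(label, sender, check_host(sender, "example.com", zone))
    print("11 chained includes:", check_host("192.0.2.99", "d0", chained_zone(11)))
```

Run it and the narrow zone passes the EOP address but fails the on-prem edge (192.0.2.10) and the gateway address, which is exactly the mail that Exchange Online will later re-evaluate against your record; the full zone passes all three. The chained-include case shows that the lookup counter, not the number of IPs, is what you run out of when every vendor hands you another include.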