DBTN Blog - FortiMail & Office 365 Integration Guide

1 Public DNS Record Changes

Point your domain's email to FortiMail for initial processing. This directs all incoming mail to your new secure gateway.

yourdomain-com.mail.protection.outlook.com

mail.yourdomain.com

(Your FortiMail's public FQDN or IP)

Authorize FortiMail as a valid sender for your domain to prevent your emails from being marked as spam.

v=spf1 include:spf.protection.outlook.com -all

v=spf1 ip4:your_fortimail_public_ip include:spf.protection.outlook.com -all

Create a rule to trust emails that have been processed by your FortiMail appliance.

Go to Mail flow > Connectors and click Add a connector.
Set Connection from: to Partner organization.
Name the connector (e.g., FortiMail Inbound).
Authenticate by verifying the sender's IP address, and add your FortiMail's public IP.
For security, enable "Reject email messages if they aren't sent over TLS".

Configure O365 to route all outgoing mail through FortiMail for scanning.

Create a new connector with Connection from: Office 365 and Connection to: Partner organization.
Name the connector (e.g., FortiMail Outbound).
Under "Use of connector", select "Only when I have a transport rule...".
Route emails to a smart host: add your FortiMail's FQDN or public IP.
Configure TLS security settings as required.

Create the transport rule that activates the outbound connector for all outgoing messages.

Go to Mail flow > Rules and create a new rule.
Name the rule (e.g., Route Outbound via FortiMail).
Set Apply this rule if... to The sender is located 'Inside the organization'.
Set Do the following... to Redirect messages to... the outbound connector you just created.
Important: Add an exception to prevent mail loops. The exception should be if a Received message header includes your FortiMail's hostname.