Introduction


The implementation process for Mail Aegis is straightforward, but for it to be as seamless as possible, we need to prepare to make the cut over as quick and easy as possible. The migration will be in a couple of phases – first, we need to make a few minor changes (that won’t impact your users at all). We will gather other information in the background. The screenshots in this document are for illustrative purposes only. If in doubt, don’t change anything and ask for help from someone familiar with DNS. We can also provide guidance.

Enable Entra Security Defaults


This is not mandatory at this time, but strongly recommended Click here to follow the guide

Create a Connector


  1. Go to https://admin.cloud.microsoft/exchange#/connectors
  2. Click on Add a connector
  3. Select Partner organization then click Next
  4. In the Name field type CyberWarden MailAegis Inbound
  5. Optionally add a description
  6. Ensure that the “Turn it on” checkbox is enabled.
  7. Click Next
  8. Select the “By verifying that the IP address of the sending server…” radio button
  9. Enter the following IP addresses into the text box, clicking the + button after entering each one:
    • 5.250.182.9
    • 85.215.201.235
    • 212.227.232.71

connector1

  1. Click Next
  2. On the Security Restrictions Page, ensure that only the "Reject email messages if they aren't sent over TLS" checkbox is selected, then click Next
connector2
  1. On the Review Connector page, click the Create connector button, then click Done on the following page.

Configure Skiplisting


  1. Go to https://security.microsoft.com/skiplisting
  2. Click on the Cyber Warden MailAegis Inbound connector
  3. Select the Automatically detect and skip the last IP address radio button
  4. Select the Apply to entire organization radio button
  5. Click Save
skiplisting

Configure Basic Anti-Phishing Settings in M365


  1. Go to https://security.microsoft.com/antiphishing
  2. Click on the Office365 / M365 policy
  3. In the Phishing threshold & protection section, click on Edit Protection Settings
  4. Select the following options, then click Save
    • Enable mailbox intelligence
    • Enable Intelligence for impersonation protection
    • Enable spoof intelligence
  1. In the Actions section, click on Edit Actions
  2. Select the following checkbox options:
    • Honor DMARC record policy when the message is detected as spoof
    • Show first contact safety tip
    • Show user impersonation safety tip
    • Show (?) for unauthenticated senders for spoof
    • Show "via" tag
  3. Select the following dropdown options:
    • If Mailbox Intelligence detects an impersonated user: Move the message to the recipients' Junk Email folder
    • If the message is detected as spoof and DMARC Policy is set as p=quarantine : Quarantine the message
    • If the message is detected as spoof and DMARC Policy is set as p=reject : Reject the message
    • If the message is detected as spoof by spoof intelligence: Move the message to the recipients' Junk Email folder
antiphish-actions
  1. Click Save
  2. Click Close


DKIM Configuration


  1. Go to https://security.microsoft.com/authentication.
  2. On the Email authentication settings page, select the DKIM tab.
  3. On the DKIM tab, select the custom domain to configure by clicking anywhere in the row other than the check box next to the name.
DKIMSettings
  1. In the domain details flyout that opens, select the Sign messages for this domain with DKIM signatures toggle that's currently set to Disabled
  2. A Client error dialog opens. The error contains the values to use in the two CNAME records that you create at the domain registrar for the domain.
  3. In your DNS Control Panel, create the DNS records as displayed in the domain details flyout. Leave this flyout open.
TypeNameValueTTL
CNAMEselector1._domainkeyvalue from flyoutdefault
CNAMEselector2._domainkeyvalue from flyoutdefault

  1. After a while (try after 5 minutes, but this might take longer - in rare cases unto 48 hours), return to the domain properties flyout that you left open in Step 6 and select the Sign messages for this domain with DKIM signatures toggle. After a few seconds, a security dialog opens.
  2. After you select OK to close the dialog, verify the following settings on the details flyout:
    • The Sign messages for this domain with DKIM signatures toggle is set to Enabled .
    • The Status value is Signing DKIM signatures for this domain.
    • Rotate DKIM keys is available.
  3. Click Close.

MTA-STS Configuration


Create the following DNS records in your DNS Control Panel:

TypeNameValueTTL
Amta-sts77.68.124.225604800
TXT_mta-stsv=STSv1; id=202502020000604800

Once you have made these changes, please contact us to let us know when you are done so that we can check before we move on with the next steps where additional changes will be made. You will be notified by email when our systems are ready for the next steps.