Are you using Microsoft 365 in conjunction with a third-party secure email gateway, email relay, or on-prem/hybrid exchange system? If so, this can pose a problem with our traditional Microsoft 365 allowlisting guidance.
When third-party email infrastructure is used in a relay-based configuration with Microsoft 365, Microsoft 365 loses all visibility of the IP address that emails actually originate from, because the source IP address of every email is overwritten by the IP address of the third-party email relay.
To counteract this, you need to activate Enhanced Filtering For Connectors (Skiplisting) within Microsoft 365. A depiction of this problem and how skiplisting solves the problem is provided below for your benefit:
Traditional Microsoft 365 Email Routing Setup (No Third-Party Infrastructure):
Third-Party Email Infrastructure With Microsoft 365:
Third-Party Email Infrastructure With Microsoft 365 With Skiplisting Implemented:
Skiplisting allows you to filter email based on the actual source of messages that arrive over a Microsoft 365 email connector. Skiplisting skips the source IP addresses of the connector and looks back in the routing path to determine the actual source of the incoming messages. Supplementary information on what skiplisting is can be found below:
- https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors
- https://security.microsoft.com/skiplisting
How To Implement Skiplisting Within Microsoft 365
Note: If you've set up Direct Email Injection, Skiplisting isn't required.
Prerequisite: Your email relay must be configured as an Inbound Connector within Microsoft 365.
To implement skiplisting within your Microsoft 365 tenant, follow the guidance below.
- In the Microsoft 365 Admin Center, go to Security > Email & Collaboration > Policies & Rules > Threat Policies > Enhanced Filtering. Or just go here: https://security.microsoft.com/skiplisting
- On the Enhanced Filtering for Connectors page, select the inbound connector that you want to configure by simply clicking on it.
- In the flyout pane that appears you have two options. Please select the option that is most applicable to your email routing setup:
- Automatically detect and skip the last IP address (Recommended): This approach is simple and applies to the overwhelming majority of email routing setups. Microsoft detects and skips the last IP address in the email routing chain, allowing it to identify the true source IP address of emails.
- Skip these IP addresses that are associated with the connector: Should only be used in complex email routing setups where multiple email gateways relay emails several times (e.g. Source Email Server > Email Relay > Email Relay > Microsoft 365). In such cases, you manually specify the IP addresses of these email relays and Microsoft will skip them.
- Important: Once one of the above options is selected, you can specify who this configuration should apply to. To ensure there are no email deliverability issues with your greater organization, please test this configuration with a subset of users before applying it to your entire organization. Once testing has concluded, then update this configuration and apply it to everyone.
- Click Save!
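The same configuration as the portal steps above, expressed in Exchange Online PowerShell. This is an added example, not part of the CanIPhish article; it assumes the ExchangeOnlineManagement module is installed and you hold an Exchange Administrator role, and the connector name, pilot addresses and relay IPs are placeholders.

```powershell
# Added example: configure Enhanced Filtering for Connectors (Skiplisting) with
# Exchange Online PowerShell instead of the Security portal.
# Assumptions: ExchangeOnlineManagement module installed, Exchange Administrator role,
# and placeholder values for the connector name, pilot users and relay IPs.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ConnectorName = 'Third-Party Gateway Inbound'   # placeholder: your relay's inbound connector name

# Prerequisite check: the relay must already exist as an Inbound Connector.
$connector = Get-InboundConnector -Identity $ConnectorName -ErrorAction Stop
"Connector '{0}' found, enabled: {1}" -f $connector.Name, $connector.Enabled

# Option 1 (recommended): automatically skip the last hop so Microsoft 365 sees the true source IP.
# Scope it to a pilot group first (EFUsers) to catch deliverability issues before a tenant-wide rollout.
$PilotUsers = 'pilot1@example.com', 'pilot2@example.com'   # placeholder addresses
Set-InboundConnector -Identity $ConnectorName -EFSkipLastIP $true -EFUsers $PilotUsers

# Option 2 (multi-hop relay chains only): list every relay IP to skip instead of the last hop.
# EFSkipLastIP and EFSkipIPs are mutually exclusive; uncomment and use your real relay addresses.
# Set-InboundConnector -Identity $ConnectorName -EFSkipLastIP $false -EFSkipIPs '203.0.113.10','203.0.113.11'

# Verify what the tenant now holds for this connector.
Get-InboundConnector -Identity $ConnectorName |
    Format-List Name, EFSkipLastIP, EFSkipIPs, EFUsers

# After the pilot succeeds, clear the user scope so the setting applies to everyone.
# Set-InboundConnector -Identity $ConnectorName -EFUsers $null

Disconnect-ExchangeOnline -Confirm:$false
```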
Important: Once Skiplisting is implemented, you still need to implement Allowlisting within Microsoft 365. Additionally, if you're using a third-party secure email gateway, you also need to implement allowlisting within the third-party gateway! Please see our Allowlisting Introduction for a detailed list of allowlisting guidance for dozens of different third-party secure email gateway vendors.
If you run into any issues, please feel free to contact the CanIPhish team for support!