Moving mx records to O365

%3CLINGO-SUB%20id%3D%22lingo-sub-3505298%22%20slang%3D%22en-US%22%3EMoving%20mx%20records%20to%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3505298%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20medium%20sized%20company%2C%20around%207000%20mailboxes.%20We%20own%20several%20domains%20that%20we%20accept%20email%20for.%20Currently%20all%20mx%20records%20point%20to%20IronPorts.%20The%20emails%20are%20go%20through%20the%20messaging%20hygiene%20at%26nbsp%3B%20the%20ironports%20and%20then%20the%20message%20is%20delivered%20to%20Exchange%20online.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20want%20to%20move%20all%20mx%20records%20to%20O365.%20What%20i%20would%20like%20to%20understand%2C%20is%20what%20is%20the%20best%20strategy%20to%20do%20this%3F%20Should%20i%20move%20a%20domain%20that%20doesn't%20receive%20a%20high%20volume%20of%20mail%20traffic%20first.%20I%20think%20doing%20this%20will%20allow%20for%20fine%20tuning%20of%20the%20O365%20filtering%20polices%2C%20and%20give%20us%20me%20some%20indication%20regarding%20how%20successful%20the%20move%20was%20and%20what%20the%20success%20rate%20will%20be%20for%20future%20domain%20moves.%20Also%20how%20should%20i%20construct%20my%20anti%20spam%2C%20anti%20malware%20polices%3F%20Should%20i%20start%20with%20the%20using%20Preset%20Security%20Policies%22%20%3F%20My%20concern%20with%20using%20the%20preset%20policies%20is%20you%20cant%20edit%20them.%20We%20will%20have%20a%20lot%20of%20safe%20and%20blocked%20senders%20that%20we%20will%20need%20to%20export%20from%20the%20IronPort's%20and%20import%20into%20O365.%20If%20i%20cant%20edit%20preset%20polices%2C%20then%20what%20is%20my%20best%20course%20of%20action%3F%20will%20i%20need%20to%20create%20custom%20polices%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20these%20are%20a%20lot%20of%20questions.%20I'm%20trying%20to%20understand%20how%20i%20should%20construct%26nbsp%3B%20the%20roadmap%20or%20process%20for%20moving%20domains%20to%20O365%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3505298%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConfiguration%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDetection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20365%20Defender%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPhishing%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPrevention%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3506400%22%20slang%3D%22en-US%22%3ERe%3A%20Moving%20mx%20records%20to%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3506400%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1278179%22%20target%3D%22_blank%22%3E%40skipster311-175%3C%2FA%3E%26nbsp%3B-%20Thanks%20for%20such%20a%20great%20question%2C%20and%20I'm%20super%20glad%20to%20hear%20you're%20going%20with%20MDO!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20a%20detailed%20migration%20guide%20here%20you%20should%20find%20useful%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fmigrate-to-defender-for-office-365%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMigrate%20from%20a%20third-party%20protection%20service%20to%20Microsoft%20Defender%20for%20Office%20365%20-%20Office%20365%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESpeaking%20from%20my%20experience%2C%20I've%20done%20both%20the%20SCL-1%20method%20detailed%20in%20the%20above%20guide%2C%20and%20your%20mentioned%20method%20of%20domain%20by%20domain.%20-%20Either%20way%20the%20desired%20outcome%20is%20the%20same%2C%20moving%20carefully%20and%20slowly%20to%20ensure%20minimal%20disruption%2C%20so%20that's%20completely%20up%20to%20you!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegarding%20your%20comment%20for%20safe%20senders%2C%20my%20advice%20is%20that%20you%20shouldn't%20need%20to%20import%20a%20single%20safe%20sender%2C%20this%20brings%20legacy%20debt%20across%20to%20your%20new%20configuration%20and%20opens%20up%20holes%20in%20your%20protection%20stack.%20The%20good%20news%20however%20is%20that%20by%20moving%20slowly%20as%20you%20plan%20to%2C%20you%20can%20address%20senders%20one%20by%20one%2C%20sending%20test%20emails%20and%20then%20fixing%20issues%20with%20things%20like%20SPF%2FDKIM%20to%20ensure%20correct%20authentication%20and%20remove%20the%20need%20for%20a%20safe%20sender%20%2F%20allow%20list%20entry.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHowever%2C%20these%20are%20sometimes%20required%20in%20situations%20where%20you%20don't%20control%20the%20sending%20infrastructure%20and%20for%20example%20the%20company%20who%20owns%20the%20sending%20infrastructure%20may%20not%20be%20in%20a%20position%20to%20support%20DKIM%20signing%20at%20this%20point%20in%20time%20-%20so%20I'd%20recommend%20using%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Ftenant-allow-block-list%3Fview%3Do365-worldwide%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ETABL%3C%2FA%3E%20here%20instead.%20%3CEM%3E(if%20however%20it's%20a%20false%20positive%20from%20our%20side%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fstep-by-step-guides%2Fhow-to-handle-false-positives-in-microsoft-defender-for-office-365%3Fview%3Do365-worldwide%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eplease%20report%20it%20to%20us%20so%20we%20can%20fix%20it!%3C%2FA%3E)%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMy%20final%20point%20is%20around%20preset%20policies%2C%20please%26nbsp%3B%3CSTRONG%3Edo%26nbsp%3B%3C%2FSTRONG%3Euse%20them%2C%20it%20keeps%20everything%20up%20to%20date%20for%20you%20as%20%2F%20when%20we%20release%20new%20protection%20features%2C%20sets%20you%20up%20for%20continued%20success%20in%20the%20long%20term.%20-%20TABL%20will%20be%20honoured%20so%20if%20you%20do%20have%20to%20add%20a%20safe%20sender%2C%20this%20will%20be%20respected%20by%20the%20policy!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20wish%20you%20a%20really%20successful%20migration%2C%20and%20would%20love%20to%20hear%20how%20you%20get%20on%2C%20don't%20afraid%20to%20ask%20any%20other%20questions%20you%20may%20have%2C%20hopefully%20this%20has%20been%20helpful!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBen.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3511667%22%20slang%3D%22en-US%22%3ERe%3A%20Moving%20mx%20records%20to%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3511667%22%20slang%3D%22en-US%22%3EThanks%20Ben%20for%20the%20detailed%20information.%20I%20do%20like%20the%20idea%20of%20using%20preset%20security%20policies%20for%20the%20reasons%20that%20you%20mentioned%2C%20however%20if%20i%20cant%20edit%20them%2C%20then%20i%20fear%20it%20will%20open%20up%20the%20door%20to%20creating%20custom%20polices%2C%20to%20allow%20for%20things%20like%20block%20or%20allow%20bulk%20email.%20If%20i%20have%20to%20add%20a%20sender%20to%20skip%20spam%20filtering%2C%20is%20the%20recommended%20approach%20to%20use%20a%20transport%20rule%20%2C%20instead%20of%20adding%20the%20sending%20to%20allow%20list%20in%20anti%20spam%20policy%20%3F%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello 

 

We are medium sized company, around 7000 mailboxes. We own several domains that we accept email for. Currently all mx records point to IronPorts. The emails are go through the messaging hygiene at  the ironports and then the message is delivered to Exchange online.

 

We want to move all mx records to O365. What i would like to understand, is what is the best strategy to do this? Should i move a domain that doesn't receive a high volume of mail traffic first. I think doing this will allow for fine tuning of the O365 filtering polices, and give us me some indication regarding how successful the move was and what the success rate will be for future domain moves. Also how should i construct my anti spam, anti malware polices? Should i start with the using Preset Security Policies" ? My concern with using the preset policies is you cant edit them. We will have a lot of safe and blocked senders that we will need to export from the IronPort's and import into O365. If i cant edit preset polices, then what is my best course of action? will i need to create custom polices ?

 

I know these are a lot of questions. I'm trying to understand how i should construct  the roadmap or process for moving domains to O365

 

Thank you 

 

2 Replies

@skipster311-175 - Thanks for such a great question, and I'm super glad to hear you're going with MDO!

 

We have a detailed migration guide here you should find useful: Migrate from a third-party protection service to Microsoft Defender for Office 365 - Office 365 | Mi...

 

Speaking from my experience, I've done both the SCL-1 method detailed in the above guide, and your mentioned method of domain by domain. - Either way the desired outcome is the same, moving carefully and slowly to ensure minimal disruption, so that's completely up to you!

 

Regarding your comment for safe senders, my advice is that you shouldn't need to import a single safe sender, this brings legacy debt across to your new configuration and opens up holes in your protection stack. The good news however is that by moving slowly as you plan to, you can address senders one by one, sending test emails and then fixing issues with things like SPF/DKIM to ensure correct authentication and remove the need for a safe sender / allow list entry. 

 

However, these are sometimes required in situations where you don't control the sending infrastructure and for example the company who owns the sending infrastructure may not be in a position to support DKIM signing at this point in time - so I'd recommend using TABL here instead. (if however it's a false positive from our side, please report it to us so we can fix it!)

 

My final point is around preset policies, please do use them, it keeps everything up to date for you as / when we release new protection features, sets you up for continued success in the long term. - TABL will be honoured so if you do have to add a safe sender, this will be respected by the policy!

 

I wish you a really successful migration, and would love to hear how you get on, don't afraid to ask any other questions you may have, hopefully this has been helpful!

 

Thanks

 

Ben.

Thanks Ben for the detailed information. I do like the idea of using preset security policies for the reasons that you mentioned, however if i cant edit them, then i fear it will open up the door to creating custom polices, to allow for things like block or allow bulk email. If i have to add a sender to skip spam filtering, is the recommended approach to use a transport rule , instead of adding the sending to allow list in anti spam policy ?