Restrict Inbound Mail to O365 Not Originating From Hosted Email Security

The following steps will lock down O365 to accept email from only Sonicwall Hosted Email Security

Log in to the Office 365 admin center, and go to Admin centers > Exchange.

In the left pane, click mail flow, and click rules.

Click the + symbol, and click Create a new rule.

In the new rule page, enter a Name to represent the rule.

From the Apply this rule if... drop down, select The sender is located...

Another pop-up window will appear, select Outside the organization on the select sender location drop down.

From the Do the following drop-down menu, select Reject this message with the explanation.

Enter the message you want included in the non-delivery report (NDR) that is sent to the sender and click OK.

EXAMPLE: You have attempted to bypass our Email Security Service. Please ensure your DNS is up-to-date and try sending your message again.

Click More options... to add an exception.

Hover over The Sender... to access the fly out menu and select IP address is in any of these ranges or exactly matches.

Enter the HES IP ranges and click OK.

NOTE: For North America customers, the IP ranges are 173.240.210.0/24, 173.240.213.0/24, & 204.212.170.0/24

NOTE: For EU customers, the IP range is 173.240.221.0/24

Scroll down and check the box next to Stop processing more rules and click Save.

The new rule will be prioritized last, click the up arrow until it is priority 0.

Once configured, all Office 365 content filtering can be disabled as all email not originating from the HES service IP ranges will be blocked.