Knowledge Base


Sophos Mailprotection

Add your domain:
https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/SophosGateway/ExternalServices/ConfigureExchange/index.html

This topic explains how to set up Microsoft Exchange and all other email clients to route email through Sophos Gateway.

Add your domain and verify ownership

You need to add your domain details.

You need to provide the following information when configuring Sophos Gateway to process and deliver email for your domain:

  • Your email domain name.
  • Your mail delivery destination host as a Fully Qualified Domain Name (FQDN) or IP address.
  • The port number that is used to listen for SMTP traffic on the mail delivery destination host.

To add a domain in Sophos Central, do as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > General Settings > Gateway Domain Settings/Status.
  3. Click Add Domain.
  4. Enter your email domain details, direction of traffic, and delivery destination details.
  5. Click Verify Domain Ownership.
  6. Copy the TXT value presented in the Verify Domain Ownership dialog.

    This value is specific to your email domain.

  7. Create a TXT DNS record in the root level of the domain name you entered earlier and paste the TXT value that you copied earlier. You can give it the same TXT name as shown or use @.
  8. Once the new TXT DNS record entry is saved, click Verify.

When the DNS update with the correct TXT value is propagated, you receive a message indicating that the domain verification was successful.

If the DNS update hasn't propagated, or the value entered is incorrect, you receive a failure message. Confirm that the value entered is correct.

Note

The domain verification process may take some time to complete.

Add mailboxes

You can now add mailboxes to Sophos Email Security. See Add mailboxes.

When you have added your mailboxes, continue with configuring your email environment.

Restrict delivery to Sophos IP addresses

You can configure the connection to your mail host to only use our delivery IP addresses.

Restricting delivery IP addresses adds additional security to the integration between Sophos Gateway and your mail host.

Warning

Before you proceed, we strongly recommend testing email traffic and domain configuration in a non-production or test environment before making any changes to your organization's email configuration.

The specific delivery IP address you need to use depends on the region where your Sophos Central account is hosted. When you created your Sophos Central account, you chose which country to store your data in.

Warning

You must also add the Sophos IP addresses to the IP allow list for your mail server. If you don't, your users won't receive their emails.

To find out which IP addresses to use, see Sophos email gateway IP addresses.

Warning

Using an IP address other than the one specified for your region prevents mail from flowing correctly.

Change your MX records to point to Sophos Gateway

Changing your domain's MX records to point to Sophos Gateway is crucial to successful deployment and ensures all email is filtered and delivered.

If you can't make these changes yourself, contact your IT department, hosting provider, ISP, or Domain Name Service provider and arrange for the MX records for your domains to be modified.

When you created your Sophos Central account, you selected a region where you wanted to store your data. Your MX records are dependent on this region.

Change your MX records to include the record names associated with the region where you chose to store your data.

To find out which MX records to use, see Sophos MX records.

Notes

Take care with all options to ensure that the spelling and numbers are correct.

Using MX record names other than those provided prevents mail from flowing correctly.

When changing DNS entries like MX records, we recommend lowering the TTL (to 600 seconds or less) well in advance of updating the entries. Resolvers keep a cached record until its old TTL expires, so make the reduction at least one old TTL before the cutover. A short TTL allows the change to propagate quickly and provides a quick way to revert changes if any issues arise during testing.

Test and confirm mail flow

Once you've updated your MX records, send a test message to any of your mailboxes protected by Sophos Gateway. Send your test message from an address outside your email domain.

To confirm the message flowed through Sophos Gateway, you can view the Message History report.

To access the report, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Reports > Message History.

    If messages are flowing through the system, you see entries in this report.

If mail isn't flowing (your test message doesn't arrive in the test inbox), take the following steps:

  1. Verify that your MX records are correct for your region.
  2. Verify that you set up the Sophos Delivery IPs correctly in your gateway, firewall, or connector.
  3. Verify that the mailbox you're sending to exists in Sophos Email Security.

If you've taken all these steps and mail still isn't flowing for your domain, contact Sophos Support.
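The troubleshooting steps above, and the "Restrict delivery to Sophos IP addresses" and MX sections before them, can be scripted. The following checker is an added example written for this page, not Sophos code: it parses `dig +noall +answer` output (dig is assumed to be installed for live use; the constructed sample answers let it run offline), confirms the ownership TXT value is present at the apex, compares the MX set and TTLs against the Germany records listed further down this page, and tests whether a connecting address falls inside the published Germany gateway ranges, which is what your mail host's allow list must admit. The domain `example.com` and the verification token are placeholders.

```python
import ipaddress
import re
import subprocess
import sys

# Germany (eu-central-1) values as listed on this page; adjust for another region.
EXPECTED_MX = {
    10: "mx-01-eu-central-1.prod.hydra.sophos.com",
    20: "mx-02-eu-central-1.prod.hydra.sophos.com",
}
GATEWAY_RANGES = [ipaddress.ip_network(n) for n in
                  ("52.58.166.242/32", "52.29.100.147/32", "94.140.18.128/26")]
MAX_TTL = 600  # seconds; lower the TTL to this or less before the cutover

# Constructed sample answers in `dig +noall +answer` format (not real DNS data).
SAMPLE_GOOD = [
    "example.com.\t300\tIN\tMX\t10 mx-01-eu-central-1.prod.hydra.sophos.com.",
    "example.com.\t300\tIN\tMX\t20 MX-02-eu-central-1.prod.hydra.sophos.com.",
    'example.com.\t300\tIN\tTXT\t"constructed-verification-token"',
]
SAMPLE_BAD = [
    "example.com.\t3600\tIN\tMX\t10 mail.example.com.",
    "example.com.\t3600\tIN\tMX\t20 mx-01-eu-central-1.prod.hydra.sophos.com.",
]


def dig_answer(name, rtype):
    """Run `dig +noall +answer NAME TYPE`; returns [] if dig is missing or times out."""
    try:
        proc = subprocess.run(["dig", "+noall", "+answer", name, rtype],
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    return proc.stdout.splitlines()


def parse_answer(lines):
    """Turn dig answer lines ('name ttl IN TYPE rdata') into (ttl, TYPE, rdata) tuples."""
    records = []
    for line in lines:
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2].upper() == "IN":
            records.append((int(parts[1]), parts[3].upper(), parts[4].strip()))
    return records


def check_ownership(records, expected_value):
    """True if an apex TXT record carries exactly the value shown in Verify Domain Ownership."""
    for _ttl, rtype, rdata in records:
        if rtype == "TXT":
            # dig prints TXT rdata as one or more quoted strings; join and unquote them
            value = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))
            if value == expected_value:
                return True
    return False


def check_mx(records):
    """Problems with the MX set; an empty list means exactly the region's records with a lowered TTL."""
    problems = []
    seen = {}
    for ttl, rtype, rdata in records:
        if rtype != "MX":
            continue
        pref, host = rdata.split(None, 1)
        host = host.rstrip(".").lower()
        seen[host] = int(pref)
        if ttl > MAX_TTL:
            problems.append(f"TTL {ttl}s on MX {host} exceeds {MAX_TTL}s; lower it before the cutover")
    for pref, host in EXPECTED_MX.items():
        if host not in seen:
            problems.append(f"missing MX {pref} {host}")
        elif seen[host] != pref:
            problems.append(f"MX {host} has preference {seen[host]}, expected {pref}")
    for host in seen:
        if host not in EXPECTED_MX.values():
            problems.append(f"unexpected MX {host}: mail delivered to it bypasses Sophos Gateway")
    return problems


def is_sophos_gateway(ip):
    """True if IP is inside the published gateway ranges (what the mail host's allow list must admit)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GATEWAY_RANGES)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_cutover.py DOMAIN [VERIFICATION_TXT_VALUE]")
    domain = sys.argv[1]
    token = sys.argv[2] if len(sys.argv) > 2 else ""
    records = parse_answer(dig_answer(domain, "MX") + dig_answer(domain, "TXT"))
    print("ownership TXT present:", check_ownership(records, token) if token else "skipped")
    for problem in check_mx(records) or ["MX records match the Germany region"]:
        print(problem)
```

`check_mx` treats any MX host other than the two Sophos records as a problem on purpose: a leftover MX for your old mail host is a route around the filter. The gateway-range test is what you would apply to the source address of each inbound SMTP connection once delivery is restricted to Sophos.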

Sophos MX records:
https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/EmailDomainInfo/index.html#emailmxrecords

Germany:
  10  mx-01-eu-central-1.prod.hydra.sophos.com
  20  mx-02-eu-central-1.prod.hydra.sophos.com

Sophos SPF domain (Germany): _spf_eucentral1.prod.hydra.sophos.com

Sophos Email Gateway IPs:
https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/EmailDomainInfo/index.html#emailgatewayips

Germany:
  52.58.166.242
  52.29.100.147
  94.140.18.128/26

Outbound email for Exchange:
https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/SophosGateway/ExternalServices/OutboundExchange/index.html

This page guides you through the process of directing all outbound email via Sophos Gateway. For Exchange, this requires an SMTP Connector to be configured on your Exchange Server.

To configure outbound routing from your Exchange and other clients' accounts, do as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > General Settings > Gateway Domain Settings/Status.
  3. Click the domain link you want to configure, then click Edit.
  4. In Configure Domain, select Inbound and Outbound as the direction.
  5. In Outbound Gateway, select Custom Gateway. At least one IP/CIDR (subnet range) is required.
  6. Enter an IP address or CIDR, and click Add. You can add multiple IP addresses or CIDRs.
  7. Click Save.
  8. Click Configure External Dependencies.
  9. Select Outbound Settings and copy the Outbound Relay Host address.

    Note

    The Outbound Relay Host depends on the region you chose when you signed up for Sophos Email Security. For a list of outbound relay hosts for each region, see Sophos email outbound relay.

  10. To set up an SMTP connector, follow the instructions for your version of Exchange on Microsoft's help page. See Exchange 2019, Exchange 2016, or Exchange 2013.

    Follow these steps to complete the configuration:

    1. If prompted, select Route mail through smart hosts and click Add.
    2. In Add smart host, paste the Outbound Relay Host address you copied earlier.
    3. Turn off or remove any other Outbound Send Connectors that were previously used for mail filtering.

      Note

      Failure to do this means your outbound email will still use the older send connectors and won't be routed through Sophos Gateway. If in doubt, consult Sophos Support.

    4. When you're finished setting up your SMTP connector, save your changes.

      Note

      Changes may take up to 24 hours to propagate.

Note

For non-Exchange mail servers or clients, consult your third-party vendor to configure outbound email delivery to Sophos Email. For a setup guide, see the Techvids video.

Updating the SPF record for your domain

If you authenticate outgoing email using an SPF record or DKIM, you may need to update your configuration.

Your organization should already have an SPF record for your domains registered with your existing email service. You need to update this record in the DNS zone for the relevant domain.

You can replace your existing SPF record or add to it, depending on your requirements.

It's normal to replace the record. However, if your outbound email is being routed through Sophos Gateway and your existing email service simultaneously for a period, you can add an include statement for Sophos Gateway to your existing SPF record.

You can use the all parameter in different ways. You must understand how to do this and the implications of your choice.

  • Hard fail:

    Use a dash (-) before the all parameter for a "hard fail". A message claiming to be from your domain that doesn't arrive from a source listed in the record (after the change, Sophos Gateway) fails the check, and recipients' mail servers that enforce SPF reject it.

  • Soft fail:

    Use a tilde (~) before the all parameter instead, for a "soft fail". A message from an unlisted source is still marked as failing SPF, but recipients are asked to accept it and treat it as suspicious (for example, by raising its spam score) rather than reject it outright. Note that DMARC treats a soft fail like a hard fail: SPF only passes for DMARC if the source is listed, so a DMARC policy of quarantine or reject still applies to mail from unlisted sources.

Note

To enhance the trustworthiness of your domain and IPs, you can configure DKIM to sign and authenticate outbound emails. This helps prevent email rejection. For more information on how to configure DKIM, see DKIM keys.

Sophos SPF domains

When you replace or add to your SPF record, use the domain for the Sophos data center for your region. To find out which domain to use, see Sophos SPF domains.

Replacing your SPF record

If your outbound email is only routed through Sophos Gateway you can use the Sophos Gateway SPF record.

  • Remove your existing record, for example the Microsoft 365 default v=spf1 include:spf.protection.outlook.com -all.
  • If you're certain that you don't have any third parties sending mail on your behalf, and all your outbound mail is routed through Sophos Gateway, you can set your record to:

    v=spf1 include:<spf-domain> -all

  • If you aren't routing all your email through us, or you're unsure, use a soft fail:

    v=spf1 include:<spf-domain> ~all

Replace <spf-domain> with the SPF domain that matches your region. See Sophos SPF domains.

Example using an SPF domain that matches the United States (West) region

v=spf1 include:_spf_uswest2.prod.hydra.sophos.com -all

Adding to your SPF record

If your outbound email is being routed through Sophos Gateway and your existing email service simultaneously for a period, you can leave the original SPF record, and add an include statement for Sophos Email.

To use an include statement to add the Sophos Gateway record to your existing record, do as follows:

  • Existing SPF:

    v=spf1 include:spf.protection.outlook.com -all

  • Example with include:

    v=spf1 include:spf.protection.outlook.com include:<spf-domain> -all

Replace <spf-domain> with the SPF domain that matches your region. See Sophos SPF domains.

Example using an SPF domain that matches the United States (West) region

v=spf1 include:spf.protection.outlook.com include:_spf_uswest2.prod.hydra.sophos.com -all

We recommend you replace your include statement with the Sophos Gateway SPF record when all your outbound email is routed through us.
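The two SPF patterns above (adding the Sophos include alongside an existing service, or replacing the record once everything routes through Sophos) are easy to get subtly wrong by hand. The following helper is an added example for this page, not Sophos code: it builds either form from an existing record using the SPF domains listed on this page, and lints the result for the mistakes receivers trip over (terms after `all`, `+all`, too many DNS-querying terms, the 255-character TXT string limit). The region names used as dictionary keys and the `example` domains in the lint checks are assumptions; the lookup count covers only the record's own terms, so it is a lower bound.

```python
import re

# Sophos SPF include domains as listed on this page (region -> domain).
SOPHOS_SPF = {
    "Germany": "_spf_eucentral1.prod.hydra.sophos.com",
    "United States (West)": "_spf_uswest2.prod.hydra.sophos.com",
}
# Mechanisms/modifiers that cost a DNS lookup under the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"


def parse_spf(record):
    """Return the terms after v=spf1, rejecting anything that is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    return terms[1:]


def _is_all(term):
    return term.lower().lstrip(QUALIFIERS) == "all"


def add_sophos_include(record, region, replace=False, hard_fail=None):
    """Return the record with the region's Sophos include added.

    replace=True drops every existing sender term (all outbound mail goes through Sophos).
    hard_fail=True/False forces -all/~all; None keeps the qualifier the record already used
    (a record with no all term gets ~all rather than the implicit +all).
    """
    terms = parse_spf(record)
    all_terms = [t for t in terms if _is_all(t)]
    qualifier = "~"
    if all_terms:
        q = all_terms[-1][0]
        qualifier = q if q in QUALIFIERS else "+"
    senders = [] if replace else [t for t in terms if not _is_all(t)]
    sophos = f"include:{SOPHOS_SPF[region]}"
    if sophos not in senders:          # idempotent: never add the include twice
        senders.append(sophos)
    if hard_fail is not None:
        qualifier = "-" if hard_fail else "~"
    return " ".join(["v=spf1", *senders, qualifier + "all"])


def lint(record):
    """Problems a receiver would trip over; an empty list means the record looks sane."""
    problems = []
    terms = parse_spf(record)
    lookups = 0
    all_seen = False
    for t in terms:
        if all_seen:
            problems.append(f"{t!r} comes after all and is never evaluated")
            continue
        if _is_all(t):
            all_seen = True
            if t.lower() in ("all", "+all"):
                problems.append("+all authorizes every host on the Internet to send as this domain")
            continue
        name = re.split(r"[:/=]", t.lower().lstrip(QUALIFIERS), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("ptr is deprecated by RFC 7208 and slow to evaluate; use ip4/ip6 or include")
    if not all_seen:
        problems.append("no all term: unlisted senders evaluate to neutral instead of fail")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the limit of 10 (nested includes count too); "
                        "receivers return permerror")
    if len(record) > 255:
        problems.append("record longer than 255 characters must be split into multiple quoted strings in the TXT RR")
    return problems


if __name__ == "__main__":
    current = "v=spf1 include:spf.protection.outlook.com -all"   # typical Microsoft 365 record
    for label, rec in (("coexistence", add_sophos_include(current, "Germany")),
                       ("Sophos only", add_sophos_include(current, "Germany", replace=True))):
        print(f"{label}: {rec}")
        for problem in lint(rec):
            print("  !", problem)
```

Run `lint` on the record you are about to publish as well as on the one you are replacing: the lookup limit is the usual reason an otherwise correct include fails in production, because `include:spf.protection.outlook.com` and the Sophos include each pull in further lookups of their own.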

Confirm that outbound mail is flowing by sending an outbound mail to an external address.

To confirm that the email has been sent, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Reports > Message History.
  3. Change the direction to outbound.
  4. Refresh the screen until you can see the details of the test email you have sent.

Sophos Email outbound relay host:
https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/EmailDomainInfo/index.html#emailoutboundrelay

Germany: relay-eu-central-1.prod.hydra.sophos.com