As you are aware, properly configured inbound connectors to Exchange Online are very important to ensure proper and secure mail flow (including the capability to fight spam and phishing emails).
While the trusted source is usually identified by its IP address(es), in complex scenarios (such as a third-party hygiene solution, an Exchange Hybrid implementation or a managed appliance) this IP address is not always the correct indicator.
To help you improve your mail hygiene implementation while ensuring mail flow continues to work, Office 365/Exchange Online now has an enhanced filtering capability.
In complex routing scenarios where you must point your MX record to something other than Office 365, Enhanced Filtering for Connectors allows EOP to overlook, or skip, your internal (trusted) IP addresses to find the last known external (untrusted) IP address of the message. This previous IP should be the actual source IP address of the message. This feature is known as skip listing.
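An added illustration of skip listing (not code from the original post, and not Microsoft's implementation): a simplified Python model that walks a message's Received headers from the newest hop and returns the first IP that is not on the skip list. The sample message, its addresses and the function names are constructed; `skip_networks` and `skip_last` loosely mirror the EFSkipIPs and EFSkipLastIP parameters.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: newest Received header first. 203.0.113.x stands in for
# the third-party filtering service, 198.51.100.7 for the real sender.
SAMPLE = """\
Received: from filter2.hygiene.example (filter2.hygiene.example [203.0.113.25])
 by mx.recipient.example with ESMTPS; Tue, 01 Jan 2019 10:00:03 +0000
Received: from filter1.hygiene.example (filter1.hygiene.example [203.0.113.10])
 by filter2.hygiene.example with ESMTP; Tue, 01 Jan 2019 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
 by filter1.hygiene.example with ESMTP; Tue, 01 Jan 2019 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test message

body
"""

IP_IN_BRACKETS = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def hop_ips(raw_message):
    """Return the connecting IP of each Received header, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(header)
        if m:
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # bracketed text that is not an IP literal
    return ips

def effective_source_ip(raw_message, skip_networks=(), skip_last=False):
    """Walk hops newest-first, skipping trusted ones; return the first untrusted IP."""
    nets = [ipaddress.ip_network(n) for n in skip_networks]
    hops = hop_ips(raw_message)
    if skip_last and hops:
        hops = hops[1:]  # ignore only the hop that connected to the final MX
    for ip in hops:
        if not any(ip in net for net in nets):
            return str(ip)
    return None  # every recorded hop was trusted; no external source found
```

In this model, setting only `skip_last` still returns the service's inner relay, so a multi-hop service needs its whole range on the skip list. The walk stops at the first untrusted hop because every header below that point was supplied by the sending side.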
To start implementing this enhanced filtering feature, log on to your Security and Compliance portal (https://protection.office.com/) and go to the Threat management\Policy blade.
There you will find the new Enhanced Filtering option.
When you open Enhanced Filtering, it lists your existing inbound connectors and the status of the filtering option for each (the default is Disabled).
When you click one of these connectors, you can configure the enhanced filtering as well as the users to which it will apply.
It is recommended to first apply it to a subset of your users so you can monitor the results.
You can also use the Security and Compliance PowerShell command:
Set-InboundConnector -Identity <inboundconnector> [-EFSkipLastIP <$true | $false>] [-EFSkipIPs <IPAddresses>] [-EFUsers "emailaddress1","emailaddress2"]
The Security and Compliance portal can help you identify whether you have domain(s) falling under such a complex scenario: check the Threat Management\Dashboard and use the Domains where email isn’t routed to Office 365 widget, which gives you the list of ‘impacted’ domains and where they are pointing.
NOTE: this checks whether the MX record is set to point to Office 365; if you point it to a CNAME which then points to Office 365, the domain will be identified as being in the ‘complex routing’ scenario.