Properly configured inbound connectors are a trusted source of incoming mail to Microsoft 365 or Office 365. However, there are times when you may prefer using an Enhanced Filtering Connector vs. an Inbound connector when using a third-party filtering solution.

Inbound Connectors - Explicitly trust the IPs and the messages from the IPs listed in the connector. This includes DKIM / SPF / DMARC / Spam checking.

Mail flow diagram for complex routing scenarios

Enhanced Filtering Connectors - Allow 365 to look beyond the IPs of the third party in order to evaluate the reputation, content and technical configuration of the originating IPs.

Mail flow diagram for complex routing scenarios after Enhanced Filtering for Connectors is enabled

As you can see, Enhanced Filtering for connectors allows IP address and sender information to be preserved, which has the following benefits:

  • Improved accuracy for the Microsoft filtering stack and machine learning models, which include:
    • Heuristic clustering
    • Anti-spoofing
    • Anti-phishing
  • Better post-breach capabilities in Automated investigation and response (AIR)
  • Able to use explicit email authentication (SPF, DKIM, and DMARC) to verify the reputation of the sending domain for impersonation and spoof detection.

Use the Security & Compliance Center to configure Enhanced Filtering for Connectors on an inbound connector

  1. In the Security and Compliance Center, go to Threat Management > Policy, and then choose Enhanced Filtering.

  2. In the Enhanced Filtering for Connectors page that opens, do the following steps:

    1. Select the connector that's responsible for receiving inbound mail from the third-party service, device, or on-premises Exchange.
    2. In the connector details flyout that opens, configure one of the following settings:

    • Automatically detect and skip the last IP address: We recommend this option if you have to skip only the last message source.
    • Skip these IP addresses that are associated with the connector: Select this option to configure a list of IP addresses to skip.
    • Disable Enhanced Filtering for Connectors: Turn off Enhanced Filtering for Connectors on the connector.
  3. When you're finished, click Save.

Use Exchange Online PowerShell or Exchange Online Protection PowerShell to configure Enhanced Filtering for Connectors on an inbound connector

Set-InboundConnector -Identity "phishprotection" -EFSkipLastIP $true

In this example, the EFSkipLastIP parameter ignores the last message source (which in a default configuration should be the gateway). This is the preferred implementation method.

  • EFSkipLastIP: Valid values are:

    • $true: Only the last message source is skipped.
    • $false: Skip the IP addresses specified by the EFSkipIPs parameter. If no IP addresses are specified there, Enhanced Filtering for Connectors is disabled on the inbound connector. The default value is $false.

However, if you would prefer to explicitly list all of the IPs assigned to the gateway:

Set-InboundConnector -Identity "phishprotection" -EFSkipLastIP $false -EFSkipIPs <gateway IP addresses, comma-separated>
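To audit which mode each inbound connector is actually in, the following added example (not part of the original article or of Microsoft's documentation) applies the EFSkipLastIP / EFSkipIPs rules described above. The function name Get-EnhancedFilteringState, the connector names other than "phishprotection", and the 192.0.2.x addresses are constructed for illustration.

```powershell
# Added example: classify the Enhanced Filtering state of inbound connectors
# from the EFSkipLastIP / EFSkipIPs values, following the rules on this page.
function Get-EnhancedFilteringState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Connector
    )
    process {
        # Normalize EFSkipIPs to an array and drop null/empty entries.
        $skipIPs = @($Connector.EFSkipIPs | Where-Object { $_ })

        if ($Connector.EFSkipLastIP) {
            # $true: only the last message source is skipped.
            $state = 'SkipLastIP'
        } elseif ($skipIPs.Count -gt 0) {
            # $false with a list: the listed IP addresses are skipped.
            $state = 'SkipListedIPs'
        } else {
            # $false with no list: Enhanced Filtering is disabled on the connector.
            $state = 'Disabled'
        }

        [pscustomobject]@{
            Name       = $Connector.Name
            State      = $state
            SkippedIPs = $skipIPs -join ','
        }
    }
}

# Constructed sample objects standing in for Get-InboundConnector output,
# so the logic can be checked without a tenant connection.
$sample = @(
    [pscustomobject]@{ Name = 'phishprotection'; EFSkipLastIP = $true;  EFSkipIPs = @() }
    [pscustomobject]@{ Name = 'gateway-listed';  EFSkipLastIP = $false; EFSkipIPs = @('192.0.2.10', '192.0.2.11') }
    [pscustomobject]@{ Name = 'legacy-relay';    EFSkipLastIP = $false; EFSkipIPs = @() }
)
$sample | Get-EnhancedFilteringState | Format-Table -AutoSize

# Against a live tenant, after connecting to Exchange Online PowerShell:
# Get-InboundConnector | Get-EnhancedFilteringState | Format-Table -AutoSize
```

Connectors reported as Disabled are the ones where Microsoft 365 still sees only the third-party gateway's IP address as the message source.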

To open the Security & Compliance Center, go to https://protection.office.com

To go directly to the Enhanced Filtering for Connectors page, open https://protection.office.com/skiplisting.

Please review the original source material before making changes to your connectors: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#what-happens-when-you-enable-enhanced-filtering-for-connectors