Ensuring mail delivery: Bypass 3rd Party filters with Receive Connector

In many cases, allowing Hoxhunt to deliver emails directly to your email tenant (e.g. M365) is the best way to ensure most reliable mail delivery of Hoxhunt training emails.

 

Setting up a Receive Connector with Hoxhunt contains two steps:

1. Create a Partner Receive Connector in Exchange/M365
2. Provide Hoxhunt with the MX tenant records of your mail server

 

What is a Receive Connector?

Receive Connector is a way to establish a "pipe" between two mail servers, for example Hoxhunt and your organization's Exchange Online tenant in M365.

Please check the following articles from Microsoft for further information:

Configure mail flow using connectors in Office 365

Set up connectors for secure mail flow with a partner organization

 

Why does Hoxhunt recommend a Receive Connector?

To bypass third-party systems

In some scenarios Hoxhunt may need to bypass additional filtering systems (e.g. email scanners) that might affect normal mail flow to your mail server. Receive Connector is a feature that makes it possible for Hoxhunt to send simulation emails directly to your email system (e.g. O365 or on-premise Exchange). Receive Connector is always recommended for hybrid environments to minimise mail flow issues.

IMPORTANT: Although it's possible to bypass many filter systems with allowlisting, Hoxhunt strongly recommends to configure a Receive Connector. Some filter vendors won't guarantee 100% deliverability for Hoxhunt training emails due to the filter system's design principles.

For more information on allowlisting different filter systems, please check our Knowledge base or contact your filter system vendor. 

Receive_connector_diagram.png

Figure 1: Receive Connector is configured at "OFFICE365" to let "HOXHUNT" bypass other systems in the way.

 

To mitigate throttling and greylisting

In M365, Microsoft's EOP service is monitoring email sending patterns for unusual activity. In certain situations EOP service may start limiting your ability to receive Hoxhunt's emails because of changes in Hoxhunt's sending patterns. Receive Connector is one way to mitigate (minimise) this issue.

 

Step 1. Create a Partner Receive Connector

NOTE: User interface may differ between on-premise Exchange Admin Center and M365 Exchange Admin Center. The following instructions and screenshots are based on M365 user interface.

  1. Go to M365 Exchange Admin Center.
  2. Navigate to Mail Flow > Connectors, and select + Add a connector.
    M365_EAC_Add_connector.png

  3. In New Connector screen, select Partner organization and click Next.
    M365_EAC_New_Connector.png
    NOTE: If you are configuring receive connector for an on-premise Exchange server, please select "Exchange" from the "To" field.


  4. In Connector name screen, provide a name for your Hoxhunt connector.
  5. Under What do you want to do after the connector is saved?, tick Turn it on and click Next.
    M365_EAC_Name.png

  6. In Authenticating sent email screen, select the second option to authenticate by sender IP address.
  7. Add the following IP addresses separately, and click + button to add them to the list below.
    35.156.0.138
    37.139.12.94
  8. Click Next.
    M365_EAC_Authenticating_sent_email.png

  9. Under Security restrictions screen, use the default values (see screensho) and click Next.
    M365_EAC_Security_restrictions.png


  10. Under Review connector screen, verify the configuration is correct and click Create connector.
    M365_EAC_Review_connector.png
You have now successfully configured Hoxhunt Receive Connector.
 
TIP: You can also use the following Powershell command to configure Receive Connector in M365 (Exchange Online):
New-InboundConnector -Name “Hoxhunt Receive Connector” -Enabled $true -SenderDomains * -RequireTls $true -SenderIPAddresses 35.156.0.138,37.139.12.94
 
 

Step 2. Provide Hoxhunt with the MX tenant records of your mail server

1. Go to M365 Admin Center.

2. Navigate to Settings > Domains.

3. Click on your default domain.
M365_AC_Settings_Domains.png


4. Switch to DNS records tab and click on the MX record.

5. In MX Record screen, next to Expected record, locate <MX-token>.mail.protection.outlook.com in column.

6. Provide the value in Points to address or value to Hoxhunt.

 

Example:

Your registered public domain name is company.com

-->

Your M365 tenant's MX record is company-com.mail.protection.outlook.com

 

Note: With on-premise Exchange Server, the MX record is likely derived from the server's FQDN.

 

For more detailed instructions, please check these instructions (Microsoft) or these instructions (O365info.com).

 

Special scenarios

We have more than one tenant configured to our Hoxhunt organization. We cannot receive all training emails via single tenant / Receive Connector.

Hoxhunt is able to support separate Receive Connectors for each of your domains. Please contact Hoxhunt Support for assistance.

 

Increase the amount of allowed simultaneous inbound connections (on-premise Exchange only).

After you have configured a Receive Connector for Hoxhunt in your on-premise Exchange server, it might have a default limit of only 20 simultaneous inbound connections per sender. This can sometimes create sending issues for Hoxhunt.


To see the values of these Receive connector message throttling settings in Exchange, run the following command in the Exchange Management Shell:

Get-ReceiveConnector | Format-List Name,Connection*,MaxInbound*,MessageRate*,TarpitInterval


It’s possible to increase the value via Set-ReceiveConnector cmdlet. We suggest to increase MaxInboundConnectionPerSource value to 200 or more.
Here’s a great article about the default limits for different Receive Connector types:
https://docs.microsoft.com/en-us/exchange/mail-flow/message-rate-limits?view=exchserver-2019#message-throttling-on-receive-connectors

 

 

For more information about Receive connector please contact Hoxhunt Support.

Was this article helpful?

18 out of 18 found this helpful

Have more questions? Submit a request