mxHERO Email Routing
Office 365 Configuration Guide
ARC Sealing • DKIM • SPF • DMARC • Exchange Connectors
1. Overview
mxHERO acts as an email processing intermediary: it receives messages, modifies content in transit, and re-delivers them to the final destination. This guide covers all Office 365 configuration required to ensure reliable mail flow and correct email authentication (SPF, DKIM, DMARC) throughout the mxHERO processing hop.
mxHERO uses ARC (Authenticated Received Chain) sealing to cryptographically preserve the original authentication state of every message it processes. This means Office 365 can correctly validate authentication even after mxHERO has modified the message body or headers.
Deployment Architectures
This guide covers the following deployment patterns:
- Inbound — Loopback: External sender → O365 (hop 1) → mxHERO (hop 2) → O365 (hop 3) → Recipient mailbox
- Inbound — Border System: External sender → Proofpoint / Barracuda / other gateway → mxHERO → O365 → Recipient mailbox
- Outbound — Standard: Sender (O365) → mxHERO → External recipient MX
- Outbound — Loopback: Sender (O365) → mxHERO → O365 → External recipient
Steps marked “Loopback only” apply when O365 routes mail to mxHERO via a mail flow rule (inbound and/or outbound loopback). Steps without that label apply to all architectures.
2. mxHERO Connection Details
Use the following endpoints and IP addresses when configuring connectors and spam bypass policies. These values are required in several steps throughout this guide.
2.1 SMTP Endpoints
Inbound (mail flowing into mxHERO for processing): smtp-in.mxhero.com
Outbound (mxHERO delivering to external recipients): smtp.mxhero.com
(alias: smtp-relay.mxhero.com)
Use smtp-in.mxhero.com for inbound connectors and smtp.mxhero.com for outbound connectors. Mixing these up is a common source of misconfiguration.
2.2 mxHERO IP Addresses
Use these IPs when configuring connector IP restrictions and spam bypass rules:
54.208.111.28 54.236.184.32 54.165.252.128 54.165.253.193 3.211.77.148 52.22.51.97 54.209.222.83 107.23.152.206
Your mxHERO account team will notify you if new IPs are added. Keep connector IP restrictions and bypass rules in sync with any changes.
3. Prevent TNEF Encapsulation
Office 365 can wrap outbound messages in TNEF (Transport Neutral Encapsulation Format), a proprietary Microsoft format that produces unreadable .winmail.dat attachments at non-Microsoft recipients. This interferes with mxHERO’s content processing and must be disabled.
Run the following in Exchange Online PowerShell:
# Exchange Online PowerShell
Set-RemoteDomain Default -TNEFEnabled $false
Web admin alternative — Exchange Admin Center:
Exchange Admin Center → Mail flow → Remote domains → Default → Edit
Under “Exchange rich-text format (TNEF)”: Use Exchange rich-text format: Never
4. ARC Trusted Sealers
This is the primary authentication configuration. It instructs Office 365 to honor the ARC seals placed by mxHERO, allowing DMARC to pass even when content modification has broken the original DKIM signature.
Run the following command in Exchange Online PowerShell:
# Exchange Online PowerShell
Set-ArcConfig -Identity Default -ArcTrustedSealers mxhero.com
# Verify:
Get-ArcConfig | Select-Object Identity, ArcTrustedSealers
Web admin alternative — Microsoft Defender portal:
Location: https://security.microsoft.com/authentication?viewid=ARC
(Microsoft Defender portal → Email & Collaboration → Policies & Rules → Threat Policies → Advanced delivery → ARC tab)
Add trusted ARC sealer: mxhero.com
Once applied, Office 365 evaluates authentication based on mxHERO’s ARC seal rather than the raw SPF/DKIM result at the final delivery hop. This works for both loopback and border system inbound architectures.
5. Inbound Configuration
The steps in sections 5.1, 5.2, and 5.5 are required regardless of whether you are using a loopback or border system architecture — they configure O365 to correctly accept and authenticate mail that has been processed by mxHERO.
5.1 Inbound Connector
Create an inbound connector so that Office 365 accepts and trusts mail arriving from mxHERO’s servers. The connector is matched by mxHERO’s IP addresses, but the domain restriction flag is off — so other inbound paths in the same tenant (border systems, direct delivery for non-mxHERO accounts) are unaffected and continue to work through their own connectors.
Location: Exchange Admin Center → Mail flow → Connectors → + Add a connector
From: Partner organization
To: Office 365
Name: mxHERO Tenant Connector
Sender IPs: <mxHERO IP ranges — see section 2.2>
Require TLS: Yes
PowerShell equivalent:
# Exchange Online PowerShell
New-InboundConnector `
-Name "mxHERO Tenant Connector" `
-ConnectorType Partner `
-SenderIPAddresses @("54.208.111.28","54.236.184.32","54.165.252.128","54.165.253.193", `
"3.211.77.148","52.22.51.97","54.209.222.83","107.23.152.206") `
-RequireTls $true `
-Enabled $true
5.2 Connection Filter — IP Allow List
This step adds mxHERO’s IP addresses to the Exchange Online Protection Connection Filter allow list. Mail arriving from these IPs bypasses spam filtering entirely, which also suppresses the anti-spoofing alerts that mxHERO’s re-delivery would otherwise trigger.
Microsoft 365 Defender portal (recommended):
Location: Microsoft 365 Defender portal → Email & collaboration → Policies & rules
→ Threat policies → Anti-spam → Connection filter policy (Default) → Edit
Under "IP Allow List", add each mxHERO IP address:
54.208.111.28
54.236.184.32
54.165.252.128
54.165.253.193
3.211.77.148
52.22.51.97
54.209.222.83
107.23.152.206
Alternative — Exchange Admin Center:
Exchange Admin Center → Policies & rules → Threat policies → Anti-spam → Connection filter policy (Default) → Edit → IP Allow List
PowerShell equivalent:
# Exchange Online PowerShell
# Adds mxHERO IPs to the connection filter allow list (preserves existing entries)
$mxheroIPs = @(
"54.208.111.28","54.236.184.32","54.165.252.128","54.165.253.193",
"3.211.77.148","52.22.51.97","54.209.222.83","107.23.152.206"
)
$existing = (Get-HostedConnectionFilterPolicy "Default").IPAllowList
$combined = ($existing + $mxheroIPs) | Sort-Object -Unique
Set-HostedConnectionFilterPolicy "Default" -IPAllowList $combined
5.3 Outbound Connector — Route Inbound to mxHERO (Loopback only)
Required only in loopback architecture. This connector tells Office 365 to route inbound mail to mxHERO for processing. The mail flow rule in section 5.4 directs mail through this connector.
Location: Exchange Admin Center → Mail flow → Connectors → + Add a connector
From: Office 365
To: Partner organization
Name: mxHERO Inbound Route
Routing: Smart host → smtp-in.mxhero.com
TLS: Required
When to use: Only when a mail flow rule routes to this connector
PowerShell equivalent:
# Exchange Online PowerShell
New-OutboundConnector `
-Name "mxHERO Inbound Route" `
-SmartHosts "smtp-in.mxhero.com" `
-UseMXRecord $false `
-IsTransportRuleScoped $true `
-TlsSettings CertificateValidation
5.4 Mail Flow Rule — Route Inbound to mxHERO (Loopback only)
Required only in loopback architecture, where O365 is both the first and last inbound hop. This rule intercepts inbound external mail and redirects it to mxHERO for processing before mailbox delivery.
Location: Exchange Admin Center → Mail flow → Rules → + Add a rule
Full organization — route all inbound mail
Name: Route inbound mail via mxHERO
Condition: The sender is located → Outside the organization
Condition: The recipient is located → Inside the organization
Action: Route message via → mxHERO Inbound Route connector
Action: Set the message header X-mxHero-Transport-Agent
to value: <value from mxHERO Dashboard → Settings → Gateway>
Exception: A message header includes
Header name: X-mxHero-Server
Header value: <value from mxHERO Dashboard → Settings → Gateway>
Selective routing — route only specific recipients
To limit mxHERO processing to a specific group of recipients rather than the entire organization, replace the “The recipient is located → Inside the organization” condition with a group membership condition:
Name: Route inbound mail via mxHERO (selective)
Condition: The sender is located → Outside the organization
Condition: The recipient is a member of → <mxHERO Recipients group>
Action: Route message via → mxHERO Inbound Route connector
Action: Set the message header X-mxHero-Transport-Agent
to value: <value from mxHERO Dashboard → Settings → Gateway>
Exception: A message header includes
Header name: X-mxHero-Server
Header value: <value from mxHERO Dashboard → Settings → Gateway>
Create the group in Microsoft 365 Admin Center → Teams & groups first. Add the mailboxes whose inbound mail should be processed by mxHERO. Messages to addresses outside this group will be delivered normally without going through mxHERO.
Two actions are configured on this rule: the first routes mail to mxHERO via the mxHERO Inbound Route connector; the second stamps the X-mxHero-Transport-Agent header onto the message so mxHERO can identify your tenant. The X-mxHero-Server exception is the loop prevention mechanism — mxHERO adds this header to every processed message it returns, causing the rule to skip re-routing it. Retrieve your unique hash value from the mxHERO Dashboard → Settings → Gateway.
PowerShell equivalent (full organization):
# Exchange Online PowerShell
# Conditions mirror the rule above (external sender, internal recipient). Both
# mxHERO headers are listed as exceptions so a message mxHERO has already
# processed (stamped with X-mxHero-Server) is never routed a second time.
New-TransportRule `
-Name "mxHERO - Route Inbound" `
-FromScope NotInOrganization `
-SentToScope InOrganization `
-ExceptIfHeaderMatchesMessageHeader "X-mxHero-Transport-Agent" `
-ExceptIfHeaderMatchesPatterns "<your-domain-hash>" `
-ExceptIfHeaderContainsMessageHeader "X-mxHero-Server" `
-ExceptIfHeaderContainsWords "<your-domain-hash>" `
-RouteMessageOutboundConnector "mxHERO Inbound Route" `
-SetHeaderName "X-mxHero-Transport-Agent" `
-SetHeaderValue "<your-domain-hash>"
5.5 mxHERO Dashboard — Server Configuration
Configure the Server field in the mxHERO Dashboard to tell mxHERO where to deliver processed messages. This is required for all deployments — mxHERO must know your Office 365 MX endpoint to route processed mail back to your organization. For inbound loopback, this is the endpoint where processed inbound messages are returned for mailbox delivery. For non-loopback (border system) deployments, set this to your O365 MX so that mxHERO can still route directly to Exchange when needed.
mxHERO Dashboard → Settings → Organization and domains → Domains → Edit
Server: <your-tenant>.mail.protection.outlook.com
(your Office 365 inbound MX hostname — found in Microsoft 365 Admin Center
under Settings → Domains → <your domain> → MX record)
The Server field is mandatory. If it is not set or is set incorrectly, mxHERO cannot complete inbound delivery and messages will bounce.
Border system deployments (Barracuda, Proofpoint, etc.): Even if you are not using a loopback architecture, it is strongly recommended that you configure your border appliance to add the X-mxHero-Transport-Agent header (value: your domain hash from mxHERO Dashboard → Settings → Gateway) to every message it relays through mxHERO. This header identifies your tenant to mxHERO for logging, scoping, and feature purposes. Unlike loopback deployments, border systems do not loop mail back through themselves, so you do not need to add an X-mxHero-Server exception — the header is simply stamped on outgoing relay traffic.
5.6 Summary — Inbound
| Configuration | Location | Status | Purpose |
|---|---|---|---|
| Inbound Connector (mxHERO Tenant Connector) | Exchange Admin Center | ✅ Required | Accept and trust mail from mxHERO’s IP addresses |
| ARC Trusted Sealers (mxhero.com) | Exchange Online PowerShell | ✅ Required | Honor mxHERO ARC seals; DMARC pass after content modification |
| Connection Filter — IP Allow List | Exchange Admin Center | ✅ Required | Bypass spam filtering on mxHERO IPs; suppress anti-spoofing alerts |
| Disable TNEF (Set-RemoteDomain Default) | Exchange Online PowerShell | ✅ Required | Prevent .winmail.dat wrapping that breaks mxHERO processing |
| Outbound Connector (mxHERO Inbound Route) | Exchange Admin Center | ⚠ Loopback only | Send inbound mail to mxHERO for processing (loopback only) |
| Mail Flow Rule: route inbound to mxHERO | Exchange Admin Center | ⚠ Loopback only | Route inbound mail through mxHERO before mailbox delivery |
| mxHERO Dashboard → Server field | mxHERO Dashboard | ✅ Required | mxHERO delivers processed mail back to the O365 tenant MX |
6. Outbound Configuration
These steps configure Office 365 to route outbound mail through mxHERO for processing before delivery to the recipient.
6.1 Outbound Connector
Location: Exchange Admin Center → Mail flow → Connectors → + Add a connector
From: Office 365
To: Partner organization
Name: mxHERO Outbound Route
Routing: Smart host → smtp.mxhero.com
TLS: Required
When to use: Only when a mail flow rule routes to this connector
PowerShell equivalent:
# Exchange Online PowerShell
# Smart host is the outbound endpoint from section 2.1 (smtp-relay.mxhero.com is an alias)
New-OutboundConnector `
-Name "mxHERO Outbound Route" `
-SmartHosts "smtp.mxhero.com" `
-UseMXRecord $false `
-IsTransportRuleScoped $true `
-TlsSettings CertificateValidation
6.2 Mail Flow Rule — Route Outbound via mxHERO
Location: Exchange Admin Center → Mail flow → Rules → + Add a rule
Full organization — route all outbound mail
Name: Route outbound via mxHERO
Condition: The sender is located → Inside the organization
Condition: The recipient is located → Outside the organization
Exception: A message header matches
Header name: X-mxHero-Transport-Agent
Header value: <value from mxHERO Dashboard → Settings → Gateway>
Exception: A message header matches
Header name: X-mxHero-Server
Header value: <value from mxHERO Dashboard → Settings → Gateway>
Action: Route message via → mxHERO Outbound Route connector
Action: Set the message header X-mxHero-Transport-Agent
to value: <value from mxHERO Dashboard → Settings → Gateway>
Selective routing — route only specific senders
To process only a specific group of senders, add a group membership condition:
Name: Route outbound via mxHERO (selective)
Condition: The sender is located → Inside the organization
Condition: The sender is a member of → <mxHERO Senders group>
Condition: The recipient is located → Outside the organization
Exception: A message header matches
Header name: X-mxHero-Transport-Agent
Header value: <value from mxHERO Dashboard → Settings → Gateway>
Exception: A message header matches
Header name: X-mxHero-Server
Header value: <value from mxHERO Dashboard → Settings → Gateway>
Action: Route message via → mxHERO Outbound Route connector
Action: Set the message header X-mxHero-Transport-Agent
to value: <value from mxHERO Dashboard → Settings → Gateway>
PowerShell equivalent (full organization):
# Exchange Online PowerShell
# Conditions mirror the rule above (internal sender, external recipient); the rule
# is skipped when either mxHERO header already carries the tenant hash.
New-TransportRule `
-Name "mxHERO - Route Outbound" `
-FromScope InOrganization `
-SentToScope NotInOrganization `
-ExceptIfHeaderMatchesMessageHeader "X-mxHero-Transport-Agent" `
-ExceptIfHeaderMatchesPatterns "<your-domain-hash>" `
-ExceptIfHeaderContainsMessageHeader "X-mxHero-Server" `
-ExceptIfHeaderContainsWords "<your-domain-hash>" `
-RouteMessageOutboundConnector "mxHERO Outbound Route" `
-SetHeaderName "X-mxHero-Transport-Agent" `
-SetHeaderValue "<your-domain-hash>"
6.3 mxHERO Dashboard — Relay Server Configuration
Configure the Relay Server field in the mxHERO Dashboard when mxHERO needs to route processed outbound messages back through O365 or through an external/border relay system. This applies in outbound loopback architecture (where O365 is the final delivery hop) and in any scenario where outbound mail must transit through a border MTA before reaching external recipients:
mxHERO Dashboard → Settings → Organization and domains → Domains → Edit
Relay Server: <your-tenant>.mail.protection.outlook.com
(your Office 365 inbound MX hostname — same as the Server field
used for inbound loopback in section 5.5)
The Relay Server field tells mxHERO where to send processed outbound messages. In outbound loopback, this is your O365 tenant MX: mxHERO routes the processed message there, O365 accepts it via the inbound connector (section 5.1), and then delivers it externally. In border system deployments, this can be set to the hostname of an external/border MTA through which outbound mail must transit before reaching external recipients. The loop prevention exceptions in the outbound mail flow rule (section 6.2: X-mxHero-Transport-Agent and X-mxHero-Server) ensure the outbound routing rule does not fire again on the returning message.
6.4 Inbound Connector for Return Trip (Loopback only)
In outbound loopback, mxHERO sends the processed message back to O365. The mxHERO Tenant Connector (section 5.1) already covers mxHERO’s IP addresses for inbound acceptance, so no additional connector is needed for outbound loopback return delivery. For reference, that connector’s settings are:
From: Partner organization
To: Office 365
Name: mxHERO Tenant Connector
Sender IPs: <mxHERO IP ranges — see section 2.2>
Require TLS: Yes
6.5 SPF Record
Required for all deployments regardless of architecture. Include mxHERO’s sending infrastructure in your domain’s SPF record so that messages originating from mxHERO IPs pass SPF checks at external recipients.
v=spf1 include:spf.protection.outlook.com include:_spf.mxhero.com ~all
The include:_spf.mxhero.com entry covers all mxHERO sending IPs. Note the leading underscore — a common mistake is using include:mxhero.com without _spf, which points to a different or missing DNS record. Merge this include into your existing SPF record rather than creating a duplicate TXT record.
6.6 Summary — Outbound
| Configuration | Location | Status | Purpose |
|---|---|---|---|
| Outbound Connector (mxHERO Outbound Route) | Exchange Admin Center | ✅ Required | Route outbound mail to mxHERO |
| Mail Flow Rule: route outbound via connector | Exchange Admin Center | ✅ Required | Scope routing to outbound; optionally limit to a sender group |
| Customer SPF includes _spf.mxhero.com | Customer DNS | ✅ All architectures | mxHERO sending IPs authorized; safety net for all scenarios |
| Loop prevention exceptions (X-mxHero-Transport-Agent + X-mxHero-Server) | Exchange Admin Center | ✅ Required | Prevent re-routing of mxHERO-processed messages (included in §6.2 rule) |
| mxHERO Dashboard → Relay Server field | mxHERO Dashboard | ⚠ Loopback / border relay | Route processed outbound to O365 (loopback) or border MTA for external delivery |
| Inbound connector for mxHERO return trip (mxHERO Tenant Connector) | Exchange Admin Center | ⚠ Loopback only | Accept processed mail back from mxHERO |
7. Architecture Quick Reference
| Step | Inbound Border System | Inbound Loopback | Outbound Standard | Outbound Loopback |
|---|---|---|---|---|
| Inbound Connector (mxHERO Tenant Connector) | ✅ | ✅ | -- | -- |
| ARC Trusted Sealers | ✅ | ✅ | -- | -- |
| Connection Filter — IP Allow List | ✅ | ✅ | -- | -- |
| Disable TNEF Encapsulation | ✅ | ✅ | ✅ | ✅ |
| SPF: include:_spf.mxhero.com | ✅ | ✅ | ✅ | ✅ |
| Outbound Connector (mxHERO Inbound Route) | -- | ✅ | -- | -- |
| Mail Flow Rule → mxHERO (inbound) | -- | ✅ | -- | -- |
| mxHERO Dashboard → Server field | ✅ | ✅ | ✅ | ✅ |
| Outbound Connector (mxHERO Outbound Route) | -- | -- | ✅ | ✅ |
| Mail Flow Rule (outbound) | -- | -- | ✅ | ✅ |
| Loop prevention exceptions (X-mxHero-Transport-Agent + X-mxHero-Server) | -- | ✅ * | ✅ | ✅ |
| mxHERO Dashboard → Relay Server field | -- | -- | -- | ✅ |
| Return-trip inbound connector | -- | -- | -- | ✅ |
* Loop prevention exception is not required in inbound border system architecture because the border gateway — not O365 — routes mail to mxHERO. There is no O365 mail flow rule that could re-fire on the return trip.
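The following post-deployment check is an added example, not part of the mxHERO guide or its tooling: it reads back each setting from sections 3 to 6 and reports pass/fail per row of the quick reference. It assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline), Windows' Resolve-DnsName for the SPF lookup, and the connector and rule names used in this guide; $Domain and $DomainHash are placeholders you supply.

```powershell
# Added example, not part of the mxHERO guide: checks the tenant against the steps in
# sections 3 to 6. Assumes an active Exchange Online PowerShell session
# (Connect-ExchangeOnline) and, for the SPF check, Windows' Resolve-DnsName cmdlet.
param(
    [string]$Domain = "example.com",            # your accepted domain (assumed value)
    [string]$DomainHash = "<your-domain-hash>"  # from mxHERO Dashboard -> Settings -> Gateway
)
# mxHERO IPs from section 2.2
$mxheroIPs = @("54.208.111.28","54.236.184.32","54.165.252.128","54.165.253.193",
               "3.211.77.148","52.22.51.97","54.209.222.83","107.23.152.206")
$results = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, $Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Ok; Detail = $Detail })
}
# Exchange returns IPRange / SmartHost objects; compare on their string form
function AsStrings($Items) { @($Items | ForEach-Object { "$_" }) }

# Section 3: TNEF must be off for the Default remote domain
$tnef = (Get-RemoteDomain Default).TNEFEnabled
Add-Check "TNEF disabled" ($tnef -eq $false) "TNEFEnabled=$tnef"

# Section 4: mxhero.com must be a trusted ARC sealer
$sealers = AsStrings (Get-ArcConfig).ArcTrustedSealers
Add-Check "ARC trusted sealer" ($sealers -contains "mxhero.com") ("Sealers: " + ($sealers -join ","))

# Section 5.1: inbound connector lists every mxHERO IP and requires TLS
$inb = Get-InboundConnector "mxHERO Tenant Connector" -ErrorAction SilentlyContinue
$inbIPs = AsStrings $inb.SenderIPAddresses
$missing = @($mxheroIPs | Where-Object { $inbIPs -notcontains $_ })
Add-Check "Inbound connector" ($inb -and $inb.RequireTls -and $missing.Count -eq 0) `
    ("Missing IPs: " + ($missing -join ","))

# Section 5.2: connection filter allow list covers every mxHERO IP
$allow = AsStrings (Get-HostedConnectionFilterPolicy Default).IPAllowList
$missing = @($mxheroIPs | Where-Object { $allow -notcontains $_ })
Add-Check "IP Allow List" ($missing.Count -eq 0) ("Missing IPs: " + ($missing -join ","))

# Sections 5.3 / 6.1: smart host is the right endpoint (section 2.1) and the
# connector only fires from a mail flow rule
foreach ($pair in @(@("mxHERO Inbound Route","smtp-in.mxhero.com"),
                    @("mxHERO Outbound Route","smtp.mxhero.com"))) {
    $c = Get-OutboundConnector $pair[0] -ErrorAction SilentlyContinue
    $hosts = AsStrings $c.SmartHosts
    $ok = $c -and ($hosts -contains $pair[1]) -and $c.IsTransportRuleScoped
    Add-Check "Outbound connector $($pair[0])" $ok ("SmartHosts: " + ($hosts -join ","))
}

# Sections 5.4 / 6.2: every rule routing to an mxHERO connector must carry the
# X-mxHero-Server loop-prevention exception and stamp the tenant hash
Get-TransportRule | Where-Object { "$($_.RouteMessageOutboundConnector)" -like "mxHERO*" } |
    ForEach-Object {
        $guard = ("$($_.ExceptIfHeaderMatchesMessageHeader)" -eq "X-mxHero-Server") -or
                 ("$($_.ExceptIfHeaderContainsMessageHeader)" -eq "X-mxHero-Server")
        $stamp = ("$($_.SetHeaderName)" -eq "X-mxHero-Transport-Agent") -and
                 ("$($_.SetHeaderValue)" -eq $DomainHash)
        Add-Check "Rule '$($_.Name)' loop guard + stamp" ($guard -and $stamp) "State=$($_.State)"
    }

# Section 6.5: the domain's SPF TXT record must include _spf.mxhero.com
$spf = @((Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
         Where-Object { $_ -like "v=spf1*" }) -join " "
Add-Check "SPF include" ($spf -like "*include:_spf.mxhero.com*") "SPF: $spf"

$results | Format-Table -AutoSize
```

Any row reporting Pass = False points at the section to revisit; loopback-only rows are expected to fail in a border system deployment.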
8. Troubleshooting
compauth=fail reason=001 in message headers
Office 365 is evaluating authentication from scratch rather than honoring mxHERO’s ARC seal. Check:
- Run Get-ArcConfig and confirm mxhero.com appears in ArcTrustedSealers
- Verify the inbound connector lists mxHERO’s IP addresses in SenderIPAddresses (section 2.2)
- Confirm the message arrived from one of the listed mxHERO IPs
compauth=pass reason=130 in message headers
Expected success result. Office 365 accepted mxHERO’s ARC seal and authentication passed via the trusted sealer mechanism. No action required.
Messages received with .winmail.dat attachment
TNEF encapsulation is still active. Verify the command was applied: run Get-RemoteDomain Default | Select TNEFEnabled and confirm the value is False.
Mail loops (“too many hops” bounce)
The loop prevention exception is missing or not matching. Verify:
- The X-mxHero-Server exception is on the correct mail flow rule (inbound and/or outbound loopback rule)
- The header value in the exception exactly matches the value in mxHERO Dashboard → Settings → Gateway
- For outbound loopback, verify the mxHERO Dashboard → Relay Server is set to your O365 tenant MX
DKIM fail at external recipients
mxHERO modifies message content, breaking the original DKIM signature. This is expected and handled by ARC at O365. For external recipients that do not support ARC, confirm with your mxHERO account team that outbound DKIM re-signing is enabled for your domain.
SPF fail at external recipients (outbound standard)
Verify your domain’s SPF record includes include:_spf.mxhero.com (note the leading underscore). A common mistake is using include:mxhero.com without the _spf prefix, which points to a different or missing DNS record.
Selective inbound routing: a recipient is not being processed by mxHERO
Check that the recipient’s mailbox is a member of the group defined in the mail flow rule condition. In Microsoft 365 Admin Center, open the group and verify the user is listed as a member. Group membership changes may take a few minutes to propagate.
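The troubleshooting checks above can be applied to a saved message header block. The following function is an added example, not part of the mxHERO guide: it unfolds the raw headers, pulls out the compauth result, the ARC seal count, the Received hop count and the two mxHERO headers, and maps them to the cases listed in this section. The sample header is constructed for illustration (hostnames, IPs and the signature are placeholders), and the hop threshold is an assumption rather than an Exchange limit.

```powershell
function Get-HeaderValues {
    param([string[]]$Lines, [string]$Name)
    # Every value of one header, in order (header names are case-insensitive)
    $pattern = '^' + [regex]::Escape($Name) + ':\s*(.*)$'
    foreach ($l in $Lines) { if ($l -match $pattern) { $Matches[1].Trim() } }
}

function Test-MxHeroHeaders {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Unfold RFC 5322 continuation lines so each header occupies one line
    $lines = ($RawHeaders -replace "`r?`n[ \t]+", " ") -split "`r?`n"

    # Office 365 writes its composite verdict (compauth=... reason=...) into Authentication-Results
    $authRes = (Get-HeaderValues $lines 'Authentication-Results') -join ' '
    $compauth = $null; $reason = $null
    if ($authRes -match 'compauth=(\w+)\s+reason=(\d+)') { $compauth = $Matches[1]; $reason = $Matches[2] }

    $server = @(Get-HeaderValues $lines 'X-mxHero-Server')          # loop-prevention marker added by mxHERO
    $agent  = @(Get-HeaderValues $lines 'X-mxHero-Transport-Agent') # tenant hash stamped by the mail flow rule
    $hops   = @(Get-HeaderValues $lines 'Received').Count
    $seals  = @(Get-HeaderValues $lines 'ARC-Seal').Count

    # Map to the cases in section 8; the hop threshold is an assumption, not an Exchange limit
    $verdict = switch ($true) {
        ($hops -gt 12)                                { 'Possible mail loop: check the X-mxHero-Server exception'; break }
        ($compauth -eq 'pass' -and $reason -eq '130') { 'OK: trusted ARC seal honored'; break }
        ($compauth -eq 'fail' -and $reason -eq '001') { 'ARC seal not honored: check Get-ArcConfig and connector IPs'; break }
        ($seals -eq 0)                                { 'No ARC-Seal: message may not have passed through mxHERO'; break }
        default                                       { 'Review: unrecognized combination' }
    }

    [pscustomobject]@{
        CompAuth = $compauth; Reason = $reason; ArcSeals = $seals; ReceivedHops = $hops
        HasServerHeader = ($server.Count -gt 0); TransportAgent = ($agent -join ','); Verdict = $verdict
    }
}

# Constructed sample (illustrative values only): an inbound loopback message on its
# return trip from mxHERO, carrying a trusted-sealer pass
$sample = @"
Received: from smtp-in.mxhero.com (54.208.111.28) by mail.protection.outlook.com
 with ESMTPS; Mon, 1 Jan 2024 00:00:03 +0000
Received: from mail.protection.outlook.com by smtp-in.mxhero.com; Mon, 1 Jan 2024 00:00:02 +0000
Received: from sender.example (203.0.113.5) by mail.protection.outlook.com; Mon, 1 Jan 2024 00:00:01 +0000
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=mxhero.com; s=arc; t=1704067202; b=<signature omitted>
Authentication-Results: spf=pass smtp.mailfrom=sender.example; dkim=fail (body hash did not verify);
 dmarc=pass action=none header.from=sender.example; compauth=pass reason=130
X-mxHero-Server: <your-domain-hash>
X-mxHero-Transport-Agent: <your-domain-hash>
Subject: test
"@
Test-MxHeroHeaders $sample | Format-List
```

For the sample above the function reports three Received hops, one ARC seal, HasServerHeader True and the verdict "OK: trusted ARC seal honored"; paste a real header block in place of $sample to diagnose a live message.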