How to integrate FortiMail into Office 365


FortiMail can be integrated with Office 365 to protect your incoming and outgoing emails.

Configuring DNS in Office 365

Before getting started you’ll need to quickly configure Office 365.

 1.  Go to the Manage domains page.

 2.  Choose Add domain to start the setup wizard.

 3.  Enter your domain name.

 4.  Add your DNS records and then select Okay, I’ve added the record.


 5.  Go to your DNS server.

 6.  Change the MX record from Office 365 to FortiMail.


Configuring FortiMail to Accept Office 365

You will now have to configure your FortiMail unit to accept mail from your domain and then forward the mail to Office 365.

 1.  Go to Mail Settings > Domains > Domains.


 2.  Select New to create a new domain or right click a domain and select Edit to edit an existing domain.

 3.  Enter the domain name.

 4.  Enter the SMTP server.

Configuring Office 365 to Accept FortiMail


Now you’ll have to configure Office 365 to accept incoming mail from your FortiMail unit once it’s been checked.

 1.  Go to the Exchange admin center section.

 2.  Select mail flow.

 3.  Select the Plus Sign dropdown menu and select Create a new rule…


 4.  Enter a name for the new rule.

 5.  Select More options.


 6.  Enter the IP address.


 7.  Configure the new rule to drop all inbound mail unless it comes from the FortiMail servers, and select the Accept only from FortiMail checkbox in the rules section of the Exchange admin center.


Configuring Outbound Settings in FortiMail

Now that your inbound mail settings are configured in both Office 365 and FortiMail, you’ll need to configure your outbound settings in FortiMail.

 1.  Open the FortiMail CLI.

 2.  Enter the following commands:

config policy access-control receive
   edit 1
       set sender-ip-mask <Office 365 IP/mask>
       set action relay
   next
   edit 2
       set sender-ip-mask <Office 365 IP/mask>
       set action relay
   next
   edit 3
       set sender-ip-mask <Office 365 IP/mask>
       set action relay
   next
   edit 5

<snip> etc.

 3.  Add Office 365 as a trusted relay in FortiMail.


Configuring Outbound Settings in Office 365

Now you’ll need to make Office 365 relay outgoing mail to FortiMail.

 1.  Create a new connector and enter a descriptive name and description. Select Next.


 2.  Select Office 365 from the From dropdown menu and Partner organization from the To dropdown menu. Select Next.


 3.  Select the Only when I have a transport rule set up that redirects messages to this connector radio button. Select Next.

 4.  Configure the IP or FQDN of the FortiMail. Select Next.


 5.  Select the Any digital certificate, including self-signed certificates radio button. Select Next.

Review the new connector settings and select Next.

 6.  Select Validate. Office 365 will now perform the steps necessary for validation. When it is finished, select Close.

The Status section should say “Succeeded” if the process was successful. Select Save.


Your incoming and outgoing messages will now be protected by FortiMail. You should now take the time to apply a FortiMail AntiVirus and AntiSpam profile.

Note: You can disable Office 365 AntiSpam services if you feel they are no longer required.
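
The inbound rule and the outbound connector configured above, scripted with Exchange Online PowerShell as an added example (not part of the original article and not Fortinet's own code). It assumes the ExchangeOnlineManagement module and an administrator session; the rule and connector names, the 203.0.113.10 address, the fortimail.example.com host and the test recipient are placeholders.

```powershell
# Added example. Every name, address and host below is a placeholder.
Connect-ExchangeOnline

$FortiMailIps  = @('203.0.113.10')        # placeholder: IP(s) FortiMail delivers from
$FortiMailHost = 'fortimail.example.com'  # placeholder: FortiMail IP or FQDN
$RuleMode      = 'Audit'                  # assumption: audit first, then set to 'Enforce'

# Inbound: delete mail from outside the organization unless it comes from FortiMail.
# Without this rule, mail sent straight to the tenant skips FortiMail scanning.
$inboundRule = @{
    Name                   = 'Accept only from FortiMail'
    FromScope              = 'NotInOrganization'
    ExceptIfSenderIpRanges = $FortiMailIps
    DeleteMessage          = $true
    Mode                   = $RuleMode
}
New-TransportRule @inboundRule

# Outbound: partner connector that is used only when a transport rule routes to it.
# EncryptionOnly matches "Any digital certificate, including self-signed certificates".
$connector = @{
    Name                  = 'FML connector'
    ConnectorType         = 'Partner'
    IsTransportRuleScoped = $true
    UseMXRecord           = $false
    SmartHosts            = $FortiMailHost
    TlsSettings           = 'EncryptionOnly'
    Enabled               = $true
}
New-OutboundConnector @connector

# Transport rule that redirects externally addressed mail to the connector.
$routeRule = @{
    Name                          = 'Route outbound via FortiMail'
    FromScope                     = 'InOrganization'
    SentToScope                   = 'NotInOrganization'
    RouteMessageOutboundConnector = 'FML connector'
}
New-TransportRule @routeRule

# Same check as the Validate button, then list the rules and their state.
Validate-OutboundConnector -Identity 'FML connector' -Recipients 'postmaster@example.net'
Get-TransportRule | Format-Table Name, State, Mode, Priority
```

While the inbound rule is in Audit mode it only logs matches and deletes nothing, so mail that bypasses FortiMail is still delivered until the mode is switched to Enforce.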

Mike Mielke

Technical Writer at Fortinet

  • Virtualman007

    What Operating Mode does the Fortimail have to be in? Gateway or transparent for on-prem deployment of Fortimail and Office365 in cloud.

  • We noticed that there are two steps left out to integrate with O365:

    1) You must enable the connector for it to work, validate does not work with the connector disabled.

    2) You must create a new transport rule that references the new connector:

    • Ted Barnes

      Thanks Stu you saved me a lot of trouble.

      • Stuart Berman

        An issue we noticed is that internal email would get routed by Office 365 to FortiMail when it should have been rerouting back through the Hybrid Connector to our on premise Exchange server.

        As an example, externally we use as our public domain.
        Internally we use
        Some servers on the internal network send email to internal users as because they were not set up properly.
        Any responses would get lost when they were sent by O365 to FortiMail.
        So we had to add those internal domains to the ‘exception list’ in the FML rules pictured above.
        We also had to create a new connector for those domains that sends all mail destined for those internal domains to the Hybrid Connector.

        The “FML connector” routes outbound mail to FortiMail instead of directly to the Internet.
        The Hybrid Mail Flow Outbound Connector sends mail directly from O365 to internal Exchange. It is aware of your defined domains.
        The new internal domain connector was created for domains not registered as standard domains but required to be handled as legitimate email.
        The Hybrid Mail Flow Inbound Connector accepts mail from the internal Exchange system to O365.