Restoring Microsoft 365 Defender Features with Enhanced Filtering for Connectors (EFC)


Introduction

Many organisations integrate Microsoft 365 with third-party email security gateways to enhance threat protection, continuity, and encryption. However, routing email through a secure email gateway (SEG) can unintentionally disrupt native Microsoft Defender for Office 365 (MDO) features such as the First Contact Safety Tip and sender-based detection mechanisms.

This article outlines why these issues occur and how to properly configure Microsoft 365 to restore full security feature functionality.


The Problem with Third-Party Gateways

Microsoft Defender for Office 365 provides user-facing features such as:

"You don't often get email from this sender."

These features rely on Microsoft being able to:

  • Accurately identify the original sender IP address

  • Perform SPF/DKIM/DMARC validation

  • Detect new or suspicious senders based on recipient interaction history

When a third-party SEG (e.g., Mimecast, Proofpoint, Barracuda) is used, Microsoft 365 only sees the SEG's IP address. This can prevent it from:

  • Correctly evaluating SPF (fails or becomes misleading)

  • Identifying the true sender

  • Detecting "first contact" situations

As a result, features like the “First Contact Safety Tip” may not display, and sender-based risk analysis may degrade.


Solution: Use Enhanced Filtering for Connectors (Skiplisting)

Microsoft provides a mechanism to address this issue called Enhanced Filtering for Connectors (EFC).

As per Microsoft:

"Configure Exchange Online Protection (EOP) scanning to work correctly when your domain's MX record doesn't route email to EOP first."

Source: Microsoft Learn - Enhanced Filtering for Connectors in Exchange Online.

What EFC Actually Does:

EFC instructs Exchange Online Protection (EOP) to:

  • Ignore the connecting IP address (the SEG).

  • Evaluate the previous IP in the Received: header chain.

This allows Microsoft 365 to assess the original source of the message for:

  • SPF validation.

  • Anti-spam and anti-phishing evaluation.

  • Reputation analysis.

This functionality restores the effectiveness of features such as:

  • First Contact Safety Tips.

  • Spoofing and impersonation detection.

  • Automated threat detection and ML-based scoring.

In effect, EFC tells Microsoft 365 to trust the header information added by the secure email gateway and to extract sender metadata from the earlier stages of the mail delivery path.
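
The hop-skipping behaviour described above, as an added example (a simplified model, not Microsoft's implementation and not from the original article): it reads the Received: chain of a constructed message and returns the IP that would be evaluated under each of the two skip modes. All hostnames, IP addresses and function names are assumptions made for illustration.

```python
import email
import ipaddress
import re

# Constructed sample: sender (198.51.100.25) -> SEG (203.0.113.10) -> Microsoft 365.
# Received headers are prepended, so the newest hop is listed first.
RAW = (
    "Received: from seg-out.example.net (203.0.113.10) by\n"
    " mx.protection.example (10.0.0.5) with SMTP; Tue, 1 Jul 2025 10:00:02 +0000\n"
    "Received: from mail.sender.example ([198.51.100.25]) by\n"
    " seg-in.example.net with ESMTPS; Tue, 1 Jul 2025 10:00:01 +0000\n"
    "Received: from [192.168.1.20] by mail.sender.example with ESMTPSA;\n"
    " Tue, 1 Jul 2025 10:00:00 +0000\n"
    "From: new.contact@sender.example\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")  # IPv4 only, to keep the example short


def hop_ips(raw):
    """Return the connecting IP of each hop, newest first ('from' clause only)."""
    ips = []
    for value in email.message_from_string(raw).get_all("Received", []):
        unfolded = " ".join(value.split())
        from_clause = re.split(r"\sby\s", unfolded, maxsplit=1)[0]
        match = IPV4.search(from_clause)
        if match:
            ips.append(ipaddress.ip_address(match.group()))
    return ips


def evaluated_ip(raw, skip_networks=None):
    """IP the filter would evaluate; None if no earlier hop is left.

    skip_networks=None models "skip the last IP address";
    a list of CIDR strings models "manually specify IP addresses to skip".
    """
    ips = hop_ips(raw)
    if skip_networks is None:
        return ips[1] if len(ips) > 1 else None
    nets = [ipaddress.ip_network(n) for n in skip_networks]
    return next((ip for ip in ips if not any(ip in n for n in nets)), None)


if __name__ == "__main__":
    print(evaluated_ip(RAW))                       # SEG hop skipped
    print(evaluated_ip(RAW, ["203.0.113.0/24"]))   # same result via manual list
    print(evaluated_ip(RAW, ["192.0.2.0/24"]))     # list misses the SEG
```

The third call shows the failure mode of an incomplete manual list: the SEG's own address is what gets evaluated, so SPF and first-contact logic see the gateway rather than the sender.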


Step-by-step configuration:

  1. Access the Microsoft Defender (Security & Compliance) portal.

    1. Log in to https://security.microsoft.com
  2. Navigate to:

    1. Email & Collaboration > Policies & Rules > Threat Policies > Rules > Enhanced Filtering.
  3. Under “Enhanced Filtering for Connectors”:

    1. Select your inbound connector used by the SEG.

    2. Choose one of the following options:

      1. Automatically detect and skip the last IP address (recommended).

      2. Manually specify IP addresses to skip (if the SEG uses variable IPs).

    3. Save the changes and allow some time for propagation.


Verify the Configuration:

Send a test email from an external sender that has never previously contacted your organisation. Check the following:

  • In Outlook (Web or Desktop), see if the First Contact Safety Tip appears.

  • Review message headers for:

X-MS-Exchange-ConnectorSkiplistingVerdict: Skiplisted
Authentication-Results: spf=pass dkim=pass ...

This confirms that Microsoft is now evaluating the correct sender information.


Additional Recommendations:

1. Enable ARC (Authenticated Received Chain)

Ensure your SEG supports and applies ARC headers. This allows Microsoft to trust original SPF/DKIM results even after relaying.

In the Microsoft Defender portal, navigate to:

  • Policies & Rules > Threat Policies > Email authentication settings > Trusted ARC sealers.

  • Create a new record such as:

dkim.mimecast.com

2. Use DKIM Signing

Ensure outbound messages are signed with DKIM either at the SEG or in Microsoft 365.

3. Monitor DMARC Reports

Use aggregate DMARC reports to validate alignment and detect anomalies.


Conclusion

Third-party gateways add critical layers of email protection but can interfere with Microsoft Defender for Office 365 functionality when misconfigured. By enabling Enhanced Filtering for Connectors, organisations restore Microsoft's ability to correctly analyse the sender's identity and reputation.

This ensures features such as the First Contact Safety Tip, anti-spoofing, and reputation-based filtering remain effective — even in complex mail routing scenarios.

Correct configuration of Enhanced Filtering is a best practice for any organisation routing mail through an external gateway before it reaches Microsoft 365.