Microsoft 365 ships with Exchange Online Protection (EOP), and as a baseline it’s fine. But its stronger protection is a paid, per-user add-on, and plenty of teams would rather not pay per seat for email security, or tie that security to the same vendor that runs their mail. Putting a secure email gateway in front of Microsoft 365 gives you independent filtering at a flat, per-server cost, plus real defense-in-depth. This guide walks through how that works with Hermes Secure Email Gateway, a self-hosted, open-source gateway, including the parts people most often get wrong (connector lock-down and ARC).
Why put a gateway in front of Microsoft 365?
For most teams the honest headline reason is cost, followed by independence and control.
- Stop paying per user for security add-ons. Microsoft’s stronger email protection isn’t in base M365, it lives in Defender for Office 365 (Plan 1/Plan 2), a per-user, per-month add-on that provides Safe Links (time-of-click URL protection) and Safe Attachments (sandboxing). A gateway lets you drop that add-on and replace it with a flat per-server license that doesn’t scale with headcount, and Hermes Pro’s Link Guard is the direct equivalent of Safe Links. (Straight talk: Hermes does anti-malware with ClamAV and managed feeds, which is robust, but it isn’t a 1:1 replacement for Safe Attachments’ cloud detonation/sandboxing.)
- Defense-in-depth. A separate filtering engine catches what EOP’s baseline misses, before mail reaches your tenant. Two different engines beat one.
- Vendor independence. Your security policies, logs, and quarantine aren’t locked to your mailbox provider. If you ever leave M365, the gateway and its rules come with you.
- Data ownership & control. Filtering, logs, and quarantine stay on hardware you control, with full DKIM/DMARC/ARC tooling EOP does thinly or not at all.
- Encryption that stays in the mailbox. Hermes can automatically encrypt outbound and decrypt inbound mail at the gateway (S/MIME, PGP, TLS, encrypted-PDF), so messages arrive as normal, searchable mail in the user’s mailbox on your infrastructure. Microsoft’s Purview Message Encryption (formerly OME) instead delivers external recipients an HTML attachment that opens a browser-based viewer where they sign in or enter a one-time passcode. (M365 supports S/MIME too, but it requires per-user certificate management.) See the S/MIME & PGP encryption guide.
How the architecture works
A gateway sits at the edge of your mail flow. Inbound mail is filtered before it reaches Microsoft, and outbound mail is routed back out through the gateway so it can be signed and processed:
Inbound: MX → Hermes (spam, malware, policy, link rewriting) → relay to Microsoft 365 → mailbox.
Outbound: Microsoft 365 → outbound connector → Hermes (DKIM signing, disclaimers, encryption) → Internet.
The two halves are configured independently, and both matter: inbound filtering is pointless if attackers can deliver straight to your tenant and bypass it, and outbound routing is what lets you sign and brand mail consistently.
Inbound: filter before Microsoft 365
You point your domain’s MX records at Hermes. Hermes accepts, filters, and then relays clean mail to your tenant’s Microsoft endpoint, the host Microsoft assigns each domain, in the form yourdomain-com.mail.protection.outlook.com. In Hermes you add the domain as a relay domain and set that endpoint as the delivery destination.
The critical second step is locking the tenant down so it only accepts inbound mail from your gateway. Otherwise a spammer who knows your .mail.protection.outlook.com address can deliver directly to mailboxes and skip filtering entirely. In M365 you do this with an inbound connector that identifies your gateway (by IP or certificate) plus a transport rule that rejects external mail arriving from anywhere else. Enabling Enhanced Filtering for Connectors (a.k.a. skip listing) is also worth it: it lets EOP see the true originating IP behind your gateway instead of treating Hermes as the source.
Outbound: route Microsoft 365 through Hermes
Create an outbound connector in Microsoft 365 that routes sent mail to Hermes as a smart host. Hermes then signs the message with DKIM, applies organizational disclaimers or signatures (Pro), enforces any encryption policy, and delivers to the internet. Routing outbound through one gateway is what makes DKIM signing and branding consistent for every sender in the org.
Getting email authentication right
This is where front-of-M365 deployments most often break, so it’s worth being deliberate.
- SPF. Because outbound mail now leaves from Hermes rather than directly from Microsoft, your SPF record must authorize the gateway’s sending IP (and you can drop include:spf.protection.outlook.com if mail no longer egresses M365 directly). Keep the record within the 10-DNS-lookup limit.
- DKIM. Hermes signs outbound mail with your domain’s DKIM key; publish the matching public key as a selector._domainkey.yourdomain TXT record so receivers can verify it.
- DMARC. With SPF and DKIM aligned through the gateway, publish a DMARC policy (start at p=none to monitor, then tighten to quarantine or reject).
- ARC. Enable ARC sealing on Hermes and register the gateway as a trusted ARC sealer with the Set-ArcConfig Exchange Online PowerShell cmdlet (e.g. Set-ArcConfig -Identity default -ArcTrustedSealers "yourgateway.example.com"), so M365 honors that seal instead of failing the message. Configure this and a whole class of “good mail landing in junk” problems disappears. → Trusted ARC Sealers. Microsoft 365
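The 10-DNS-lookup limit mentioned under SPF is easy to blow once a gateway include is added on top of the ones you already carry, and the check is mechanical. The following PowerShell is an added example, not Hermes or Microsoft code: it counts the lookup-triggering terms (include, redirect, a, mx, ptr, exists) in a draft record, recursing into includes. The $Zone hashtable is a constructed stand-in for DNS TXT answers so the script runs offline, 203.0.113.10 is a placeholder gateway IP, and the example-crm.test names are invented; once the record is published, replace the table lookup with Resolve-DnsName against live DNS.

```powershell
# Added example (not Hermes or Microsoft code): offline check of the SPF
# 10-DNS-lookup limit for a draft record. $Zone is a constructed stand-in
# for DNS TXT lookups; 203.0.113.10 is a placeholder gateway IP.
function Get-SpfLookupCount {
    param(
        [Parameter(Mandatory)] [string]    $Record,
        [Parameter(Mandatory)] [hashtable] $Zone,   # domain -> SPF TXT string
        [int] $Depth = 0
    )
    if ($Depth -gt 10) { throw 'include/redirect chain too deep' }
    $count = 0
    foreach ($term in ($Record -split '\s+')) {
        # Strip the qualifier (+ - ~ ?) and normalise the mechanism name.
        $t = ($term -replace '^[+\-~?]', '').ToLowerInvariant()
        switch -Regex ($t) {
            '^(include:|redirect=)(.+)$' {
                $count++                              # the include itself costs one lookup
                $target = $Matches[2]
                if ($Zone.ContainsKey($target)) {
                    # Lookups inside the included record count against the same limit.
                    $count += Get-SpfLookupCount -Record $Zone[$target] -Zone $Zone -Depth ($Depth + 1)
                } else {
                    Write-Warning "no SPF record for $target in the lookup table"
                }
            }
            '^(a|mx|ptr|exists)(:|/|$)' { $count++ }  # each of these is one DNS lookup
            default { }                               # v=spf1, ip4:, ip6:, all: no lookup
        }
    }
    return $count
}

# Constructed TXT data standing in for DNS answers (values are illustrative).
$Zone = @{
    'spf.protection.outlook.com' = 'v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip6:2a01:111:f400::/48 -all'
    '_spf.example-crm.test'      = 'v=spf1 include:_spf-a.example-crm.test include:_spf-b.example-crm.test ~all'
    '_spf-a.example-crm.test'    = 'v=spf1 ip4:198.51.100.0/24 -all'
    '_spf-b.example-crm.test'    = 'v=spf1 mx a -all'
}

# Before: Microsoft still listed as a direct sender alongside the gateway.
$before = 'v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com include:_spf.example-crm.test mx -all'
# After: outbound egresses only through Hermes, so the Microsoft include is dropped.
$after  = 'v=spf1 ip4:203.0.113.10 include:_spf.example-crm.test -all'

foreach ($pair in @(@('before', $before), @('after', $after))) {
    $n = Get-SpfLookupCount -Record $pair[1] -Zone $Zone
    $verdict = if ($n -gt 10) { 'OVER LIMIT' } else { 'ok' }
    '{0,-7} {1,2} lookups  {2}' -f $pair[0], $n, $verdict
}
```

With the constructed table the "before" record costs 7 lookups and the "after" record 5; the point is that the gateway's own ip4 term is free, while every include you keep for third-party senders drags its whole subtree along.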
What you’ll need
- A server or VPS to run Hermes (one Docker Compose stack, see installation).
- Control of your domain’s DNS (MX, SPF, DKIM, DMARC records).
- Microsoft 365 admin access (to create inbound/outbound connectors and a transport rule).
Step by step
- Stand up Hermes and complete first-run setup. → Installation
- Add your domain as a relay domain and set the delivery target to your tenant’s yourdomain-com.mail.protection.outlook.com endpoint. → Email Relay
- In Microsoft 365, create the connectors: an inbound connector that trusts your gateway, an outbound connector that smart-hosts to Hermes, and a transport rule that rejects external mail not coming from the gateway. Turn on Enhanced Filtering for Connectors.
- Set up authentication: publish SPF for the gateway, enable DKIM signing and publish the key, and add a DMARC record. → SPF Settings
- Configure ARC: enable ARC sealing on Hermes and add it as a trusted ARC sealer in M365. → Trusted ARC Sealers. Microsoft 365
- Repoint MX to Hermes once you’ve tested the flow (see cutover note below).
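The Microsoft 365 side of steps 3 and 5 (the inbound and outbound sections above) can be done in Exchange Online PowerShell rather than the admin center, which also leaves an auditable script. The block below is an added example, not Hermes documentation or Microsoft sample code: it assumes an Exchange Online PowerShell session (Connect-ExchangeOnline), a placeholder gateway IP 203.0.113.10, and a placeholder gateway hostname hermes.example.com that appears in the gateway's TLS certificate and ARC seals. Adjust the names and values to your tenant; the cmdlets and parameters are the standard Exchange Online ones.

```powershell
# Added example (not Hermes or Microsoft code). Assumed placeholders:
#   203.0.113.10        public IP of the Hermes gateway
#   hermes.example.com  gateway hostname in its TLS certificate and ARC seals
Connect-ExchangeOnline   # interactive sign-in to the tenant

$GatewayIp   = '203.0.113.10'
$GatewayFqdn = 'hermes.example.com'

# 1. Inbound connector: identifies the gateway by IP and certificate name and
#    lets EOP skip the gateway's hop when evaluating the true source IP
#    (Enhanced Filtering for Connectors, "skip last IP").
New-InboundConnector -Name 'Hermes inbound' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $GatewayIp `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -TlsSenderCertificateName $GatewayFqdn `
    -EFSkipLastIP $true

# 2. Transport rule: reject external mail that did not arrive through the
#    gateway, so delivering straight to the *.mail.protection.outlook.com
#    endpoint no longer bypasses filtering.
New-TransportRule -Name 'Reject external mail not from Hermes' `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $GatewayIp `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Direct delivery is not permitted; deliver to the MX host.'

# 3. Outbound connector: smart-host all outbound mail to the gateway over
#    validated TLS so Hermes can DKIM-sign, add disclaimers and apply
#    encryption policy before the message reaches the internet.
New-OutboundConnector -Name 'Hermes outbound' `
    -ConnectorType OnPremises `
    -RecipientDomains '*' `
    -UseMXRecord $false `
    -SmartHosts $GatewayFqdn `
    -TlsSettings CertificateValidation

# 4. Trust the gateway's ARC seal so EOP uses the sealed original SPF/DKIM
#    results instead of failing DMARC on the relayed copy.
Set-ArcConfig -Identity default -ArcTrustedSealers $GatewayFqdn

# 5. Read back the settings that matter for the lock-down before repointing MX.
Get-InboundConnector -Identity 'Hermes inbound' |
    Format-List SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls, EFSkipLastIP
Get-TransportRule -Identity 'Reject external mail not from Hermes' |
    Format-List FromScope, ExceptIfSenderIpRanges, State
Get-OutboundConnector -Identity 'Hermes outbound' |
    Format-List SmartHosts, UseMXRecord, TlsSettings
Get-ArcConfig | Format-List ArcTrustedSealers
```

Run it against a pilot tenant or with the transport rule created first and the MX still pointing at Microsoft: the rule only bites on mail that arrives outside the gateway's IP, so you can watch for unexpected rejections in message trace before the cutover. If the gateway sends from more than one IP, pass the full list to both -SenderIPAddresses and -ExceptIfSenderIpRanges, otherwise the rule will reject your own relayed mail.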
The exact, screen-by-screen Hermes configuration lives in the Administrator Guide. This page is the architecture and the decisions; the docs are the field-by-field reference.
Common pitfalls
- Leaving the tenant open. If you filter inbound but don’t restrict M365 to gateway-only delivery, attackers simply deliver direct to .mail.protection.outlook.com and bypass you.
- Skipping ARC. The single most common cause of legitimate mail failing DMARC after putting a gateway in front of M365.
- Stale SPF. Forgetting to authorize the gateway’s IP (or blowing the 10-lookup limit) causes your own outbound to fail SPF.
- Hard cutover. Flipping MX before testing, with a high DNS TTL, leaves no fast rollback.
A note on cutover
Email is production-critical, so don’t flip MX on a whim. Stand Hermes up in parallel, test inbound and outbound flow with a pilot domain or a few mailboxes, confirm spam/malware scoring plus SPF/DKIM/DMARC/ARC alignment, then cut over MX once you’re satisfied. Lower your DNS TTL ahead of time so you can roll back quickly if needed.
Try it
The Hermes Community Edition is free and open source. Pro adds time-of-click Link Guard and more, with a free trial, no credit card required.
