O365 mail setup - separate domain

As a new small church, we have and are using our own domain and email on that domain. (nalcwc.org). We have been granted a license to O365 and have started setting it up, primarily for OneDrive. OneDrive is functional and working for a few but having issues with emails not getting delivered.

We set up the O365 account using the same domain (nalcwc.org). If we try to send a link to OneDrive, the email never gets delivered. If we use the ‘Outlook’ button to share, then the link gets delivered, but the user generally has issues getting into OneDrive.

We’ve been looking for a ‘how-to’ site on setting O365 up. We know enough about Exchange/Sharepoint/Azure to get us in trouble.

Any helpful tips, pointers or reasonable-cost consultants to help us thru these hurdles. As I said, we are a new, small church and our budget is pretty tight. The email system thru our host is working well, it’s just the Microsoft O365 that we’re having issues with.

Thanks

Paul Proefrock

I would suggest at least adding Microsoft to your SPF records if the OneDrive emails you’re referring to are spoofing your domain currently.

We have our email provided by Microsoft, and I would assume (but I’m far from an expert) that perhaps that’s part of the issue you’re running into - trying to use email features of Microsoft without having your email provided by Microsoft.

If you are looking to just get the basics of M365 setup, we do the basic setup pro-bono for upstart churches: https://geekout.biz/

Looking at your domain, I can see that you don’t have the MX servers set to Microsoft: Network Tools: DNS,IP,Email

By the looks of it, you are missing the SPF records as well… you only have Mailchimp as a valid sender: Network Tools: DNS,IP,Email

That’s all pretty straightforward to change the records and it will give you guidance if you go to https://admin.microsoft.com and then go to settings (the gear icon) and then click “Domains” then select or add your domain and make sure to do all the changes they indicate.

Like I said, we do pro-bono basic M365 setup for upstart churches to help them get off on the right foot. Our time zones are a bit opposite though so if you need to talk at a time outside our usual hours, let me know.

Guys, thanks for your input, it has helped to identify the issues.

Isaac, we enabled the suggestions you put out; however, you may have misunderstood our intentions. With those settings in place, mail to ???@nalcwc.org is now being handled and received by Microsoft. We want to have any email generated within Microsoft forwarded to our mail server. I’ve had to disable the changes to keep our mail system functioning.

We’re still digging thru this.

Thanks for any input

Paul

Ah, I see, I’m afraid that’s not really something I would advise. Typically Microsoft is the more reliable email service and the licensing is more than ample so churches use them for sending and receiving all their email. In fact the OneDrive link sharing is really envisioned within the context of using M365 as the email and communications/collaboration platform. :thinking:

Is there any particular technical or logistical reason you don’t want to transfer mail to M365 and start working with M365 as your church’s technology platform? I’d highly recommend transferring given the breadth and width of what you can do when Exchange Online is the email platform.

Isaac, thanks for your support and getting me to rethink all this.

We (I) shied away from Outlook/Exchange probably because we didn’t know it other than as a client app, and thought our existing way might be easier and add less complexity. Probably an incorrect assumption as I now look at all the issues we ran into. I’ve learned how to forward out of Outlook and assume I can use this for those who don’t want to use the app or site. Is that a correct assumption?

We will enable the MX record and give it a try. Any other items we should be aware of or take a look at?

Again, thanks for your help

Paul

I am strongly of the opinion that you will create more problems than you solve by trying to use two email systems in any manner.

I would recommend leaving the MX records with your current provider until you, your leadership team, and anyone else that needs to be involved in such decisions can discuss it. Ultimately, I would assume you’d want to make a plan to move to Office/Microsoft 365, and make sure documentation and such is in place to make it a smooth transition when the cut-over date comes.

As you’re new to a lot of this, I’d also recommend working with one of the CITN vendors throughout that process - including the planning phases - to make sure everything goes smoothly and everyone is on the same page.

Another thought would be when/if you have a contract expiring with your current email provider - it may be convenient to cut over maybe a month before the annual contract ends - so that you’re “getting your money’s worth” so to speak, and so that if anyone is hesitant about the change, you can mention that the contract was needing to end or be renewed anyway, so what better time?

You can forward, but as of sometime around October 2020 you have to expressly allow auto-forwarding. The reason being that Microsoft 365 has protections against business email compromises (BEC)… which is awesome, I’ve been called in to clean up after some nasty financial scams in churches/missions agencies that were BECs… up to $400,000 USD lost!

As for sending emails, you mainly need to make sure all the allowed sending sources are in the SPF record: Mailchimp, M365, your ChMS, and anything else that you need to send from. If they aren’t at least on the SPF (and preferably also DKIM) DNS records then they’ll end up in spam/junk/quarantine folders.

For the most part, the best experience tends to be considerably better to get everyone using M365 either via Outlook (desktop/web/mobile) and Exchange Online. I’ve helped a lot of churches move off of things like their webhosting email and most take to it pretty easily and would never be willing to go back. :wink:

Aside from the user experience, you’ll get a lot of bonuses in terms of protection, particularly if you keep the requirement for modern auth applications and multi factor authentication (MFA). That being said, there are a lot of bonuses from a myriad of angles be they compliance, legal holds, data loss prevention, anti-spam, anti-phishing, etc.

Eventually you’ll want to take advantage of most of the tools available in M365 Business Premium, the best way to do that is to start with moving through the secure score and knocking off high value stuff like MFA. Later you’ll want to use Intune to set some basic computer and mobile device policies.

Alternatively, you can engage any of the service providers that frequent here, we are pretty blessed in that all the service providers you’ll bump into are very competent with M365. I mostly do Asia-Pacific right now but I believe the other folks are all Bible-belt located and are servicing the entirety of the USA. :thinking:

1 Like
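Isaac’s point above that every allowed sending source (Mailchimp, M365, the ChMS) has to be in the SPF record, together with the earlier observation that the domain’s record currently lists only Mailchimp, can be checked with a small SPF audit. This is an added example, not code from anyone in the thread: it walks a record and its nested `include:` terms, counts them against the RFC 7208 lookup budget, and reports which required senders are missing. The TXT answers below are constructed stand-ins (the `servers.mcsv.net` and `spf.protection.outlook.com` include names are the real Mailchimp and Microsoft 365 ones, but the contents attached to them here are invented) and `church.example` is a placeholder domain.

```python
import re
from typing import Callable, List
# RFC 7208: each of these costs a DNS lookup; more than 10 in total is a PermError,
# which receivers treat much like having no SPF record at all.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
def parse_spf(record: str) -> List[str]:
    """Return the terms of an SPF TXT record, or [] if it is not one."""
    terms = record.strip().split()
    return terms[1:] if terms and terms[0].lower() == "v=spf1" else []
def audit_spf(domain: str, resolve_txt: Callable[[str], str], required: List[str]) -> dict:
    """Walk the record and its nested includes; report which required senders are
    missing, how many lookups the record costs, and the top-level 'all' qualifier."""
    seen, includes, lookups, all_qualifier = set(), set(), 0, None

    def walk(name: str) -> None:
        nonlocal lookups, all_qualifier
        if name in seen:                      # guard against include loops
            return
        seen.add(name)
        for term in parse_spf(resolve_txt(name)):
            qualifier = term[0] if term[0] in "+-~?" else "+"
            body = term.lstrip("+-~?").lower()
            mech = re.split(r"[:=/]", body, maxsplit=1)[0]
            if mech in LOOKUP_TERMS:
                lookups += 1
            if mech in ("include", "redirect"):
                target = body.split(":" if mech == "include" else "=", 1)[1]
                includes.add(target)
                walk(target)
            elif mech == "all" and name == domain:
                all_qualifier = qualifier      # only the top-level 'all' decides

    walk(domain)
    return {"includes": sorted(includes), "lookups": lookups,
            "too_many_lookups": lookups > 10, "all": all_qualifier,
            "missing": [r for r in required if r not in includes]}
# Constructed TXT answers standing in for live DNS. The two include names are the
# real Mailchimp and Microsoft 365 ones; the contents attached to them are not.
RECORDS = {
    "church.example": "v=spf1 include:servers.mcsv.net ~all",
    "church-fixed.example": "v=spf1 include:servers.mcsv.net include:spf.protection.outlook.com -all",
    "servers.mcsv.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 include:spfd.protection.outlook.com -all",
    "spfd.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
}
REQUIRED = ["servers.mcsv.net", "spf.protection.outlook.com"]
def lookup_txt(name: str) -> str:
    return RECORDS.get(name, "")   # empty string == no SPF published
```

Against a live domain, swap `lookup_txt` for a function that fetches the domain’s TXT record (for example with dnspython) and keep an eye on the lookup count as more senders are added.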

Isaac,
thanks so much for your insight, it has really helped. We’re meeting this week to discuss and have put all on hold till we put together a plan. I’ve also reached out to a couple of consultants and will have their input also.

Have you ever seen a ‘hit list’ of setup to-dos for O365? Maybe a roadmap for newbies like us to at least consider and learn as we get more familiar with this tool?

Thanks

One of the really fun quirks you’re likely to encounter as you set it up is that once your domain is active within the O365 ecosystem, any mail originating from within O365 (anywhere, any tenant, not just you) will ignore MX records and attempt to deliver internally. This is especially problematic if you’re still on an external mail system and need things like notifications to go through. The workaround for this is to set up an Exchange transport rule so that any email that doesn’t have a local user gets sent on to a different server, at which point you can put in your current MX server and it will deliver directly. Once you do that, you can set your MX records to O365, and then as you move users over, any migrated users will get it on O365, and everything else will go to the legacy mail server.

1 Like

There are a few, one of the better guides is Alex Fields’ guides: Best Practices by ITProMentor - Microsoft Cloud Training

Otherwise, the Microsoft 365 Security documentation is very good: Zero Trust identity and device access configurations - Microsoft 365 for enterprise | Microsoft Learn

At the end of the day, since you have M365, your consultants should have established the baseline protection level as well.

Hi Paul

I hope that you are well, I will try to keep this short and sweet for you.

  • Sometimes the path of least resistance is the easiest to tread, and in this case that would be a full cut-off migration to using Microsoft 365 email.
  • This will also help you to secure your email systems for the cyber threat climate in 2021. The number one priority being to implement MFA.
  • Microsoft has free tools to migrate existing emails via secure IMAP, alternatively if this is not available low-cost third party migration tools exist.
  • Do consider that Microsoft 365 does not include data backups for things like malicious/accidental deletion OR cyber security against advanced email attacks.

We have supplied thousands of Microsoft Cloud licenses over the years.

Unlike many consultants on this side of the pond we also have a keen focus on securing Microsoft 365 which is equally important.

I hope this advice reaches you well, and I am happy to contribute a bit of free advice, please reach out to me if desired.

To be fair, the Microsoft 365 Business Premium donations do include Microsoft Defender for Office 365 P1, it’s not best-in-class per se when it comes to email cybersecurity, but it is solid; constantly improving; and configuring it for anti-phishing, safe attachments, and safe links is a great starting point for small churches. :wink:

I wasn’t aware that Microsoft was giving churches M365 BP for free - that certainly helps!

Yes, agreed Microsoft Defender for Office 365 is definitely a big step in the right direction. Office 365 ATP P1 was a snappier name though.

Of course OP will need to migrate to M365 email to benefit. And they’ll still ideally need an external backup service.

The nice thing I suppose about Microsoft Defender for O365 is that it’s a native/API-integrated solution.

So it still leaves room for a good old email security gateway if desired. Cloud-native edge services from providers like Barracuda or even SpamTitan are cheap.

Can’t block everything. We currently have four email security layers from top vendors and still on the very odd occasion something gets through, usually a zero-day BEC.

I’ll probably add the new Cisco CMD service when it becomes available under NFR and then we’ll be rocking five. Yes I’m that sad.