A Step-by-Step Implementation Tutorial For IT Admins
Email security is one of the most critical responsibilities for modern IT admins. With the rise in phishing, ransomware, spoofing, and malicious email attachments, businesses need strong cloud email protection.
Trend Micro Email Security (TMES) is a powerful cloud-based service that protects Microsoft 365 organizations from advanced email threats.
In this guide, you'll learn exactly how to configure Trend Micro Email Security (TMES) with Microsoft 365 using a simple, GUI-based, step-by-step process.
This is a full production-ready configuration, based on official Trend Micro documentation and real-world enterprise deployment experience.
What You Will Learn in This Guide
- What TMES is and how it protects Microsoft 365
- How to add & verify your domain in Trend Micro
- How to configure inbound & outbound email flow
- How to set up Microsoft 365 connectors
- How to update DNS (MX, SPF, DKIM, DMARC)
- Important security rules to enable
- Testing & final validation steps
Let's get started.
What Is Trend Micro Email Security (TMES)?
Trend Micro Email Security is a cloud service that filters:
- Spam
- Malware
- Ransomware
- Phishing
- Business Email Compromise (CEO Fraud)
- Malicious URLs
- Zero-day threats
It acts as a secure email gateway between the internet and Microsoft 365.
Email Flow After Integration:
Inbound: Internet → TMES → Microsoft 365 → User Mailbox
Outbound: Microsoft 365 → TMES → Internet
This gives maximum visibility and real-time threat protection.
PHASE 1 - Preparation Checklist
Before starting, ensure you have:
- Microsoft 365 Admin Access (Global Admin or Exchange Admin)
- Trend Micro Email Security Admin Login
- DNS Access (GoDaddy, Cloudflare, BigRock, Azure DNS, etc.)
- Your domain name. Example: company.com (You can find it in Microsoft 365 Admin Center → Settings → Domains)

PHASE 2 - Add Domain in TMES (GUI)
- Log in to the TMES portal: https://portal.mail.security.trendmicro.com
- Go to: Administration → Domain Management → Add Domain
- Enter your domain, e.g., company.com
- TMES shows a TXT record: TMES-verify=xxxxxxx
- Copy this value.

PHASE 3 - Add TMES TXT Record in DNS
Go to your DNS provider → DNS Records → Add New Record:
- Type: TXT
- Host: @
- Value: TMES-verify=xxxxxx
Save the record → return to TMES → click Verify.

PHASE 4 - Copy TMES Values (VERY IMPORTANT)
After verification, go to:
TMES → Administration → Domain Management → [Your Domain]
Copy these values:
- Inbound MX Record (region-based). Example: mx12345.tmep.trendmicro.com
- Outbound Smart Host. Example: outbound.mx12345.tmep.trendmicro.com
- TMES IP ranges (used for Microsoft 365 connectors)

PHASE 5 - Configure Microsoft 365 Inbound Connector
Microsoft 365 Admin Center →
Exchange Admin Center → Mail Flow → Connectors → Add
- From: Partner Organization
- To: Microsoft 365
- Name: TMES-Inbound
- Identify by: IP Address
- Add: All TMES IP Ranges
- Enable TLS
- Save
This ensures Microsoft 365 accepts email only from TMES.

PHASE 6 - Create Bypass Spam Rule in Microsoft 365
Exchange Admin Center →
Mail Flow → Rules → Add Rule
- Name: BypassSpamFromTMES
- Condition: Sender IP Address is TMES IPs
- Action: Bypass spam filtering (SCL = -1)
- Save
This prevents double-scanning by M365.

PHASE 7 - Disable Microsoft 365 SPF Hard-Fail
Go to:
Microsoft 365 → Security → Email & Collaboration → Anti-Spam Policies
Inside inbound spam policy:
Turn OFF → SPF Record Hard Fail
(This is recommended in Trend Micro’s official PDF.)

PHASE 8 - Optional: Lock Down Microsoft 365 (Enhanced Security)
Create a rule:
"Only allow email from TMES; block all direct inbound mail."
This prevents hackers from bypassing TMES.

PHASE 9 - DNS CUTOVER (MX, SPF, DKIM, DMARC)
1. Update MX to TMES
Example:
<tenant>.in.tmes-in.trendmicro.com
2. Update SPF
Add TMES to existing O365 SPF:
v=spf1 include:spf.protection.outlook.com include:spf.tmep.trendmicro.com -all
3. Add DMARC
v=DMARC1; p=quarantine; rua=mailto:dmarc@company.com;
4. Enable DKIM
- Add 2 CNAME records from O365
- Enable DKIM in Exchange Admin Center
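
The Phase 9 records can be sanity-checked before and after the cutover. The script below is an added example, not part of the original guide or of Trend Micro's tooling: it works offline on record strings you paste in from your DNS console, the function names are hypothetical, and it assumes every TMES MX host sits under trendmicro.com, as in the guide's examples.

```python
import re

# Include names are the ones given in this guide; sample records are constructed.
REQUIRED_INCLUDES = ("include:spf.protection.outlook.com",
                     "include:spf.tmep.trendmicro.com")
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt_records):
    """Return problems with the SPF policy among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # none means no policy; more than one is an SPF permerror
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    problems = [f"missing {inc}" for inc in REQUIRED_INCLUDES if inc not in terms]
    if not terms or terms[-1] not in ("-all", "~all"):
        problems.append("record does not end with -all or ~all")
    # Top-level count only; lookups inside each include also count toward 10.
    lookups = sum(re.split(r"[:/=]", t.lstrip("+-~?"))[0] in LOOKUP_TERMS
                  for t in terms)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the SPF limit of 10")
    return problems

def check_dmarc(record):
    """Return problems with the TXT record published at _dmarc.<domain>."""
    tags = [t.strip() for t in record.split(";") if t.strip()]
    pairs = {k.strip().lower(): v.strip()
             for k, v in (t.split("=", 1) for t in tags if "=" in t)}
    problems = []
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        problems.append("first tag must be v=DMARC1")
    policy = pairs.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none requests no action on failing mail")
    if "rua" not in pairs:
        problems.append("no rua= address, so no aggregate reports")
    return problems

def check_mx(mx_hosts):
    """Return problems with the MX set after the cutover to TMES."""
    hosts = [h.rstrip(".").lower() for h in mx_hosts]
    problems = [f"{h} is not under trendmicro.com, so mail to it skips TMES"
                for h in hosts if not h.endswith(".trendmicro.com")]
    return problems or ([] if hosts else ["no MX records"])
```

An empty list from each function means the record matches what this phase asks for; a leftover Microsoft 365 MX host is reported because it keeps a delivery path that does not pass through TMES.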

PHASE 10 - Configure TMES Inbound Protection
In TMES Portal:
Policies → Inbound Protection
Enable:
- Anti-Spam
- Malware Scanning
- URL Time-of-Click
- Attachment Security
- Zero-hour malware detection
- Impersonation Protection

PHASE 11 - Enable TMES Outbound
TMES →
Domain Management → Outbound Protection → Enable → Select Office 365

PHASE 12 - Microsoft 365 Outbound Connector
Exchange Admin Center →
Mail Flow → Connectors → Add
- From: Microsoft 365
- To: Partner Organization
- Smart Host: (paste outbound value from TMES)
- Require TLS
- Save

PHASE 13 - Create Outbound Routing Rule
Mail Flow → Rules → Add Rule
Condition:
- If recipient is outside the organization
Action:
- Route via → TMES-Outbound Connector

PHASE 14 - Testing
Inbound Test:
- Send from Gmail
- Send spam → should be quarantined
- Send EICAR test string → blocked
Outbound Test:
- Check if TMES headers appear
- Spoof protection working
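
For the inbound test and the Phase 8 lock-down, the headers of a delivered test message show whether it entered Microsoft 365 from a TMES address. The script below is an added example, not part of the original guide: the IP range is a documentation placeholder to be replaced with the TMES IP ranges from Phase 4, the edge host suffix is an assumption, and the sample messages are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Placeholder (RFC 5737 documentation block); use the TMES IP ranges from Phase 4.
TMES_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
# Assumption: the Microsoft 365 edge names itself under this suffix in "by".
M365_EDGE = ".mail.protection.outlook.com"
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9A-Fa-f:.]+)\]?\)\s+by\s+(\S+)")

def edge_hop(raw_message):
    """Return (announced_name, ip) for the hop that handed mail to Microsoft 365."""
    msg = message_from_string(raw_message)
    # Newest header first: the topmost edge line is the one Microsoft 365 wrote;
    # anything below it came with the message and is not trustworthy.
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m and m.group(3).lower().rstrip(";").endswith(M365_EDGE):
            try:
                return m.group(1), ipaddress.ip_address(m.group(2))
            except ValueError:
                return None
    return None

def arrived_via_tmes(raw_message):
    """True only if the connecting IP at the Microsoft 365 edge is a TMES address."""
    hop = edge_hop(raw_message)
    return hop is not None and any(hop[1] in net for net in TMES_RANGES)

# Constructed samples (names, addresses and dates are made up).
VIA_TMES = """\
Received: from mx12345.tmep.trendmicro.com (192.0.2.25) by
 EDGE01.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server;
 Mon, 1 Jan 2024 10:00:01 +0000
Received: from mail.sender.example (198.51.100.7) by
 mx12345.tmep.trendmicro.com; Mon, 1 Jan 2024 10:00:00 +0000
Subject: constructed sample

body
"""
DIRECT = VIA_TMES.replace("(192.0.2.25)", "(203.0.113.9)")
```

The check keys on the connecting IP rather than the host name in the Received line, because that name is whatever the sending server announced; the same IP test is what the Phase 5 connector and the Phase 6 rule rely on.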

PHASE 15 - Go Live
Monitor:
- TMES Dashboard
- Quarantine logs
- Microsoft 365 Message Trace
- False positives
Your integration is now 100% complete.

Final Thoughts
Trend Micro Email Security adds an essential extra layer of security beyond Microsoft 365's native protection. With proper configuration of:
- DNS
- Connectors
- Policies
- Routing rules
You ensure complete protection against modern email threats.
This step-by-step guide simplifies the entire process, making it easy for IT administrators to deploy the solution confidently in production.
