Creating an Inbound Connector for Staffbase Email in Exchange

Discover how to configure an inbound connector in Exchange for Staffbase Email.

Staffbase Email

To ensure Staffbase messages are treated as internal communications by your Exchange environment, you will need to configure a custom MAIL-FROM domain and create an Inbound Connector in the Exchange Admin Center.

Classifying these messages as internal simplifies your configuration and provides two key benefits:

  • Seamless UX and Analytics: External images and Staffbase tracking pixels will download automatically, requiring no manual user intervention.
  • Reduced Maintenance: Internal mail natively bypasses standard spam filtering, eliminating the need to create and maintain separate Transport Rules.

Follow the steps below to set up the custom MAIL-FROM domain and create the Inbound Connector.

  1. Verify the domain that you want Staffbase to send emails on behalf of.

  2. Decide on a sub-domain for the custom MAIL-FROM, based on the current sending domain configured for web-sending, and ensure that it is verified within the Microsoft Admin Center.

    Since we will be using this domain as a custom MAIL-FROM/Return-Path, the domain must be authorized to send on your behalf.

    • The MAIL FROM domain must be a subdomain of your verified domain. For example, mail.example.com is a valid MAIL FROM domain for the domain example.com.
    • The MAIL FROM domain shouldn’t be a subdomain that you also use to send email from. For example, if you send an email from the mail.example.com subdomain, you can’t use it as your MAIL FROM domain.
    • The MAIL FROM domain shouldn’t be a subdomain that you use to receive email.

  3. Create an MX and TXT record for the subdomain based on your hosting region:

  4. Once the MX record is in place, please reach out to your Customer Success Manager or Staffbase Support to notify us that the custom MAIL FROM domain is ready. We will then work with AWS to verify the domain and complete the setup on our end.

    Please note that AWS states verification can take up to 72 hours.

  5. Once we notify you that the custom MAIL FROM domain is enabled, you may proceed with the Inbound Connector setup.

    If you receive an error when connecting, you may need to download and import the ExchangeOnlineManagement module.

    Start by connecting to Exchange Online using this command:

    Terminal window
    Connect-ExchangeOnline -UserPrincipalName user@company.com

    You will be restricting this Inbound Connector to IP’s dedicated to Staffbase for security reasons. This will ensure incoming mail must match Staffbase’s dedicated IPs as well as the custom MAIL-FROM domain in order to be marked as internal.

  6. Create a variable for the dedicated IPs Staffbase uses, which will be used in the next command.

    Please refer to our allowlisting page to get the most up-to-date range for the available regions and update the give examples below:

  7. With the IP’s defined, you can now create the Connector. This Connector will need to be an On-Premise connector to allow the mail to be marked as Internal.

    Terminal window
    New-InboundConnector -Name "From_Staffbase_to_Company_as_Internal" -SenderIPAddresses $IPs -RestrictDomainsToIPAddresses $True -SenderDomains subdomain.company.com -TreatMessagesAsInternal $True -ConnectorType OnPremise -RequireTLS $True -Comment "To mark Staffbase Email as Internal email for Internal Communications."

    If successful, you will likely see this message:

    WARNING: This flag will allow all mail sent from your mail servers (also called on-premises server) to be treated as internal mail if the sender's domain matches one of your organization's domains in Office365. This is an alternative option for an organization that does not have Exchange 2010 and later deployed in their on-premises. This could have some implications, for example, mail treated as internal will not be scanned for spam. The new connector may take up to 30 minutes to become active. At that point, with the MAIL-FROM/Return Path and Inbound Connector configured, mail should now be delivered to recipients as internal, with images downloading automatically

Because not all additional options for Mail Connectors are available in the Exchange web portal, please complete this via PowerShell. This must be done by a user whose account has the necessary permissions to create Connectors.

Breakdown of the PowerShell command parameters.

CommandDescription
-NameSets the display name in the Exchange Admin Center.
-SenderIPAddresses $IPsRestricts the connector to only accept mail from specific IP addresses (defined in your $IPs variable).
-RestrictDomainsToIPAddresses $TrueA security “double-check”. It ensures that mail claiming to be from your subdomain must come from the IPs listed above.
-SenderDomains subdomain.company.comLimits this connector’s scope to mail sent from this specific subdomain.
-TreatMessagesAsInternal $TrueThis bypasses many spam filters and ensures the emails appear with “Internal” headers (like showing the user’s profile photo).
-ConnectorType OnPremiseTells Office 365 that the mail is coming from a “known” infrastructure (even if Staffbase is a SaaS, this setting is required to use the internal flag).
-RequireTLS $TrueMandates that the connection must be encrypted. If Staffbase tries to send via plain text, Exchange will reject it.