[Email Security] Add secure mail flow

Author: Maddy-Cloudflare

src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/gsuite-email-security-mx.mdx

@@ -64,4 +64,24 @@ If desired, you can create a separate quarantine for each of the dispositions.
 
 ## 4. Set up MX/Inline
 
-<Render file="email-security/deployment/set-up-mx-inline-step"/>
+<Render file="email-security/deployment/set-up-mx-inline-step"/>
+
+## 5. Secure your mail flow
+
+:::note
+This step should be performed after 72 hours for DNS propagation.
+:::
+
+After 72 hours, the MX record DNS update will have sufficiently propagated across the Internet. It is now safe to secure your email flow. This will ensure that Google only accepts messages that are first received by Email Security. This step is highly recommended to prevent threat actors from using cached MX entries to bypass Email Security by injecting messages directly into Gmail.
+
+To secure your mail flow:
+
+1. In the [Google Administrative Console](https://admin.google.com/), go to **Apps** > **Google Workspace** > **Gmail**.
+
+2. Select **Spam, Phishing and Malware**.
+
+3. Go to **Inbound gateway** and select **Edit Inbound gateway**.
+
+4. Enable **Reject all mail not from gateway IPs** and select **Save**.
+
+5. Select **Save** once more to commit and activate the configuration change in the Gmail advanced configuration console.

src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/index.mdx

@@ -105,4 +105,45 @@ To create the transport rules that will send emails with certain [dispositions](
 
 ## 5. Set up MX/Inline
 
-<Render file="email-security/deployment/set-up-mx-inline-step"/>
+<Render file="email-security/deployment/set-up-mx-inline-step"/>
+
+## 6. (Recommended) Secure Microsoft 365 from MX records bypass
+
+One method of DNS attacks is to search for old MX records and send <GlossaryTooltip term="phishing">phishing</GlossaryTooltip> emails directly to the mail server. To secure the email flow, you will want to enforce an email flow where inbound messages are accepted by Office 365 only when they originate from Email Security. This can be done by adding a connector to only allow email from Email Security with TLS encryption. This step is optional but recommended.
+
+:::caution[Important]
+This step should be performed 72 hours after all domains (excluding your `<on_microsoft.com>` domain) in your Microsoft 365 organization have been onboarded to Email Security, and Email Security is their MX record. If a domain has not been onboarded or DNS is still propagating, you will impact production email flow for that domain.
+:::
+
+#### Create Connector
+
+1. Go to the new [Exchange admin center](https://admin.exchange.microsoft.com/#/homepage).
+
+2. Go to **Mail flow** > **Connectors**.
+
+3. Select **Add a connector**.
+
+4. Go to **Connection from** > **Partner organization**.
+
+5. Select **Next**.
+
+6. Set the following options:
+
+   - **Name** - `Secure M365 Inbound`
+   - **Description** - `Only accept inbound email from Email Security`
+
+7. Select **Next**.
+
+8. Make sure **By Verifying that the sender domain matches one of the following domains** is selected.
+
+9. Enter `*` in the text field, and select **+**.
+
+10. Select **Next**.
+
+11. Make sure **Reject email messages if they aren't sent over TLS** is selected.
+
+12. Still in the same screen, select **Reject email messages if they aren't sent from within this IP address range**, and enter all the egress IPs in the [Egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.
+
+13. Select **Next**.
+
+14. Review your settings and select **Create connector**.