cloudflare · Maddy-Cloudflare · Jun 24, 2025 · Jun 25, 2025 · Jun 25, 2025 · Jun 25, 2025
@@ -0,0 +1,19 @@
+---
+title: Microsoft 365 GCC
+pcx_content_type: reference
+sidebar:
+  order: 4
+head:
+  - tag: title
+    content: Microsoft 365 Government Community Cloud
+
+---
+
+import { Render } from "~/components"
+
+
+Microsoft 365 Government Community Cloud (GCC) is designed to meet the requirements of the US government. GCC Low and GCC High are two tiers of GCC, each with different security and compliance requirements.
+
+GCC Low is intended for use by US government organizations that handle sensitive but unclassified data, and have less stringent compliance requirements.
+
+Email Security supports GCC Low environments.
@@ -11,7 +11,13 @@ When you receive an email, the email lands on your Microsoft 365 inbox, and then
 
 ![Email flow when setting up Microsoft 365 with Email Security.](~/assets/images/email-security/deployment/api-setup/journaling/Email_Security_MS365_Journaling_Diagram.png)
 
-To enable Microsoft 365 journaling deployment:
+Before you can [enable Email Security](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/#enable-email-security), you will have to configure your email environment in your Microsoft 365 account.
+
+<Render file="email-security/deployment/m365-gcc" />
+
+## Enable Email Security via the dashboard
+
+To enable Email Security journaling deployment:
 
 1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
 2. Select **Zero Trust**.
@@ -20,9 +26,9 @@ To enable Microsoft 365 journaling deployment:
 5. Select **BCC/Journaling**.
 6. Select **Integrate with MS** > **Authorize**.
 
-## Integrate with Microsoft 365
+### 1. Integrate with Microsoft 365
 
-To integrate with Microsoft 365:
+To integrate Email Security with Microsoft 365:
 
 1. **Name integration**: Add your integration name, then select **Continue**.
 2. **Authorize integration**:
@@ -35,15 +41,15 @@ To integrate with Microsoft 365:
 
 Continue with [Connect your domains](#connect-your-domains) for the next steps.
 
-### Connect your domains
+### 2. Connect your domains
 
 On the **Set up Email Security** page:
 
 1. **Connect domains**: Select at least one domain. Then, select **Continue**.
 2. (**Optional**) **Add manual domains**: Select **Add domain name** to manually enter additional domains. Then, select **Continue**.
 3. (**Optional**) **Adjust hop count**: Enter the number of <GlossaryTooltip term="Hops">hops</GlossaryTooltip>. Then, select **Continue**.
 4. (**Optional**, select **Skip for now** to skip this step) **Move messages**: Refer to [Auto-moves](/cloudflare-one/email-security/auto-moves/) to configure auto-moves. Then, select **Continue**.
-5. **Configure service address with your third party email provider**: Copy and paste the service address into your third-party email provider to allow BCC/Journaling: `<account tag>@CF-emailsecurity.com`.
+5. **Configure service address with your third party email provider**: Copy and paste the service address into your third-party email provider to allow BCC/Journaling: `<account tag>@CF-emailsecurity.com`. You will need this address to [configure journal rule](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/#2-configure-journal-rule).
 6. **Review details**: Review your connected domains. Then, select **Go to domains.**
 
 Your domains are now added successfully.
@@ -53,6 +59,17 @@ To view your connected domains:
 1. Go to **Settings**.
 2. Locate your domain, select the three dots > **View domain**. Selecting **View domain** will display information about your domain.
 
-## Next steps
+### 3. Enable logs
+
+<Render file="email-security/enable-logs" />
+
+Now that you have completed your setup on the Zero Trust dashboard, you will have to configure your Microsoft environment to allow messages to be processed.
+
+## Configure your Microsoft 365 environment
+
+<Render file="email-security/deployment/journaling-connector" />
+
+## Geographic locations
+
+<Render file="email-security/deployment/bcc-table-geographic-locations" />
 
-<Render file="email-security/enable-logs" />
@@ -0,0 +1,17 @@
+---
+{}
+
+---
+
+Select from the following BCC addresses to process email in the correct geographic location:
+
+| Host                                        | Location                | Note                                                                                                               |
+| ---------------------------------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| `<customer_name>@journaling.mxrecord.io`                               | US                      | Best option to ensure all email traffic processing happens US data centers.                                        |
+| `<customer_name>@journaling.mailstream-eu-primary.mxrecord.io`         | EU                      | Best option to ensure all email traffic processing happens in Germany, with backup to US data centers.           |
+| `<customer_name>@journaling.mailstream-eu1.mxrecord.io`                | EU                      | Best option to ensure all email traffic processing happens within the EU without backup to US data centers.      |
+| `<customer_name>@journaling.mailstream-bom.mxrecord.mx`                | India                   | Best option to ensure all email traffic processing happens within India.                                           |
+| `<customer_name>@journaling.mailstream-india-primary.mxrecord.mx`      | India                   | Same as `mailstream-bom.mxrecord.mx`, with backup to US data centers.                                            |
+| `<customer_name>@journaling.mailstream-asia.mxrecord.mx`               | India                   | Best option to ensure all email traffic processing happens in India, with Australia data centers as backup.                                                            |
+| `<customer_name>@journaling.mailstream-syd.area1.cloudflare.net`       | Australia / New Zealand | Best option to ensure all email traffic processing happens within Australia.                                       |
+| `<customer_name>@journaling.mailstream-australia.area1.cloudflare.net` | Australia / New Zealand | Best option to ensure all email traffic processing happens in Australia, with India and US data centers as backup. |
@@ -0,0 +1,136 @@
+---
+{}
+
+---
+
+### 1. Configure connector for delivery to Email Security (if required)
+
+:::note
+Email Security only scans inbound emails.
+:::
+
+If your email architecture does not include an outbound gateway, you can skip this step and [proceed to the next one](#2-configure-journal-rule).
+
+On the other hand, if your email architecture requires outbound messages to traverse your email gateway, you may want to consider configuring a connector to send the journal messages directly to Email Security.
+
+1. Log in to the [Exchange admin center](https://admin.exchange.microsoft.com), and go to **Mail flow** > **Connectors**.
+
+2. Select **Add a connector**.
+
+3. Configure the new connector as follows:
+   - **Connection From**: Microsoft 365
+   - **Connection to**: Partner Organization
+
+4. Select **Next**.
+
+5. Configure the connector as follows:
+   - **Name**: `Deliver journal directly to Email Security`
+   - **Description**: `Deliver journal directly to Email Security`
+   - **Turn it on**: Enabled.
+
+6. Select **Next**.
+
+7. Configure the **Use of connector** setting as follows:
+   - Select **Only when email messages are sent to these domains**.
+   - In the text field, enter `<account tag>@cf-emailsecurity.com` as the host address, and select **+** to add the domain.
+
+8. Select **Next**.
+
+9. Configure the **Routing** setting as follows:
+   - Select **Route email through these smart hosts**.
+   - In the text field, enter `<account tag>@cf-emailsecurity.com` as the [smart host](https://en.wikipedia.org/wiki/Smart_host) address, and select **+** to add the domain.
+
+10. Select **Next**.
+
+11. In **Security restrictions**, you need to keep the default TLS configuration. Review the following settings:
+    - Make sure the **Always use Transport Layer Security (TLS) to secure the connection (recommended)** checkbox is selected.
+    - In **Connect only if the recipients email server certificate matches this criteria** select **Issued by a trusted certificate authority (CA)**.
+
+12. Select **Next**.
+
+13. You need to validate the connector by using your tenant's specific journaling address. To find this address:
+
+      - In [Zero Trust](https://one.dash.cloudflare.com/), go to **Email Security**.
+      - Go to **Settings** and locate your domain under **Your domains**.
+      - Select the three dots > **View domain** > **Service address**. Copy and paste the service address.
+
+14. Add the address and select **Validate**.
+
+15. Once the validation completes, you should receive a **Succeed** status for all the tasks. Select **Next**.
+
+16. Review the configuration and select **Create connector**.
+
+Your connector is now active. You can find it in **Exchange admin center** > **Mail flow** > **Connectors**.
+
+### 2. Configure journal rule 
+
+1. Log in to the [Microsoft Purview compliance portal](https://compliance.microsoft.com/homepage).
+
+2. Go to **Data lifecycle management** > **Exchange (legacy)**.
+
+3. Select **Settings** (the gear icon).
+
+4. In **Send undeliverable journal reports to** enter the email address of a valid user account. Note that you cannot use a team or group address.
+
+5. Select **Save**.
+
+6. Still in the Exchange (legacy) screen, select **Journal Rules**.
+
+7. Select **New rule** to configure a journaling rule, and configure it as follows:
+
+   - **Send journal reports to**: This address is specific to each customer tenant. To find this address:
+      - In [Zero Trust](https://one.dash.cloudflare.com/), go to **Email Security**.
+      - Go to **Settings** and locate your domain under **Your domains**.
+      - Select the three dots > **View domain** > **Service address**. Copy and paste the service address.
+
+   - **Journal Rule Name**: `Journal Messages to Cloudflare Email Security`
+   - **Journal messages sent or received from**: *Everyone*
+   - **Type of message to journal**: *External messages only*
+
+8. Select **Next**.
+
+9. Verify the information is correct, and select **Submit** > **Done**.
+
+Once saved, the rule is automatically active. However, it may take a few minutes for the configuration to propagate and start pushing messages to Email Security. After it propagates, you can access Email Security in the [Zero Trust dashboard](https://one.dash.cloudflare.com/) to check the number of messages processed. This number will grow as journaled messages are sent to Email Security from your Exchange server.
+
+Refer to [Email monitoring](/cloudflare-one/email-security/email-monitoring/) to monitor your inbox.
+
+### 3. Compliance
+
+#### Create Microsoft 365 distribution lists
+
+For compliance purposes, you might be required to process emails in certain geographic regions such as India or the EU. If that is your case, you should [create Microsoft 365 distribution groups](https://learn.microsoft.com/en-us/microsoft-365/admin/setup/create-distribution-lists?view=o365-worldwide#create-a-distribution-group-list) for each geographic region where you need to process your emails, before configuring your journal rule.
+
+#### Configure journal rule
+
+After creating the distribution groups based on regions for your users, configure your journal rule:
+
+1. Log in to the [Microsoft Purview compliance portal](https://compliance.microsoft.com/homepage).
+
+2. Go to **Data lifecycle management** > **Exchange (legacy)**.
+
+3. Select **Settings** (the gear icon).
+
+4. In **Send undeliverable journal reports to** enter the email address of a valid user account. Note that you cannot use a team or group address.
+
+
+5. Select **Save**.
+
+6. Still in the Exchange (legacy) screen, select **Journal Rules**.
+
+7. Select **New rule** to configure a journaling rule, and configure it as follows:
+
+   - **Send journal reports to**: This address is specific to each customer tenant. To find this address:
+      - In [Zero Trust](https://one.dash.cloudflare.com/), go to **Email Security**.
+      - Go to **Settings** and locate your domain under **Your domains**.
+      - Select the three dots > **View domain** > **Service address**. Copy and paste the service address. 
+   If you need to process emails in certain geographic regions, refer to the [Geographic locations](#geographic-locations) table for more information on what address you should use.
+   - **Journal Rule Name**: `Journal Messages to Cloudflare Email Security`
+   - **Journal messages sent or received from**: *A specific user or group* and select the user group you [created above](#3-compliance).
+   - **Type of message to journal**: *External messages only*
+
+8. Select **Next**.
+
+9. Verify the information is correct, and select **Submit** > **Done**.
+
+Once saved, the rule is automatically active. However, it may take a few minutes for the configuration to propagate and start pushing messages to Email Security. After it propagates, you can access the Email Security dashboard to check the number of messages processed. This number will grow as journaled messages are sent to Email Security from your Exchange server.
@@ -0,0 +1,8 @@
+---
+{}
+
+---
+
+:::note
+Email Security supports Microsoft 365 Government Community Cloud (GCC). Refer to [Microsoft 365 Government Community Cloud](/cloudflare-one/email-security/reference/m365-gcc/) for more information.
+:::