Currently, we do not recommend that Umbrella filtering be used by an MTA (Mail Transfer Agent) that is handling email. It is not a supported configuration and unexpected results will occur.
There are several reasons to avoid using Umbrella filtering on your MTA. Below we cover these briefly.
- Categorization filtering rules can block legitimate mail. For example, an email to email@example.com will be blocked if Social Media category is not allowed. The mail delivery may be legitimate, but you want to block employees from using Facebook.
- Security filtering: domains may be blocked for a Security Threat; however, email is still desired to be sent to this domain. This can occur when a site is temporarily compromised and is flagged for Malware but still needs to have mail send to it's domain.
- Due to the large number of queries that can occur from our DNS resolvers, some DNSBLs do not allow queries from us. This will potentially affect your spam catch rate.
Unfortunately, due to the way our services interact with MTA's, there currently is no solution for them benefiting from our protective services. As such, you could have them assigned to an identity in your policies that has no filtering, utilize your ISP's or another DNS service.
The following article (step 6) deals with the configuration of DNS in Exchange 2010: