Steps on how to ensure Microsoft Office 365 is locked down to only accept connections from Symantec Email Cloud IP ranges. 

To restrict the flow of email between your Office 365 organization and the Symantec.cloud service, set up connectors in Exchange Online or Exchange Online Protection (EOP) to use only the Symantec.cloud IP address range.

To specify multiple IP addresses, use Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 32.

Note: By configuring the connector in this manner, any email that does not originate from Symantec.cloud IP address ranges will be rejected.

To require that all email is sent from a specific IP address range

1. In Office 365, click Admin > Exchange to go to the Exchange Admin Center.
2. Click mail flow.
3. Click connectors.
4. Click the plus symbol (+) to create a new connector.
5. On the first screen, choose the following options:
   • From: Partner organization
   • To: Office 365
6. Click Next.
7. Under How to you want to identify the partner organization, select Use the sender's IP address..
8. Check Reject email messages if they aren't from within this IP address range.
9. Click the plus symbol (+).
10. In the add ip address dialog box, enter the Symantec.cloud IP address ranges, in CIDR notation, as shown in Table 1.
11. Click the plus symbol (+) again to enter additional Symantec.cloud IP address ranges, in CIDR notation, until you have entered all Symantec.cloud IP address ranges in Table 1.

IPV4 IP addresses and Classless Inter-Domain Routing (CIDR)

IPV4 IP addresses must be specified in the format nnn.nnn.nnn.nnn, where nnn is a number from 0 to 255.

You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 32, as shown in Table 1. To help you with this, we have provided all Symantec.cloud IP address ranges up to /24 for each region below.

Table 1 Symantec.cloud IP address ranges to /24 - All regions

Creating connectors using a PowerShell script

To speed up the process of entering IP addresses, you can use the following PowerShell script.

Note: We recommend that you use the Exchange Online PowerShell V2 module to connect to Exchange Online PowerShell.

<#

Synopsis

    This script contains all Symantec.cloud IP address ranges converted to a Classless Inter-Domain Routing (CIDR) range of IP addresses to /24, allowing for quick entry into Office 365.

    Note: Office 365 allows CIDR ranges from /24 to /32.

Description
    This script creates a new connector for Office 365 that is restricted to Symantec.cloud IP addresses based on http://www.symantec.com/docs/INFO4532.

    The connector is named "Symantec.cloud IP Address Ranges".

Notes
   
    - When prompted for a username and password, enter your Office 365 admin credentials.
    - New connectors will be disabled by default.

 #>

Set-ExecutionPolicy RemoteSigned -Force

#Checks if the ExchangeOnlineManagement module is present
if (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {
    Import-Module ExchangeOnlineManagement
} 
else {
    Install-Module ExchangeOnlineManagement
}

$UserCredential = Connect-ExchangeOnline

New-InboundConnector -Enable $False -Name "Symantec.cloud IP Address Ranges" -SenderDomains *  -RestrictDomainsToIPAddresses $true  -RequireTls  $false -SenderIPAddresses 216.82.240.0/24, 216.82.241.0/24, 216.82.242.0/24, 216.82.243.0/24, 216.82.244.0/24, 216.82.245.0/24, 216.82.246.0/24, 216.82.247.0/24, 216.82.248.0/24, 216.82.249.0/24, 216.82.250.0/24, 216.82.251.0/24, 216.82.252.0/24, 216.82.253.0/24, 216.82.254.0/24, 216.82.255.0/24, 67.219.240.0/24, 67.219.241.0/24, 67.219.242.0/24, 67.219.243.0/24, 67.219.244.0/24, 67.219.245.0/24, 67.219.246.0/24, 67.219.247.0/24, 67.219.248.0/24, 67.219.249.0/24, 67.219.250.0/24, 67.219.251.0/24, 67.219.252.0/24, 67.219.253.0/24, 67.219.254.0/24, 67.219.255.0/24, 85.158.136.0/24, 85.158.137.0/24, 85.158.138.0/24, 85.158.139.0/24, 85.158.140.0/24, 85.158.141.0/24, 85.158.142.0/24, 85.158.143.0/24, 95.131.104.0/24, 95.131.105.0/24, 95.131.106.0/24, 95.131.107.0/24, 95.131.108.0/24, 95.131.109.0/24, 95.131.110.0/24, 95.131.111.0/24, 46.226.48.0/24, 46.226.49.0/24, 46.226.50.0/24, 46.226.51.0/24, 46.226.52.0/24, 46.226.53.0/24, 46.226.54.0/24, 46.226.55.0/24, 117.120.16.0/24, 117.120.17.0/24, 117.120.18.0/24, 117.120.19.0/24, 117.120.20.0/24, 117.120.21.0/24, 117.120.22.0/24, 117.120.23.0/24, 193.109.254.0/24, 193.109.255.0/24, 194.106.220.0/24, 194.106.221.0/24, 195.245.230.0/24, 195.245.231.0/24, 103.9.96.0/24, 103.9.97.0/24, 103.9.98.0/24, 103.9.99.0/24

Disconnect-ExchangeOnline -Confirm:$false -InformationAction Ignore -ErrorAction SilentlyContinue

Additional information

See Configure mail flow using connectors in Office 365 at Microsoft.com for more information.

See Set up connectors for secure mail flow with a partner organization at Microsoft.com for more information.

See Additional considerations when configuring IP Allow lists at Microsoft.com to specify ranges outside of the 24 to 32 range.