This is a very interesting scenario, and I guess a common one for all Office 365 hybrid configurations with DMARC enabled. I recently faced this issue, had to dig into several tools and troubleshooting techniques, and contacted the Microsoft support team for the best solution after identifying the problem.
In an Office 365 hybrid solution (where you have online users/mailboxes and on-premises users/mailboxes), online mail users reported that they were not receiving Non-Delivery Report (NDR) mails from on-premises servers/users.
For example, if the on-premises user's mailbox is full, or if the online user sent an email with an attachment larger than the on-premises server's attachment limit, they never receive the NDR and accordingly assume their mail was delivered, which later turns out to be wrong.
To identify the root cause of this problem, I started troubleshooting as follows:
- Checked the on-premises servers for the email sent by the online user and for any response, using the PowerShell cmdlet Get-MessageTrackingLog; an undeliverable mail (NDR) had been generated and sent to the online user.
- Since the mail wasn't received in the online user's mailbox, I went and checked the Quarantine queue (Office 365 – Admin Centers – Exchange – Protection – Quarantine), used Advanced search, entered the email address of the online user in "Recipient mail address", and found the mail quarantined in his queue.
- The mail was quarantined because it was classified as SPAM (check the above image), so the next step was to check the message header by clicking "View message header" (check the above image).
- Copied the content of the message header and fired up the Microsoft Message Header Analyzer tab at the bottom to analyze the header for further details.
- A few important things to note from the message analyzer are as follows (check the below image):
- Spam Confidence Level (SCL) is 9, which is the highest score.
- It was filtered by SKS (transport rules). Check this link for more details on the anti-spam message headers and their meaning: https://technet.microsoft.com/en-us/library/dn205071.aspx?f=255&MSPPError=-2147217396
- The Authentication-Results header shows that DMARC failed.
- Return-Path (item 19) is empty.
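The same three triage steps, as an added PowerShell example that is not part of the original post: the tracking-log query on the on-premises server, the quarantine lookup in Exchange Online, and a small parser that reads the SCL, the SFV verdict, the DMARC result and the Return-Path out of a raw header. The user address, IP address, domain and the sample header below are constructed placeholders.

```powershell
# Added example, not code from the original post: the three triage steps in
# PowerShell. User address, server IP, domain and dates are placeholders.

# Step 1 (on-premises Exchange Management Shell): confirm the on-prem server
# generated an NDR back to the online user. DSN events are NDRs the server
# created itself; FAIL events are the deliveries that bounced.
function Find-NdrInTrackingLog {
    param(
        [Parameter(Mandatory)] [string] $OnlineUser,   # placeholder, e.g. user@contoso.example
        [datetime] $Start = (Get-Date).AddDays(-1)
    )
    Get-MessageTrackingLog -Recipients $OnlineUser -Start $Start -ResultSize Unlimited |
        Where-Object { $_.EventId -in 'FAIL', 'DSN' } |
        Select-Object Timestamp, EventId, Sender, Recipients, MessageSubject
}

# Step 2 (Exchange Online PowerShell): look for the NDR in the user's quarantine.
function Find-QuarantinedNdr {
    param([Parameter(Mandatory)] [string] $OnlineUser)
    Get-QuarantineMessage -RecipientAddress $OnlineUser |
        Where-Object { $_.Subject -like 'Undeliverable*' } |
        Select-Object ReceivedTime, SenderAddress, Subject, Identity
}

# Step 3: pull the verdict out of a raw header. Feed it the text that
# Get-QuarantineMessageHeader -Identity <id> returns, or a header copied
# from the quarantine UI.
function Get-SpamVerdict {
    param([Parameter(Mandatory)] [string] $RawHeader)

    # Unfold RFC 5322 continuation lines so each header occupies one line
    $lines = ($RawHeader -replace "`r?`n[ \t]+", ' ') -split "`r?`n"

    function Get-HeaderValue([string] $Name) {
        $line = $lines | Where-Object { $_ -match "^$Name\s*:" } | Select-Object -First 1
        if ($null -eq $line) { return '' }
        return ($line -replace "^$Name\s*:\s*", '').Trim()
    }

    $report     = Get-HeaderValue 'X-Forefront-Antispam-Report'
    $authResult = Get-HeaderValue 'Authentication-Results'
    $returnPath = Get-HeaderValue 'Return-Path'

    $scl   = if ($report -match 'SCL:(\d+)')        { [int] $Matches[1] } else { $null }
    $sfv   = if ($report -match 'SFV:([A-Z]+)')     { $Matches[1] }       else { $null }  # SKS = transport rule verdict
    $dmarc = if ($authResult -match 'dmarc=(\w+)')  { $Matches[1] }       else { $null }

    [pscustomobject]@{
        SCL             = $scl
        SFV             = $sfv
        Dmarc           = $dmarc
        ReturnPath      = $returnPath
        EmptyReturnPath = ($returnPath -eq '' -or $returnPath -eq '<>')  # null sender, as on system NDRs
    }
}

# Constructed sample header modelled on the quarantined NDR described in the post
$SampleHeader = @"
Return-Path: <>
Authentication-Results: spf=none (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.example;
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;SCL:9;SFV:SKS;
From: Microsoft Outlook <postmaster@contoso.example>
Subject: Undeliverable: Quarterly report
"@

Get-SpamVerdict -RawHeader $SampleHeader
```

Steps 1 and 2 need the respective shells (the on-premises Exchange Management Shell and a connected Exchange Online session); step 3 runs anywhere, and on the sample header it reports SCL 9, SFV SKS, a DMARC result of fail and an empty Return-Path, which is the combination this post is about.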
Root cause: why did DMARC fail?
DMARC helps fight spoofing and protect our mail systems, along with SPF and DKIM (I will have several posts on these three technologies). DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
DMARC works by comparing the "From" field with the "Return-Path" field, and they should be the same (normally you receive mail from [email protected] and reply back to [email protected]). The two fields will not match when the mail is spoofed.
Exchange system-generated NDRs do not contain any value/address in the Return-Path by design, and that is why the DMARC test in our case failed; the failure triggered the transport rule, which in turn set the SCL to 9, and the mail was quarantined.
How can we fix it?
We have three options (checked with the Microsoft support team) to fix this issue by editing the transport rule in question and creating an exception:
- Edit the transport rule – Except if – The sender – IP address is in any of these ranges or exactly matches – IP (your on-premises Exchange server's public IP address)
- Except if – The sender – Is this person – add the email address of the NDR mail, which is [email protected] (this is unique per domain and won't change)
- Except if – A message header – includes these text patterns – Auto-Submitted header contains "auto-replied"
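The three exceptions above, as an added Exchange Online PowerShell example that is not from the original post or from Microsoft support. It first lists the transport rules that stamp SCL 9 (the SFV:SKS verdict in the header means one of those fired), then adds the chosen exception with the corresponding Set-TransportRule parameters. The rule name and IP address are placeholders, and the postmaster address is an assumption standing in for the NDR sender address the post refers to.

```powershell
# Added example, not from the original post or from Microsoft support: the
# three exceptions described above, applied with Exchange Online PowerShell.
# Rule name, IP address and domain are placeholders.

# Find the transport rule(s) that stamp SCL 9. SetSCL is the rule property
# behind "set the spam confidence level (SCL) to 9" in the EAC.
function Get-Scl9TransportRules {
    Get-TransportRule | Where-Object { $_.SetSCL -eq 9 } |
        Select-Object Name, Priority, State, SetSCL
}

# Add ONE of the three exceptions to the rule. Exceptions on a rule are ORed,
# so adding more than one widens what bypasses the rule.
function Add-NdrException {
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        [Parameter(Mandatory)] [ValidateSet('SenderIp', 'NdrSender', 'AutoSubmitted')] [string] $Option,
        [string] $OnPremPublicIp = '203.0.113.10',               # placeholder: your on-prem Exchange public IP
        [string] $NdrSender      = 'postmaster@contoso.example'  # assumption: Exchange NDRs are sent from postmaster@<your domain>
    )
    switch ($Option) {
        # Option 1: the sender IP is the on-premises Exchange server
        'SenderIp'      { Set-TransportRule -Identity $RuleName -ExceptIfSenderIpRanges $OnPremPublicIp }
        # Option 2: the sender is the NDR (postmaster) address
        'NdrSender'     { Set-TransportRule -Identity $RuleName -ExceptIfFrom $NdrSender }
        # Option 3: the Auto-Submitted header contains "auto-replied"
        'AutoSubmitted' {
            Set-TransportRule -Identity $RuleName `
                -ExceptIfHeaderContainsMessageHeader 'Auto-Submitted' `
                -ExceptIfHeaderContainsWords 'auto-replied'
        }
    }
    # Show what the rule now excepts, so the change can be reviewed
    Get-TransportRule -Identity $RuleName |
        Select-Object Name, ExceptIfSenderIpRanges, ExceptIfFrom,
                      ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords
}

# Usage (rule name is a placeholder)
Get-Scl9TransportRules
Add-NdrException -RuleName '<DMARC fail rule>' -Option SenderIp
```

Of the three, the sender-IP exception is the narrowest, since only mail relayed from your own on-premises server's public address bypasses the rule. The other two key on values any sender can put in a message (the From address, or an Auto-Submitted header), so the rule no longer applies to mail that merely claims to be an NDR; review the rule's remaining conditions before choosing one of them.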
This was a nice case that passed through several sections and views to troubleshoot. Hopefully this post might help others facing the same issue/problem.