Domain users cannot receive email messages through Microsoft Forefront Online Protection for Exchange (FOPE).
This issue occurs if one or more of the following conditions are true:
- The MX record does not point to the FOPE service.
- The FOPE Administration Center configuration is not valid for the domain.
- Firewall configuration is incorrect.
- Other issues are occurring.
If the MX record does not point to the FOPE service, follow these steps:
- Set the FOPE record to the lowest priority.
- Check public MX records.
Note Public DNS records may require 72 hours to propagate. If your MX record has recently been moved so that it points to the FOPE service, we recommend that you leave your firewall connections open for up to 72 hours. You can use a DNS lookup tool to verify where external senders are trying to send email messages. For example, you can use the NSLookup tool to verify this information. For more information about how to use the NsLookup tool to verify MX record configuration, visit the following Microsoft TechNet website:
f you receive errors from the DNS lookup tool when you check the MX records, you may have some DNS issues. In this case, check the spelling of the domain, and then run the test again. If you still receive errors from the DNS lookup tool, you should contact your DNS provider for troubleshooting.
If the FOPE Administration Center configuration is not valid for the domain, follow these steps:
- Sign in to the FOPE Administration Center. To do this, you must have administrator permissions for the domain that you want to view.
- Click Administration, click Domains, and thenselect the domain that cannot receive email messages.
- Make sure that the domain is enabled. A disabled domain displays No in the Enabled box.
- Make sure that the IP addresses that are listed in the inbound mail server box are accurate.
- Make sure that you verify the IP addresses and the associated MX priority.
- Make sure that your domain is not listed as a virtual domain.
Note Email messages that are addressed to a virtual domain cannot be forwarded. Virtual domains exist only in our system. These virtual domains are used for intelligent routing purposes.
If you have a firewall misconfiguration, you should make sure that all data-center IP addresses are allowed through your firewall. Otherwise, our data centers cannot relay email messages to your mail server. This behavior may result in a deferral of up to five days in our data centers. To find the most recent list of IP addresses, see the Configuration
section under the Information
tab in the FOPE Administration Center.
Customers using earlier versions of Cisco firewalls should also consult Email messages are deferred in Forefront Online Protection for Exchange (FOPE) when they are sent to a mail server that is deployed behind a Cisco PIX firewall
Other steps to consider to resolve this issue are as follows:
- Determine whether senders are receiving a bounced message. If they arereceiving a bounced message, look up the error, and then try to fix the issue.
- Restart the firewall and the mail server.
- Make sure that your ISP does not block traffic on port 25.
- If you use the Backscatterer.org service, see the following Microsoft Knowledge Base article:
Users in a FOPE environment receive NDRs when they send mail to a recipient environment that uses the Backscatterer.org service
Make sure that you have logging enabled on your mail server and on your firewall. This information is important for the troubleshooting process.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Article ID: 2598485 - Last Review: September 19, 2013 - Revision: 7.0
- Microsoft Forefront Online Protection for Exchange