External email messages that are sent to an Exchange Online mailbox in a hybrid deployment have an SCL value of -1

Article ID: 2737890

PROBLEM

You have a hybrid deployment between Microsoft Exchange Online in Microsoft Office 365 (pre-upgrade) and your on-premises Microsoft Exchange Server environment. You notice that every external email message that's sent to an Exchange Online mailbox has a spam confidence level (SCL) value of -1. Because an SCL of -1 marks a message as trusted, these messages may be delivered to the Exchange Online mailbox even if they are spam or junk messages.

The following is an example of the headers of an email message that's sent from the Internet to an Exchange Online mailbox and routed through the on-premises environment:
From: John Smith <external email address>
To: Cassie Hicks <cassie@contoso.com>
Content-Type: multipart/alternative; boundary="000e0cd6eb98872f8904c0cdd515"
X-OrganizationHeadersPreserved: O365-E14-HC-01.contoso.local
Return-Path: <external email address>
X-CrossPremisesHeadersPromoted: CH1PRD0410HT004.namprd04.prod.outlook.com
X-CrossPremisesHeadersFiltered: CH1PRD0410HT004.namprd04.prod.outlook.com
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-MS-Exchange-Organization-AuthSource: O365-E14-HC-01.contoso.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: mail.contoso

CAUSE

When the Exchange 2010 Hybrid Configuration Wizard creates the Microsoft Forefront Online Protection for Exchange (FOPE) inbound connector to Exchange Online, anti-spam settings are disabled on that connector.

In the example in the "Problem" section, X-MS-Exchange-Organization-AuthAs is set to Anonymous (the submitting host didn't authenticate), yet X-MS-Exchange-Organization-SCL is set to -1. An SCL of -1 marks the message as trusted, so the message bypasses all spam filtering on the FOPE Edge servers and in the Outlook Junk Mail filter.

Additionally, the FOPE inbound connectors that the Hybrid Configuration Wizard creates are read-only. Therefore, you can't edit the existing connector to enable filtering on it.

SOLUTION

To resolve this issue, create a new FOPE inbound connector that accepts mail from the Internet and that has anti-spam settings enabled, so that external messages receive an SCL value other than -1. To do this, follow these steps:
  1. Sign in to the FOPE Administration Center.
  2. Create a new inbound connector. To do this, follow these steps:
    1. In the FOPE Administration Center, click the Administration tab, and then click Company.
    2. Next to Inbound Connectors, click Add.
    3. Type a name and a description.
    4. In the Sender Domains box, type the following:
      *.*
    5. In the Sender IP Addresses box, enter the IP address of the on-premises Exchange 2010 Hub Transport server (hybrid server).

      Note If you want FOPE to only accept mail from these IP addresses, click Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above. When you use this setting, a nondelivery report (NDR) is generated for all messages that originate from an IP address that isn't listed in the Sender IP Addresses box.
    6. Under Transport Layer Security Settings, click Force TLS, select the Sender certificate matches check box, and then enter the fully qualified domain name (FQDN) of the hub server (hybrid server).
    7. Under Filtering, select the following check boxes (if they aren't already selected):
      • Apply IP reputation filtering
      • Apply spam filtering
      • Apply policy rules
    8. Click Save.
  3. Add the inbound connector that you created in step 2 to your organization's domain. To do this, follow these steps:
    1. In the FOPE Administration Center, click the Domains tab, and then select your organization's domain (the routing domain).

      Note Typically, <domain>.mail.onmicrosoft.com is created by the Hybrid Configuration Wizard, where <domain> is the name of your organization's domain.
    2. In the Inbound Connectors box, select the existing connector (the read-only connector that the Hybrid Configuration Wizard created), click Remove, and then click OK.
    3. Click Select, select the connector that you created in step 2, and then click OK.
    4. Wait for as long as 40 minutes for the changes to propagate to the FOPE servers.
  4. Create an inbound connector for on-premises and shared domains. To do this, follow these steps:
    1. In the FOPE Administration Center, click the Administration tab, and then click Company.
    2. Next to Inbound Connectors, click Add.
    3. Type a name and a description.
    4. In the Sender Domains box, type the name of all shared namespace and on-premises domains. Separate each domain name by using a comma.
    5. In the Sender IP Addresses box, enter the IP address of the on-premises Exchange 2010 Hub Transport server (hybrid server).

      Note If you want FOPE to only accept mail from these IP addresses, click Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above. When you use this setting, a nondelivery report (NDR) is generated for all messages that originate from an IP address that isn't listed in the Sender IP Addresses box.
    6. Under Transport Layer Security Settings, click Force TLS, select the Sender certificate matches check box, and then enter the fully qualified domain name (FQDN) of the hub transport server (hybrid server).
    7. Under Filtering, do the following:
      • Clear the Apply IP reputation filtering check box.
      • Clear the Apply spam filtering check box.
      • Select the Apply policy rules check box.
    8. Click Save.
  5. Add the inbound connector that you created in step 4 to your organization's domain. To do this, follow these steps:
    1. In the FOPE Administration Center, click the Domains tab, and then select your organization's domain (the routing domain).
    2. In the Inbound Connectors box, select the connector that's currently assigned to the domain, click Remove, and then click OK.
    3. Click Select, select the connector that you created in step 4, and then click OK.
    4. Wait for as long as 40 minutes for the changes to propagate to the FOPE servers.
Note This procedure doesn't affect on-premises email messages. Those messages will still have an SCL value of -1 because their headers contain the following:
X-MS-Exchange-Organization-AuthAs: Internal

MORE INFORMATION

When the Exchange 2010 Hybrid Configuration Wizard creates the on-premises connectors and the FOPE inbound connectors, it configures them with Mutual Transport Layer Security (TLS) enabled. In this configuration, the TrustedMailOutboundEnabled option is set to True on the on-premises domain, and the TrustedMailInboundEnabled option is set to True on the cloud-based domain. This means that messages that are sent from the on-premises environment to Exchange Online have an SCL value of -1, and X-MS-Exchange-Organization-AuthAs is set to Internal.

The following is an example:
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-AuthSource: O365-E14-HC-01.contoso.local
X-MS-Exchange-Organization-SCL: -1
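As an added example (not part of this article), the following Python script applies the distinction between the two header examples above to a batch of messages: it flags messages whose AuthAs is Anonymous but whose SCL is -1 (the bypass described in the "Problem" section) and leaves AuthAs Internal mail with SCL -1 alone (the expected on-premises case from the "More Information" section). The sample messages are constructed from the two header examples in this article and are not captured mail; the addresses, hostnames and verdict names are the script's own assumptions.

```python
"""Added example: triage Exchange transport headers for the hybrid SCL -1 bypass.

Not part of the original article. A message is flagged when
X-MS-Exchange-Organization-AuthAs is Anonymous (the submitting host did not
authenticate) but X-MS-Exchange-Organization-SCL is -1 (treated as trusted,
so spam filtering is skipped). AuthAs: Internal with SCL -1 is the expected
result of the mutual-TLS hybrid connectors and is not flagged.
"""
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional

AUTH_AS_HEADER = "X-MS-Exchange-Organization-AuthAs"
SCL_HEADER = "X-MS-Exchange-Organization-SCL"

# Constructed sample messages modelled on the two header examples in this
# article. Addresses and hostnames are placeholders, not real mail.
EXTERNAL_UNFILTERED = """\
From: John Smith <john.smith@example.net>
To: Cassie Hicks <cassie@contoso.com>
Return-Path: <john.smith@example.net>
X-CrossPremisesHeadersPromoted: CH1PRD0410HT004.namprd04.prod.outlook.com
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthSource: O365-E14-HC-01.contoso.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: mail.contoso

(body omitted)
"""

ONPREM_INTERNAL = """\
From: Alex Doe <alex@contoso.com>
To: Cassie Hicks <cassie@contoso.com>
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-AuthSource: O365-E14-HC-01.contoso.local
X-MS-Exchange-Organization-SCL: -1

(body omitted)
"""

# Constructed: what an external message looks like once a connector with spam
# filtering enabled handles it. AuthAs is still Anonymous, but the SCL is a real score.
EXTERNAL_FILTERED = """\
From: Promo Desk <promo@example.org>
To: Cassie Hicks <cassie@contoso.com>
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 6

(body omitted)
"""

# Constructed: an SCL header that is present but not a number.
MALFORMED_SCL = """\
From: Someone <someone@example.com>
To: Cassie Hicks <cassie@contoso.com>
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: n/a

(body omitted)
"""


def get_scl(msg: Message) -> Optional[int]:
    """Return the SCL as an int, or None when the header is absent or unparsable."""
    value = msg.get(SCL_HEADER)
    if value is None:
        return None
    try:
        return int(value.strip())
    except ValueError:
        return None


def classify(raw_message: str) -> str:
    """Classify one RFC 5322 message (headers plus optional body) by AuthAs and SCL."""
    msg = message_from_string(raw_message)  # header lookups are case-insensitive
    auth_as = (msg.get(AUTH_AS_HEADER) or "").strip().lower()
    scl = get_scl(msg)
    if scl is None:
        return "no-scl"             # no usable stamp: the message did not take the expected path
    if scl == -1 and auth_as == "anonymous":
        return "spam-bypass"        # the condition this article describes
    if scl == -1 and auth_as == "internal":
        return "trusted-internal"   # expected for on-premises mail over the hybrid connector
    if scl == -1:
        return "trusted-other"      # -1 with some other AuthAs value: review by hand
    return "filtered"               # spam filtering ran and stamped a score of 0 or higher


def triage(raw_messages: List[str]) -> Dict[str, int]:
    """Count verdicts across a batch of messages (for example, a day's exported headers)."""
    counts: Dict[str, int] = {}
    for raw in raw_messages:
        verdict = classify(raw)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    batch = [EXTERNAL_UNFILTERED, ONPREM_INTERNAL, EXTERNAL_FILTERED, MALFORMED_SCL]
    for raw in batch:
        print(f"{classify(raw):16} {raw.splitlines()[0]}")
    print(triage(batch))
```

After you apply the connector change in the "Solution" section, running this over a sample of headers from new Internet mail should show the "spam-bypass" count drop to zero while on-premises mail stays "trusted-internal"; any remaining "spam-bypass" or "no-scl" results point at mail that still reaches Exchange Online over a path you haven't accounted for.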


Properties

Article ID: 2737890 - Last Review: June 19, 2013 - Revision: 7.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education (pre-upgrade)
  • Microsoft Exchange Online
Keywords: 
o365062011 pre-upgrade o365 o365e o365a hybrid KB2737890
