You receive a warning about possible NDR of email messages when running Hybrid Configuration Wizard

Applies to: Exchange Online

Symptoms


Consider the following scenario:

  • You are running Microsoft Exchange Hybrid Configuration Wizard.
  • Mail flow connectors are being created.
  • You receive a warning message. 

In this scenario, If you ignore the warning, the Hybrid Configuration Wizard lets you continue by using the value that's obtained from on-premises. However, your on-premises environment cannot send messages on behalf of any domain that’s not validated as an accepted domain in your Office 365 tenant. 

Also, you receive the following non-delivery report (NDR): 

 

Cause


The warning message that is mentioned in the "Symptoms" section is generated if one of the following conditions is true:

  • The certificate that you are using on-premises has a subject name (the certificate value for host name) that does not match any accepted domain in your Office 365 tenant. 

    For example, the certificate subject is <S>CN=contoso.com. However, the contoso.com domain isn't validated in your Office 365 tenant.
  • The certificate that you are using on-premises has a subject name that contains a host name that does not belong to an immediately accepted domain name that is validated in your Office 365 tenant. 

    For example, the certificate subject is <S>CN=hostname.contoso.com. However, the contoso.com domain isn't validated in your Office 365 tenant. As another example, the certificate subject name is <S>CN=hostname.subdomain.contoso.com. However, only contoso.com is registered as an accepted domain for your tenant.

Resolution


To enable your on-premises environment to send messages, use one of the following methods:

  • (Preferred) Add the domain that’s used on the certificate to the Office 365 tenant. If you own the domain, sign in to Office 365 by using administrator permissions, locate Settings > Domains, and then follow the instructions. If the certificate subject name is hostname.subdomain.contoso.com, you have to add only subdomain.contoso.com.
  • Have the certificate reissued by using a different name that matches an accepted domain in the Office 365 tenant. You can still any specify subject alternative names that you want. Wildcard certificates are enabled, but not required.

    Note If you do this, you have to install the newly issued certificate on the Exchange Server that's used for hybrid mail flow. You may also have to make sure that the fully qualified domain name (FQDN) is set correctly on the Exchange Server connector.

After you complete either option, rerun the Hybrid Configuration Wizard so that the Exchange Online connector can be set correctly.

More Information


Make sure that the client certificate that's provided when you establish Transport Layer Security (TLS) matches the value of the TlsSenderCertificateName parameter on the (inbound) connector. Then, authenticate the certificate as a validated accepted domain. You can use this method to verify that messages that are submitted during an SMTP conversation belong to your Office 365 tenant. In this manner, you can verify that the messages exist only on the tenant.

For more information, see Identifying email from your email server.

Still need help? Go to Microsoft Community or the Exchange TechNet Forums.