Users in an Exchange Online Protection environment receive NDRs when they send mail to a recipient environment that uses the service

Applies to: Exchange Online Protection


Users in a Microsoft Exchange Online Protection environment receive a nondelivery report (NDR) when they send email messages to a recipient whose messaging environment uses the service for mail security.


This issue occurs if all the following conditions are true:
  • The Exchange Online Protection outgoing servers (also known as "outbound servers") are listed in the reputation block list. (This listing can't be prevented because of certain kinds of spoofing attacks that can be directed against the Exchange Online Protection service and users.) 
  • The recipient email environment implemented the service in reject mode instead of in safe mode.
  • The recipient email environment didn't add the Exchange Online Protection outgoing edge server IP addresses to the list of enabled mail senders.
It's very common for Exchange Online Protection outgoing servers to be listed by the service. However, if you must verify that this occurred, follow these steps:
  1. Use the Message Trace feature in the Exchange Online Protection Administration Center to determine the host name of the outgoing edge server that sent the users' mail items. For more information about how to run a message trace, see Trace an Email Message.
  2. Use the test that's provided by the service to determine whether the IP address is listed as the source of spam.


Because the cause of the issue is rooted in the service, the solution must be directed at Backscatterer. Office 365 doesn't support services. The following guidance is provided as-is and without any warranty to resolve unexpected mail rejections from recipient environments that use the service as a block list.

To resolve this issue, try one of the following methods:
  • Contact the recipient mail administrator to have the specific Exchange Online Protection outgoing server IP addresses added to an enabled list to bypass the checks. For an updated list of Exchange Online Protection IP addresses, see Exchange Online Protection IP addresses.
  • Contact the recipient mail administrator to recommend that he or she implement the service in safe mode, as recommended at the following website:


"Backscatter" (also known as "outscatter," "misdirected bounces," "blowback," and "collateral spam") refers to the incorrect and automated bounce messages that are sent by mail servers, typically as a side effect of incoming spam. Because Exchange Online Protection is a spam-filtering service, mail to nonexistent recipients and to other suspicious messages is rejected by the service. When that happens, Exchange Online Protection generates a new NDR message and delivers it back to the "sender." Because spammers frequently use a forged or invalid "from" address in their messages, the sender address to which the NDR is sent may result in backscatter. When this happens, outgoing servers that are associated with the Exchange Online Protection network may be listed on the Backscatterer DNS block list (DNSBL). 

The Backscatterer DNSBL is a list of IP addresses that send backscatter. It's not a spammer list. The instructions on the Backscatterer website recommend that you not set up or use the reject mode for all incoming mail from the service. You should use the service in safe mode to block messages in which MAIL FROM resembles the following:
For more information about the correct configuration, see the following website: We are committed to enabling customers to have a secure email environment that is both spam-free and virus-free. As part of that commitment, Exchange Online Protection takes many steps to make sure that mail that's filtered through our network doesn't contain unsolicited commercial messages.