To verify that you're experiencing this issue, examine the email header of an email message that was sent from the on-premises user account. Typically, X-MS-Exchange-Organization-AuthAs should be listed as "Internal." If X-MS-Exchange-Organization-AuthAs is listed as "anonymous" or if it's missing, this indicates an incorrect configuration or an incorrect mail route.
- Check the mail route.
The simplest route is Exchange 2010 mailbox server to Exchange 2010 hub server (hybrid server) to the Exchange Online Protection (EOP) inbound connector to Exchange Online. Make sure that there are no unnecessary network devices such as anti-spam gateway devices between the Exchange 2010 hub server (hybrid server) and EOP. Those devices could remove the necessary header.
- Check the remote domain of the on-premises Exchange server. To do this, follow these steps:
- In Exchange Management Shell, run the following PowerShell command:For example:
Get-RemoteDomain < NameOfService>.< DomainName>.com | FL
Get-RemoteDomain exchangedelegation.contoso.com | FL
- In the output, make sure that the TrustedMailOutboundEnabled, TargetDeliverDomain, and IsInternal attributes are set to True.
- If the attributes in step 2B aren't set to True, use the Set-RemoteDomain command to change the value to True.
- In Exchange Management Shell, run the following PowerShell command:
- Check the remote domain in Office 365. To do this, follow these steps:
- Connect to Exchange Online by using remote PowerShell. For more info about how to do this, see Connect to Exchange Online using remote PowerShell.
- Run the following PowerShell command:
Get-RemoteDomain <FQDNOfOnPremisesEndConnector> | FL
- In the output, make sure that the TrustedMailnboundEnabled attribute is set to True.
- If the attribute in step 3C isn't set to True, use the Set-RemoteDomain command to change the value to True.
- Make sure that Transport Layer Security (TLS) is implemented and enabled in both environments and that the fully qualified domain name (FQDN) is set correctly. Check the on-premises send connector and the EOP inbound connector by using the Exchange Server Deployment Assistant at the following Microsoft website:
- Check the Exchange certificate of the send connector on the on-premises Exchange servers that are responsible for delivering mail to EOP. The Exchange certificate should have Simple Mail Transfer Protocol (SMTP) enabled and should match the FQDN of the send connector.