Email messages are incorrectly quarantined in Exchange hybrid deployments that use centralized mail control

Note The Hybrid Configuration wizard that's included in the Exchange Management Console in Microsoft Exchange Server 2010 is no longer supported. Therefore, you should no longer use the old Hybrid Configuration wizard. Instead, use the Office 365 Hybrid Configuration wizard that's available at http://aka.ms/HybridWizard. For more information, see Office 365 Hybrid Configuration wizard for Exchange 2010.
PROBLEM
You have a hybrid deployment of on-premises Exchange Server and Exchange Online in Office 365. In this deployment, you use centralized mail control. This forces messages to route to the on-premises mail server before they are delivered to Exchange Online mailboxes. In this scenario, you experience one or more of the following symptoms:
  • Spam notifications to users are quarantined.
  • Email messages on the Allow list are quarantined.
  • Email messages that are released from quarantine are quarantined again.
  • Sender Policy Framework (SPF) checks fail on the second pass.
CAUSE
This problem occurs if the Exchange Online organization or the on-premises organization isn't set up to promote email headers as cross-premises (that is, from Exchange Online to the on-premises server to Office 365).
SOLUTION
  1. Verify that centralized mail control is enabled and is set up to promote headers in Office 365. To do this, follow these steps:
    1. Connect to Exchange Online by using a remote Windows PowerShell session. For more information, see Connect to Exchange Online using remote PowerShell.
    2. View the configuration information of the hybrid outbound connector in the Exchange Online organization. To do this, run the following command:
      Get-OutboundConnector "Contoso Outbound Connector" | Format-List
      Verify that the value of the RouteAllMessagesViaOnPremises property is set to $true.
    3. View the configuration information of the hybrid inbound connector in the Exchange Online organization. To do this, run the following command:
      Get-InboundConnector "Contoso Inbound Connector" | Format-List
      Verify that the value of the CloudServicesMailEnabled property is set to $true.
    4. Locate the following line in the headers:
      X-MS-Exchange-Organization-Cross-Premises-Headers-Promoted: <Office 365 Server Name>
      For example, BY2FFO11FD002.protection.gbl.

      Note If the RouteAllMessagesViaOnPremises property and the CloudServicesMailEnabled property are set to $false, and the X-MS-Exchange-Organization-Cross-Premises-Headers-Promoted: <Office 365 Server Name> header isn't found, this resolution does not apply to your organization’s configuration.
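      The following script is an added example and is not part of the Microsoft article. Rather than looking up one connector by name, it enumerates every outbound and inbound connector in the Exchange Online organization and reports the two settings that steps 1.2 and 1.3 say must be $true. It assumes the remote PowerShell session to Exchange Online from step 1.1 is already established; the connector names are whatever your tenant contains.

```powershell
# Added example (not from the Microsoft article): report the centralized mail
# control settings on all connectors in Exchange Online. Requires an established
# remote PowerShell session to Exchange Online (step 1.1).

# Collect one row per connector with the property the article asks you to verify.
$checks = @(
    Get-OutboundConnector | ForEach-Object {
        [pscustomobject]@{
            Connector = $_.Name
            Type      = 'Outbound'
            Setting   = 'RouteAllMessagesViaOnPremises'
            Value     = [bool]$_.RouteAllMessagesViaOnPremises
        }
    }
    Get-InboundConnector | ForEach-Object {
        [pscustomobject]@{
            Connector = $_.Name
            Type      = 'Inbound'
            Setting   = 'CloudServicesMailEnabled'
            Value     = [bool]$_.CloudServicesMailEnabled
        }
    }
)

$checks | Format-Table -AutoSize

# At least one outbound connector must route via on-premises and at least one
# inbound connector must have CloudServicesMailEnabled for the fix to apply.
$routesViaOnPrem = @($checks | Where-Object { $_.Setting -eq 'RouteAllMessagesViaOnPremises' -and $_.Value }).Count -gt 0
$cloudMailOn     = @($checks | Where-Object { $_.Setting -eq 'CloudServicesMailEnabled' -and $_.Value }).Count -gt 0

if ($routesViaOnPrem -and $cloudMailOn) {
    'Centralized mail control and header promotion are enabled in Office 365; continue with step 2.'
} else {
    Write-Warning 'No connector pair has both settings set to $true; per the Note above, this resolution may not apply.'
}
```

      Run it once before and once after any connector change; the table makes it obvious which connector is the hybrid one and whether a non-hybrid connector is unexpectedly routing mail through the on-premises server.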
  2. Send an inbound test message to an Exchange Online mailbox by routing the message through the on-premises server first. Locate the following X-header lines in the message headers. The presence of both lines indicates that the message was scanned twice in transport.
    • X-Forefront-Antispam-Report-Untrusted: This is the first pass. It occurs when the message is first received in Office 365. The connecting IP address (CIP) on that line will be an Internet IP address.
    • X-Forefront-Antispam-Report: This is the second pass. It occurs when the message is returned by the on-premises server and is received for the second time in Office 365. The connecting IP address will be your organization's on-premises server IP address.
    Note If there’s only one X-Forefront header, this resolution does not apply to your organization’s configuration.
  3. To promote the headers from the on-premises environment back to Office 365, follow these steps:
    1. Verify that the headers are currently not being promoted. To do this, check whether the following line is missing in the headers:

      X-MS-Exchange-Organization-Cross-Premises-Headers-Promoted: <On-premises Server Name>
      For example, the on-premises server name is "contoso_on_premises.contoso.com."
    2. Locate X-OriginatorOrg from the headers. It will be in the format of "contoso.onmicrosoft.com."
    3. Open the Exchange Management Shell in Exchange 2013 or Exchange 2010, and then run the following commands:

      • New-RemoteDomain -Name 'Hybrid Domain - contoso.onmicrosoft.com' -DomainName 'contoso.onmicrosoft.com'
      • Set-RemoteDomain 'Hybrid Domain - contoso.onmicrosoft.com' -TrustedMailOutboundEnabled $true -TrustedMailInboundEnabled $true
    4. Verify that the issue is fixed. Send a new message, and then verify that the following line is present in the headers:

      X-MS-Exchange-Organization-Cross-Premises-Headers-Promoted: <On-premises Server Name>
      For example, the on-premises server name is "contoso_on_premises.contoso.com."
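      The following script is an added example and is not part of the Microsoft article. It covers steps 2 and 3 together: it parses a saved message header block, reports the connecting IP of each antispam pass, checks whether the on-premises server has already promoted the headers, and derives the New-RemoteDomain/Set-RemoteDomain commands from X-OriginatorOrg. The header text, the on-premises server name and the tenant domain are constructed placeholders; the $applyFix switch and the ConvertFrom-HeaderBlock and Get-ConnectingIP helpers are this example's own, not anything the article or Exchange provides.

```powershell
# Added example (not from the Microsoft article). Parses message headers for the
# double-scan check (step 2) and the promotion check (step 3), then derives the
# remote-domain commands. Only the $applyFix branch needs the on-premises
# Exchange Management Shell; the rest runs in any Windows PowerShell.

# Constructed sample headers (not a real capture); addresses are documentation ranges.
$headerText = @'
X-MS-Exchange-Organization-Cross-Premises-Headers-Promoted: BY2FFO11FD002.protection.gbl
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;
 SFV:SPM;H:contoso_on_premises.contoso.com;PTR:;CAT:SPM
X-OriginatorOrg: contoso.onmicrosoft.com
X-Forefront-Antispam-Report-Untrusted: CIP:198.51.100.25;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM
'@

# Placeholder for your on-premises hybrid server name.
$onPremServerName = 'contoso_on_premises.contoso.com'

# Set to $true only in the on-premises Exchange Management Shell to apply the fix.
$applyFix = $false

# Unfold continuation lines (leading whitespace) and return one object per header.
function ConvertFrom-HeaderBlock {
    param([string]$Text)
    $unfolded = $Text -replace "`r?`n[ \t]+", ' '
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            [pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2].Trim() }
        }
    }
}

# Extract the connecting IP (CIP) from an X-Forefront-Antispam-Report value.
function Get-ConnectingIP {
    param([string]$Report)
    if ($Report -match 'CIP:([^;]+)') { $Matches[1] } else { $null }
}

$headers = ConvertFrom-HeaderBlock $headerText

# Step 2: two Forefront lines mean the message was scanned twice.
$firstPass  = $headers | Where-Object { $_.Name -eq 'X-Forefront-Antispam-Report-Untrusted' }
$secondPass = $headers | Where-Object { $_.Name -eq 'X-Forefront-Antispam-Report' }

if ($firstPass -and $secondPass) {
    "First pass (Internet) CIP : $(Get-ConnectingIP $firstPass.Value)"
    "Second pass (on-prem) CIP : $(Get-ConnectingIP $secondPass.Value)"
} else {
    Write-Warning 'Only one X-Forefront header found; this resolution does not apply.'
    return
}

# Step 3: promotion by the on-premises server appears as a
# Cross-Premises-Headers-Promoted line carrying the on-premises server name.
$promotedBy = $headers |
    Where-Object { $_.Name -eq 'X-MS-Exchange-Organization-Cross-Premises-Headers-Promoted' } |
    ForEach-Object { $_.Value }

if ($promotedBy -contains $onPremServerName) {
    "Headers are already promoted by $onPremServerName; no remote-domain change needed."
    return
}
"Headers promoted by: $($promotedBy -join ', ') (on-premises server missing)"

# Derive the tenant domain from X-OriginatorOrg and build the remote-domain name.
$tenantDomain     = ($headers | Where-Object { $_.Name -eq 'X-OriginatorOrg' }).Value
$remoteDomainName = "Hybrid Domain - $tenantDomain"

if ($applyFix) {
    # Idempotent: create the remote domain only if none exists for this domain name.
    if (-not (Get-RemoteDomain | Where-Object { $_.DomainName -eq $tenantDomain })) {
        New-RemoteDomain -Name $remoteDomainName -DomainName $tenantDomain
    }
    Set-RemoteDomain $remoteDomainName -TrustedMailOutboundEnabled $true -TrustedMailInboundEnabled $true
} else {
    'Run in the Exchange Management Shell:'
    "  New-RemoteDomain -Name '$remoteDomainName' -DomainName '$tenantDomain'"
    "  Set-RemoteDomain '$remoteDomainName' -TrustedMailOutboundEnabled `$true -TrustedMailInboundEnabled `$true"
}
```

      With the sample headers, the script reports the Internet CIP 198.51.100.25 for the first pass and the on-premises CIP 203.0.113.10 for the second, finds only the Office 365 server in the promotion header, and prints the two remote-domain commands. After the fix, re-run it against the headers of a fresh test message (step 3.4); it should then report that the on-premises server has promoted the headers and skip the commands.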
MORE INFORMATION
For more information, see the following Microsoft resources:
Properties

Article ID: 3079142 - Last Review: 04/26/2016 14:50:00 - Revision: 3.0

Microsoft Exchange Online, Microsoft Exchange Online Protection, Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2010 Standard, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard
