Understanding Safety Net
Let's keep it simple: "Exchange Safety Net takes over where shadow redundancy has left off." Once a message is delivered to the mailbox, and before it is successfully replicated to the passive mailbox database copies, a copy of it is stored in a queue associated with the Transport service on the Mailbox server. This queue is called Safety Net, and it is the successor of the Transport Dumpster in Exchange 2010. By default, Safety Net holds a copy of a successfully delivered message for 2 days.
Like shadow redundancy, Safety Net does not require a DAG; if the server is not a DAG member, Safety Net stores the successfully delivered message on another Mailbox server in the same Active Directory site.
Safety Net itself is not a single point of failure. If the Primary Safety Net is unavailable, the shadow copy takes over and the messages are redelivered from the Shadow Safety Net. You can configure this behavior with the Set-TransportConfig cmdlet.
How does it work?
Shadow redundancy keeps a redundant copy of the message while the message is in transit. Safety Net keeps a redundant copy of a message after the message has been successfully processed. So, Safety Net begins where shadow redundancy ends. The concepts used in shadow redundancy, including the transport high availability boundary, primary messages, primary servers, shadow messages and shadow servers, also apply to Safety Net.
The Primary Safety Net exists on the Mailbox server that held the primary message before the message was successfully processed by the Transport service. This could mean the message was delivered to the Mailbox Transport Delivery service on the destination Mailbox server. Or, the message could have been relayed through the Mailbox server in an Active Directory site that's designated as a hub site on the way to the destination DAG or Active Directory site. After the primary server processes the primary message, the message is moved from the active delivery queue into the Primary Safety Net on the same server.
The Shadow Safety Net exists on the Mailbox server that held the shadow message. After the shadow server determines that the primary server has successfully processed the primary message, the shadow server moves the shadow message from the shadow queue into the Shadow Safety Net on the same server. Although it may seem obvious, the existence of the Shadow Safety Net requires shadow redundancy to be enabled (it's enabled by default).
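To tie together the two settings mentioned above, the Safety Net hold time configured through Set-TransportConfig and the shadow redundancy switch that the Shadow Safety Net depends on, here is a short Exchange Management Shell session added as an example. It is not part of the original post; the 3-day hold time and the server name are illustrative values, and the cmdlet parameters (SafetyNetHoldTime, ShadowRedundancyEnabled, ShadowMessageAutoDiscardInterval) are the organization-wide transport settings exposed by Get-TransportConfig/Set-TransportConfig.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.

# 1. Inspect the current organization-wide transport settings that govern
#    Safety Net and shadow redundancy. SafetyNetHoldTime defaults to 2 days
#    (2.00:00:00); ShadowRedundancyEnabled defaults to $true.
Get-TransportConfig | Format-List SafetyNetHoldTime, ShadowRedundancyEnabled, ShadowMessageAutoDiscardInterval

# 2. Lengthen the Safety Net retention window. The value is a TimeSpan in
#    dd.hh:mm:ss form; 3.00:00:00 (illustrative) keeps delivered copies for 3 days,
#    so a passive database copy that lags longer than the default can still be
#    resubmitted from Safety Net instead of losing mail.
Set-TransportConfig -SafetyNetHoldTime 3.00:00:00

# 3. Confirm shadow redundancy is on. The Shadow Safety Net only exists when
#    shadow redundancy is enabled, so an operator who turned it off (for example
#    during troubleshooting) silently loses the second Safety Net copy.
$cfg = Get-TransportConfig
if (-not $cfg.ShadowRedundancyEnabled) {
    Write-Warning "Shadow redundancy is disabled: no Shadow Safety Net copies will be kept."
    # Restore the default so both Primary and Shadow Safety Net are populated.
    Set-TransportConfig -ShadowRedundancyEnabled $true
}

# 4. Verify the change took effect.
Get-TransportConfig | Format-List SafetyNetHoldTime, ShadowRedundancyEnabled
```

One caveat worth keeping in mind: SafetyNetHoldTime is an organization setting, so it applies to every Mailbox server's transport queue database at once, and a longer window means more disk consumed by the mail.que file on each server; size the queue volume before raising it.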