Emails sent from Microsoft 365 in a hybrid deployment are rejected and nondelivery reports are received
Original KB number: 2750145
The Hybrid Configuration wizard that's included in the Exchange Management Console in Microsoft Exchange Server 2010 is no longer supported. Therefore, you should no longer use the old Hybrid Configuration wizard. Instead, use the Microsoft 365 Hybrid Configuration wizard that's available at https://aka.ms/HybridWizard. For more information, see Microsoft 365 Hybrid Configuration wizard for Exchange 2010.
You run the Hybrid Configuration wizard in Exchange Server 2010 to set up a shared namespace and centralized mail control configuration between your on-premises Exchange Server environment and Exchange Online in Microsoft 365. However, eventually, you notice that email messages that are sent from cloud-based mailboxes are rejected, and senders receive nondelivery reports (NDRs). Over time, the frequency of the NDRs increase.
This issue can occur if the IP addresses that are associated with Exchange Online Protection changed. These IP addresses aren't automatically updated in the on-premises environment. Therefore, the IP addresses that are set in the on-premises Exchange Online Protection receive connector may become invalid. When this issue occurs, mail that's routed from Microsoft 365 users through Exchange Online Protection to the on-premises environment may be rejected.
To fix this issue, use the following steps:
Rerun the Hybrid Configuration wizard. Rerunning the wizard configures the on-premises Exchange Online Protection receive connector to use the correct IP addresses.
This step applies only to the Hybrid Configuration wizard in Exchange Server 2010. When you run the Hybrid Configuration wizard in Exchange Server 2013, no receive connectors are created or are necessary.
Manually update the IP addresses that are listed under Receive mail from remote servers that have these IP addresses for the on-premises Exchange Online Protection receive connector.
In a shared namespace and centralized mail control scenario, an Exchange Online Protection receive connector must be created on the hybrid Exchange 2010 hub transport server to make sure that the on-premises environment receives mail from Microsoft 365 users. The Hybrid Configuration wizard creates the receive connector on the appropriate Exchange 2010 server. Then, the wizard configures the connector with the IP addresses to enable incoming Exchange Online Protection traffic from Microsoft 365 users to be routed to the on-premises environment.
The following screenshot shows an example of an Exchange Online Protection receive connector that the Hybrid Configuration wizard creates.
For more information about the Hybrid Configuration wizard in Exchange 2010, see Hybrid Deployments with the Hybrid Configuration wizard.