Where to see how/why emails are getting blocked in Exchange Online

Joe Grover 456 Reputation points
2023-05-22T18:25:58.83+00:00

A couple years ago we migrated from on-premises Exchange to Exchange Online. We currently are using Barracuda for email security, with inbound mail flowing through the Barracuda Cloud Protection Layer -> on-premises Barracuda Email Security Gateway -> on-premises Exchange server -> across SMTP connector to 365.

We are about to switch from the Barracuda to a 365-integrated solution (CheckPoint Harmony), which largely leverages the functionality of Exchange Online to handle things the Barracuda has been doing.

Right now, my main concern is how I'll be able to troubleshoot incoming email that isn't getting delivered to the user. As a test, I added a test URL in the Tenant Allow/Block Lists in https://security.microsoft.com. I then sent a test message from a personal account to my work account that contained this URL.

As expected, the email was not delivered and I received an NDR at the sending address. However, I cannot see anything in Exchange Online showing that the email tried to come in and was rejected, or why.

I tried starting a new message trace in the Exchange Online Admin Center, but it didn't find anything. I don't see anything in the various reports that I've looked at in the Security Admin Center, either.

Where would I look to find this email? I'd like to know how to troubleshoot something like this before there's a need to do it for a user. Where should I be looking for messages that we're blocking so I can determine the reason? It doesn't show up in the CheckPoint Harmony logs, presumably because it was blocked by Exchange before CheckPoint would have seen it.


3 answers

  1. Andy David - MVP 145.1K Reputation points MVP
    2023-05-22T19:20:47.35+00:00

  2. Andy David - MVP 145.1K Reputation points MVP
    2023-05-22T21:02:11.95+00:00

    Yeah, see, that's the part I will need to test. The TABL doesn't block messages at the SMTP conversation level; IOW, it doesn't reject a message back to the sender. It accepts the message, then processes the block based on the policy, either ending up in junk or quarantine: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list-about?view=o365-worldwide#block-entries-in-the-tenant-allowblock-list

    So, it should be in message trace! :)


  3. Yuki Sun-MSFT 41,011 Reputation points
    2023-05-23T07:12:35.1166667+00:00

    Hi @Joe Grover

    > As expected, the email was not delivered and I received an NDR at the sending address.

    Do you mind removing all personal information involved and sharing some of the NDR content here?

    I've also tested in my lab tenant by adding a test URL in the Tenant Allow/Block Lists and then sending a test mail containing the URL. But I didn't get the NDR at the sending address, and I can see the test mail using Message trace with the quarantined status:
    [Three screenshots of the message trace result]

    Did I misunderstand anything here?
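
The lookup the answers above describe (message trace first, then quarantine), as an added PowerShell example that is not part of any post in this thread. It assumes the ExchangeOnlineManagement module and an account allowed to run message trace and view quarantine; the addresses are placeholders, and the `V2` cmdlet names are used only if the installed module provides them.

```powershell
# Added example. Placeholder addresses; replace with the real sender and recipient.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$sender    = 'sender@example.net'     # placeholder: external sending address
$recipient = 'user@contoso.example'   # placeholder: internal recipient
$end       = Get-Date
$start     = $end.AddDays(-2)

# Use the newer trace cmdlets when the module has them, otherwise the original ones.
$hasV2     = [bool](Get-Command Get-MessageTraceV2 -ErrorAction SilentlyContinue)
$traceCmd  = if ($hasV2) { 'Get-MessageTraceV2' }       else { 'Get-MessageTrace' }
$detailCmd = if ($hasV2) { 'Get-MessageTraceDetailV2' } else { 'Get-MessageTraceDetail' }

# 1. Message trace: was the message accepted, and what is its final status?
$trace = & $traceCmd -SenderAddress $sender -RecipientAddress $recipient `
                     -StartDate $start -EndDate $end

if (-not $trace) {
    # Nothing recorded for this pair in the window. Either trace data has not
    # caught up yet, or the message was rejected before Exchange Online accepted
    # it; in that case the NDR text names the system that generated it.
    Write-Warning "No trace rows for $sender -> $recipient between $start and $end."
}
else {
    $trace | Sort-Object Received |
        Format-Table Received, Subject, Status, FromIP, MessageTraceId -AutoSize

    # 2. Per-message events: which agent or policy acted on the message.
    foreach ($m in $trace) {
        & $detailCmd -MessageTraceId $m.MessageTraceId `
                     -RecipientAddress $m.RecipientAddress |
            Sort-Object Date |
            Format-Table Date, Event, Action, Detail -Wrap
    }
}

# 3. Quarantine: a Tenant Allow/Block List hit that was accepted and then
#    quarantined shows up here with the policy that held it.
Get-QuarantineMessage -SenderAddress $sender -RecipientAddress $recipient `
                      -StartReceivedDate $start -EndReceivedDate $end |
    Format-List ReceivedTime, Subject, Type, PolicyType, PolicyName, Identity

Disconnect-ExchangeOnline -Confirm:$false
```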