A couple years ago we migrated from on-premises Exchange to Exchange Online. We currently are using Barracuda for email security, with inbound mail flowing through the Barracuda Cloud Protection Layer -> on-premises Barracuda Email Security Gateway -> on-premises Exchange server -> across SMTP connector to 365.
We are about to switch from the Barracuda to a 365-integrated solution (CheckPoint Harmony), which largely leverages the functionality of Exchange Online to handle things the Barracuda has been doing.
Right now, my main concern is how I'll be able to troubleshoot incoming email that isn't getting delivered to the user. As a test, I added a test URL in the Tenant Allow/Block Lists in https://security.microsoft.com. I then sent a test message from a personal account to my work account that contained this URL.
As expected, the email was not delivered and I received an NDR at the sending address. However, I cannot see anything in Exchange Online showing that the email tried to come in and was rejected, or why.
I tried starting a new message trace in the Exchange Online Admin Center, but it didn't find anything. I don't see anything in the various reports that I've looked at in the Security Admin Center, either.
Where would I look to find this email? I'd like to know how to troubleshoot something like this before there's a need to do it for a user. Where should I be looking for messages that we're blocking so I can determine the reason? It doesn't show up in the CheckPoint Harmony logs, presumably because it was blocked by Exchange before CheckPoint would have seen it.
Defender will show this:
Seems like message trace should as well honestly.
Yeah, see, that's the part I will need to test. The TABL doesn't block messages at the SMTP conversation level; in other words, it doesn't reject a message back to the sender. It accepts the message, then processes the block based on the policy, with the message ending up in either junk or quarantine: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list-about?view=o365-worldwide#block-entries-in-the-tenant-allowblock-list
So, it should be in message trace! :)
Hi @Joe Grover
> As expected, the email was not delivered and I received a NDR at the sending address.

Do you mind removing all personal information involved and sharing some of the NDR content here?
I've also tested in my lab tenant by adding a test URL in the Tenant Allow/Block Lists and then sent a test mail containing the URL. But I didn't get the NDR at the sending address, and can see the test mail using Message trace with the quarantined status:
Did I misunderstand anything here?
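
The lookup discussed in the replies above (message trace first, then quarantine), as an added PowerShell example that is not part of the original thread. It assumes the ExchangeOnlineManagement module is installed and the signed-in account may run message traces and view quarantine; the addresses and the two-day window are constructed placeholders.

```powershell
# Added example, not from the thread. Addresses are constructed placeholders.
# Newer module versions also ship Get-MessageTraceV2 / Get-MessageTraceDetailV2;
# use those if the classic cmdlets are unavailable in your tenant.
$Sender    = 'sender@example.com'
$Recipient = 'user@contoso.example'
$Start     = (Get-Date).AddDays(-2)
$End       = Get-Date

Connect-ExchangeOnline

# 1. Message trace: did Exchange Online accept the message, and with what status?
$traces = Get-MessageTrace -SenderAddress $Sender -RecipientAddress $Recipient `
                           -StartDate $Start -EndDate $End

if (-not $traces) {
    Write-Warning 'No trace rows in this window. Widen the window or re-check the addresses.'
}

foreach ($t in $traces) {
    $t | Format-List Received, SenderAddress, RecipientAddress, Subject, Status, MessageTraceId

    # 2. Per-message events: shows which step acted on the message
    #    (for example a quarantine or junk action) and the recorded detail.
    Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId `
                           -RecipientAddress $t.RecipientAddress `
                           -StartDate $Start -EndDate $End |
        Sort-Object Date |
        Format-Table Date, Event, Detail -Wrap
}

# 3. Quarantine: a message held by policy appears here with the policy that held it.
Get-QuarantineMessage -SenderAddress $Sender -RecipientAddress $Recipient `
                      -StartReceivedDate $Start -EndReceivedDate $End |
    Format-List ReceivedTime, SenderAddress, Subject, Type, PolicyType, PolicyName, Released
```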