Emails from on-prem Exchange in Hybrid Env. stil get filtered despite "Anti-spam inbound policy (Default)" allowed domain

Question

Emails from on-prem Exchange in Hybrid Env. stil get filtered despite "Anti-spam inbound policy (Default)" allowed domain

Dieter Tontsch (GMail) 977

I recently have started migrating our "real" mailboxes from on-prem Exchange 2016 to Exchange Online. Previously I did migrat3e several mailboxes in a test drive scenario, but now I started migrating the real mailboxes, taking mine as first.
Beside lots of other stuff around Windows 365 Defender I figured out, after I did miss several more like system-generated Mails, that these mails all where delivered (that's what my on-prem queue told me). But checking with https://protection.office.com/messagetrace I figured that's all these mails got "FilteredAsSpam" status, and indeed I did find them in my Outlook Junk folder.

Now I have not configured yet any special AntiSpam policies, so I assume the default inbound one is responsible for this. I have no idea what the reason for this action is, I only can assume it is because all these mails come from an internal domain like @keyman .intra address. How c an I tell the exact reason for this action and how can I make sure that Emails from this address or domain do never get classified as spam. But in the same time, in case it is phishing or malware, it still should be detected?
I mean, I can add the domain or sender to the safe senders list from Outlook Junk folder from an user's perspective, but I'd rather like to control this centrally.

And therefor I figured that a good approach might be to add my domain in charge to the Allowed Domains in "Anti-spam inbound policy (Default)". But unfortunately emails from this domain still get caught due to status "FilteredAsSpam", and therefor, according to this Anti-spam inbound policy (Default) rule, such emails are moved to Junk folder, which indeed happens.

Any idea how I can debug why these mails coming from an allowed domain still geht filtered?

kind regards,
Dieter

Answer accepted by question author

4 additional answers

Your answer

Answer 1

Andy David - MVP 159.7K MVP Volunteer Moderator

Well, honestly, in a hybrid environment, you could probably get away with no SPF record for those messages, but that domain is not a valid top level domain.
Best practices in hybrid:

Internal sending domain is set as a valid accepted domain in 365 and on-prem
On-Prem Exch Servers have a valid SPF record for each sending domain

If you dont have that set, then you risk 365 blocking it or marking as SPAM

https://office365itpros.com/2020/07/28/exchange-online-protection-restricts-tenants-sending-unprovisioned-email/

You could try creating a transport rule that sets the SCL to -1 for messages from that domain, but no guarantee that will work

Dieter Tontsch (GMail) 977 Reputation points

2022-04-10T17:14:14.747+00:00

It works with mail flow rule. But what makes me wondering is that it also works now without this rule being enabled. Actually I don't know if it works with that rule or it works now anyway because of the fact that several hours ago I have added mobilex.intra as allowed domain to the default inbound spam filter policy. But during my tests then it didn't work, does that eventually take quite a while until it's propagating, longer then 10 minutes or so?

However, thanks for your great advice again
Cheers, Dieter

Answer 2

T. Kujala 8,796

Hi @Anonymous ,

If you open message events, is there any reason for that?

Dieter Tontsch (GMail) 977 Reputation points

2022-04-10T11:33:56.1+00:00

The FilteredAsSpam Status trace has nothing, the Resolved status trace has the following, but I don't see useful Information here, right?

Answer 3

Andy David - MVP 159.7K MVP Volunteer Moderator

What connector from on-prem are these messages coming through? If through the hybrid connector then they should be trusted.

Dieter Tontsch (GMail) 977 Reputation points

2022-04-10T11:45:43.047+00:00

How do I see that? They definitely come through that domain.mail.onmicrosoft.com remote routing address though
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator

2022-04-10T11:47:14.463+00:00

Do you have only one hybrid connector on-prem? Was it created by the Hybrid Wizard?
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator

2022-04-10T12:27:45.293+00:00

can you post the headers of the messages removing any personal information?
Dieter Tontsch (GMail) 977 Reputation points

2022-04-10T13:00:10.09+00:00

needs to pe pdf attachment , otherwise I can't add it due to char limit etc.

191613-mail-header.pdf

Answer 4

Dieter Tontsch (GMail) 977

yes, I have only one, the one I also use for the migration batches, and yes created by the wizard.

Answer 5

Andy David - MVP 159.7K MVP Volunteer Moderator

Ok, this is not a valid domain:
@mobilex.intra

You can see in the headers:

Received-SPF: None (protection.outlook.com: mobilex.intra does not designate
permitted sender hosts)

The alerts need to come from a valid domain with a SPF record like mobilexag.de

Dieter Tontsch (GMail) 977 Reputation points

2022-04-10T15:41:43.183+00:00

Thanks, I assumed this. But does it not help if I add this domain to the allowed domains in the inbound default policy? Or is there any other possibility to make this work? I mean, I could go and replace sender address everywhere from mobilex.intra to mobilexag.de, that's possible, just would be quite an effort.

And I'd like to know why it does not work with allowed sender? Or is it maybe an option to add the sender's IP as allowed IP? That would be an option too, but I'm afraid this "not designate
permitted sender hosts" issue might be more weighty again, right? In that case it woold mean one cannot work with non-public domains at all in this scenario.

cheers and thank you very much for sharing your knowledge with me several times!
Dieter
Dieter Tontsch (GMail) 977 Reputation points

2022-04-10T17:09:59.76+00:00

Cool, thanks.
The point is once I have created that mail flow rule you suggested, messages @mobilex.intra started getting through, but they get now through also when this rule is disabled. Honestly I am a bit confused. It is true that I also have added this domain to the default incoming spam policy several hours before. But it didn't help at that time. does that take some time, until it gets applied, more then 10 min or so?

However, it works now, and in order to keep it transparent I'd go for the mail flow rule probably.

I am absolutely aware that this mobilex.intra is no good, just we used it within our on-prem world for several system notification "From" addresses, like nas alerts, monitoring etc. Obviously we never used these addresses outside the LAN and not for any reply. But we can change these though.

thanks again for the great advice.

cheers,
Dieter

Share via

Emails from on-prem Exchange in Hybrid Env. stil get filtered despite "Anti-spam inbound policy (Default)" allowed domain

4 additional answers

Your answer