Emails from on-prem Exchange in Hybrid Env. stil get filtered despite "Anti-spam inbound policy (Default)" allowed domain

Dieter Tontsch (GMail) 917 Reputation points

I recently have started migrating our "real" mailboxes from on-prem Exchange 2016 to Exchange Online. Previously I did migrat3e several mailboxes in a test drive scenario, but now I started migrating the real mailboxes, taking mine as first.
Beside lots of other stuff around Windows 365 Defender I figured out, after I did miss several more like system-generated Mails, that these mails all where delivered (that's what my on-prem queue told me). But checking with I figured that's all these mails got "FilteredAsSpam" status, and indeed I did find them in my Outlook Junk folder.

Now I have not configured yet any special AntiSpam policies, so I assume the default inbound one is responsible for this. I have no idea what the reason for this action is, I only can assume it is because all these mails come from an internal domain like @keyman .intra address. How c an I tell the exact reason for this action and how can I make sure that Emails from this address or domain do never get classified as spam. But in the same time, in case it is phishing or malware, it still should be detected?
I mean, I can add the domain or sender to the safe senders list from Outlook Junk folder from an user's perspective, but I'd rather like to control this centrally.

And therefor I figured that a good approach might be to add my domain in charge to the Allowed Domains in "Anti-spam inbound policy (Default)". But unfortunately emails from this domain still get caught due to status "FilteredAsSpam", and therefor, according to this Anti-spam inbound policy (Default) rule, such emails are moved to Junk folder, which indeed happens.



Any idea how I can debug why these mails coming from an allowed domain still geht filtered?

kind regards,

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,358 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,480 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,985 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 144.7K Reputation points MVP

    Well, honestly, in a hybrid environment, you could probably get away with no SPF record for those messages, but that domain is not a valid top level domain.
    Best practices in hybrid:

    1. Internal sending domain is set as a valid accepted domain in 365 and on-prem
    2. On-Prem Exch Servers have a valid SPF record for each sending domain

    If you dont have that set, then you risk 365 blocking it or marking as SPAM

    You could try creating a transport rule that sets the SCL to -1 for messages from that domain, but no guarantee that will work


4 additional answers

Sort by: Most helpful
  1. T. Kujala 8,706 Reputation points

    Hi @Anonymous ,

    If you open message events, is there any reason for that?


  2. Andy David - MVP 144.7K Reputation points MVP

    What connector from on-prem are these messages coming through? If through the hybrid connector then they should be trusted.

  3. Dieter Tontsch (GMail) 917 Reputation points

    yes, I have only one, the one I also use for the migration batches, and yes created by the wizard.

    0 comments No comments

  4. Andy David - MVP 144.7K Reputation points MVP

    Ok, this is not a valid domain:

    You can see in the headers:

    Received-SPF: None ( mobilex.intra does not designate
    permitted sender hosts)

    The alerts need to come from a valid domain with a SPF record like