This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 71%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
I recently have started migrating our "real" mailboxes from on-prem Exchange 2016 to Exchange Online. Previously I did migrat3e several mailboxes in a test drive scenario, but now I started migrating the real mailboxes, taking mine as first.
Beside lots of other stuff around Windows 365 Defender I figured out, after I did miss several more like system-generated Mails, that these mails all where delivered (that's what my on-prem queue told me). But checking with https://protection.office.com/messagetrace I figured that's all these mails got "FilteredAsSpam" status, and indeed I did find them in my Outlook Junk folder.
Now I have not configured yet any special AntiSpam policies, so I assume the default inbound one is responsible for this. I have no idea what the reason for this action is, I only can assume it is because all these mails come from an internal domain like @keyman .intra address. How c an I tell the exact reason for this action and how can I make sure that Emails from this address or domain do never get classified as spam. But in the same time, in case it is phishing or malware, it still should be detected?
I mean, I can add the domain or sender to the safe senders list from Outlook Junk folder from an user's perspective, but I'd rather like to control this centrally.
And therefor I figured that a good approach might be to add my domain in charge to the Allowed Domains in "Anti-spam inbound policy (Default)". But unfortunately emails from this domain still get caught due to status "FilteredAsSpam", and therefor, according to this Anti-spam inbound policy (Default) rule, such emails are moved to Junk folder, which indeed happens.
Any idea how I can debug why these mails coming from an allowed domain still geht filtered?
kind regards,
Dieter
Well, honestly, in a hybrid environment, you could probably get away with no SPF record for those messages, but that domain is not a valid top level domain.
Best practices in hybrid:
If you dont have that set, then you risk 365 blocking it or marking as SPAM
You could try creating a transport rule that sets the SCL to -1 for messages from that domain, but no guarantee that will work
It works with mail flow rule. But what makes me wondering is that it also works now without this rule being enabled. Actually I don't know if it works with that rule or it works now anyway because of the fact that several hours ago I have added mobilex.intra as allowed domain to the default inbound spam filter policy. But during my tests then it didn't work, does that eventually take quite a while until it's propagating, longer then 10 minutes or so?
However, thanks for your great advice again
Cheers, Dieter
The FilteredAsSpam Status trace has nothing, the Resolved status trace has the following, but I don't see useful Information here, right?
What connector from on-prem are these messages coming through? If through the hybrid connector then they should be trusted.
How do I see that? They definitely come through that domain.mail.onmicrosoft.com remote routing address though
Do you have only one hybrid connector on-prem? Was it created by the Hybrid Wizard?
can you post the headers of the messages removing any personal information?
needs to pe pdf attachment , otherwise I can't add it due to char limit etc.
yes, I have only one, the one I also use for the migration batches, and yes created by the wizard.
Ok, this is not a valid domain:
@mobilex.intra
You can see in the headers:
Received-SPF: None (protection.outlook.com: mobilex.intra does not designate
permitted sender hosts)
The alerts need to come from a valid domain with a SPF record like mobilexag.de
Thanks, I assumed this. But does it not help if I add this domain to the allowed domains in the inbound default policy? Or is there any other possibility to make this work? I mean, I could go and replace sender address everywhere from mobilex.intra to mobilexag.de, that's possible, just would be quite an effort.
And I'd like to know why it does not work with allowed sender? Or is it maybe an option to add the sender's IP as allowed IP? That would be an option too, but I'm afraid this "not designate
permitted sender hosts" issue might be more weighty again, right? In that case it woold mean one cannot work with non-public domains at all in this scenario.
cheers and thank you very much for sharing your knowledge with me several times!
Dieter
Cool, thanks.
The point is once I have created that mail flow rule you suggested, messages @mobilex.intra started getting through, but they get now through also when this rule is disabled. Honestly I am a bit confused. It is true that I also have added this domain to the default incoming spam policy several hours before. But it didn't help at that time. does that take some time, until it gets applied, more then 10 min or so?
However, it works now, and in order to keep it transparent I'd go for the mail flow rule probably.
I am absolutely aware that this mobilex.intra is no good, just we used it within our on-prem world for several system notification "From" addresses, like nas alerts, monitoring etc. Obviously we never used these addresses outside the LAN and not for any reply. But we can change these though.
thanks again for the great advice.
cheers,
Dieter
