Office 365 / EOP: All emails Quarantined
Recently I was working on my EOP environment and our emails started going to the spam quarantine. I could not find fix over the internet so thought of sharing how I fixed it.
Environment:
Office 365 – Only for EOP working as anti-spam backbone.
Edge Transport – Exchange 2010
Hub Transport – Exchange 2010/2013
Issue:
All email to all recipient domain are going to quarantine in EOP.
Troubleshooting:
We did the message tracking and found the below screen which shows messaging got quarantine. 
Now we checked the quarantine message header to the see the value of the attribute “X-MS-Exchange-Organization-Rules-Execution-History”
X-MS-Exchange-Organization-Rules-Execution-History attribute shows what are the rules applied on this email.
Now we review the rule which had no problem. This is a basic transport rule which is blocking any outside mail senders from doing the relay and sending it to quarantine.
Now we were concerned to know why will this internal message is being considered external. After discussing this with Microsoft we identified that we need to retain the header in order to consider inside the Organization message.
Resolution: This is a 2 step resolution and both steps should be followed.
- In Office 365: Go to the inbound connector in the Exchange admin center à Mailflow à Connectors of office 365 and go to the properties. Check the checkbox “Retain service headers on transmission” and click save.
2. In On Premises: Create a new remote domain in the organization configuration with the name of recipient or we can edit * remote domain and run the below command from the Exchange management shell.
Set-RemoteDomain –Name NamePropertyOfRemoteDomain –TrustedMailOutboundEnabled $True
TrustedMailOutboundEnabled will keep the header intact and this parameter specifies whether the remote domain is considered a trusted domain. Microsoft recommends that we set this parameter to $true for cross-premises deployment scenarios. By default this will be false.
Now we tested the mail flow and mail started delivering to the remove domain.
Conclusion: We need to intact the header to let the EOP understand this email is inside the organization email or outside the organization.
The header will retain the following attribute value to internal which is required to be considered the email as inside the organization.
X-MS-Exchange-Organization-AuthAs: Internal
Prabhat Nigam
Microsoft Solution Architect | Exchange Server
Team@MSExchangeGuru
October 17th, 2014 at 5:16 am
A google search on “Retain Service Headers on transmission” returns about 6 related results. Bing has none.
We found that checking “Retain Service Headers on transmission” for our inbound/outbound mail flow connectors allowed the approved senders (restricted senders) for shared mailboxes and groups to be honoured for internal senders (senders inside your organisation) or for specified users or members of groups who are allowed senders. Without this setting checked, NDR’s would be returned.
Our need was slightly different to the original post. In our application, it was necessary as we have mail that flows out to a 3rd party cloud service with an on-premise connector. The service performs domain re-writes to work around the 900 domain limitation in Exchange Online and the mail then flows back into EOP/Exchange Online.
I’m actually suprised that this page is the only page on the internet that talks to using this setting for this application.
I’m not sure if system headers are retained if the “partner” type connector is used (that option is greyed out).
October 17th, 2014 at 11:23 am
I think partner is another office 365 host so header is already there and it is within the same org.
For on premise, you have a choice if you wish to retain the header because message is going out of the org.