What causes Exchange Online mail flow problems?

SPF / DKIM / DMARC misconfiguration after vendor change • Hybrid connector certificate expiry • User compromised → tenant marked as suspicious sender by recipient systems • MS365 service incident (always check Service Health first) • Anti-spam policy too aggressive after recent tuning

How do I resolve Exchange Online mail flow problems?

Confirm not a service incident • Identify failure layer (DNS, connector, anti-spam, mailbox rule) • Repair the specific layer • Test bidirectional flow with test mailboxes • Document policy / DNS change in change log

How do I prevent Exchange Online mail flow problems?

DMARC at p=quarantine minimum, monitored for misalignment • Connector certificate expiry monitoring • Anti-spam policy tuning reviewed quarterly • MFA enforced on all mail-enabled accounts to prevent compromise-driven outage

P2 · Exchange & Mail Flow

Exchange Online mail flow problems

Mail not delivering, NDRs, mass quarantine, or hybrid connector failure. The diagnosis runs from envelope sender to mailbox, in order.

Indicators

Outbound NDRs (5.7.1, 5.4.1, 5.7.708)
Inbound legitimate mail going to junk or quarantine
Hybrid connector throwing 'unable to authenticate' errors
DKIM / DMARC failures appearing in headers post-sender-config-change
Recent SPF / MX / connector change preceded the issue

Likely causes

SPF / DKIM / DMARC misconfiguration after vendor change
Hybrid connector certificate expiry
User compromised → tenant marked as suspicious sender by recipient systems
MS365 service incident (always check Service Health first)
Anti-spam policy too aggressive after recent tuning

Diagnostic steps

Check Microsoft 365 Service Health — rule out tenant-wide incident first
Use Message Trace (Exchange admin) — find the actual delivery path and rejection reason
Inspect message headers for SPF/DKIM/DMARC results, anti-spam stamps (X-MS-Exchange-Organization-SCL, X-Forefront-Antispam-Report)
Verify DNS — SPF flat lookup count <10, DKIM selectors present, DMARC valid
For hybrid: test connector with Test-OutboundConnector / Test-MailFlow; check certificate expiry dates
Quarantine review for false positives; sender / domain allow lists scrutinised

Resolution path

Confirm not a service incident
Identify failure layer (DNS, connector, anti-spam, mailbox rule)
Repair the specific layer
Test bidirectional flow with test mailboxes
Document policy / DNS change in change log

Prevention

DMARC at p=quarantine minimum, monitored for misalignment
Connector certificate expiry monitoring
Anti-spam policy tuning reviewed quarterly
MFA enforced on all mail-enabled accounts to prevent compromise-driven outage

Tools

Exchange admin centre — Message Trace, Mail Flow → Connectors
Microsoft 365 Service Health dashboard
MXToolbox / EasyDMARC for external DNS validation
PowerShell ExchangeOnlineManagement: Get-MessageTrace, Test-OutboundConnector
Microsoft Remote Connectivity Analyzer

References

Microsoft Learn — Mail flow and message trace
Microsoft Learn — Exchange hybrid configuration
M3AAWG — Sender best practices

exchange-onlinemail-flowspfdkimdmarcmicrosoft-365