T The Triage ManualTechnical Guides for IT Emergencies
P2 · Exchange & Mail Flow

Email Delivery Failures, NDRs, Junk Misclassification — SPF/DKIM/DMARC, Blacklist, Connector, and Transport Rule Triage (Exchange / Exchange Online)

Outbound and inbound email delivery failures in Exchange Server 2016/2019 and Exchange Online manifest as NDRs with 5.x.x/4.x.x SMTP codes, queue backlogs, delayed delivery, or legitimate messages landing in recipients' junk folders. Root causes span missing or misaligned SPF, DKIM, and DMARC DNS records, sending IP reputation blacklisting, misconfigured Send/Receive connectors, over-aggressive EOP or third-party anti-spam policy, and transport rules silently discarding messages. Diagnosis follows a structured path: message trace → blacklist check → DNS authentication record validation → queue inspection → transport rule audit → NDR code analysis. Remediation targets the specific failure layer and DNS changes may require up to 48 hours to propagate; IP delistings 24–72 hours.

Indicators

Likely causes

Diagnostic steps

  1. Run a message trace to identify exactly where delivery failed. In Microsoft 365: Exchange Admin Center > Mail Flow > Message Trace. In on-premises Exchange, run: Get-MessageTrackingLog -Sender 'sender@domain.com' -ResultSize 100 | Select Timestamp, EventId, Source, MessageSubject, Recipients, RecipientStatus
    Pinpoints the delivery stage at which the message failed (submission, categorisation, routing, delivery) and surfaces SMTP error codes or rejection reasons.
  2. Check the outbound sending IP against public DNS block lists: navigate to https://mxtoolbox.com/blacklists.aspx or https://multirbl.valli.org and enter the public IP of the sending mail server. Also check Microsoft SNDS at https://sendersupport.olc.protection.outlook.com/snds/
    Determines whether the sending IP is blacklisted, which causes external recipients to reject or junk messages regardless of content or authentication.
  3. Validate SPF, DKIM, and DMARC DNS records for the sending domain. Run: nslookup -type=TXT yourdomain.com (SPF and DMARC) and nslookup -type=TXT selector._domainkey.yourdomain.com (DKIM). Or via PowerShell: Resolve-DnsName -Name yourdomain.com -Type TXT; Resolve-DnsName -Name _dmarc.yourdomain.com -Type TXT; Resolve-DnsName -Name 'selector._domainkey.yourdomain.com' -Type TXT
    Identifies missing or broken email authentication records that cause receiving servers to reject or junk messages from the domain.
  4. Review Exchange mail queue status on-premises: Get-Queue | Where-Object {$_.Status -ne 'Ready'} | Select Identity, Status, MessageCount, NextHopDomain, LastError
    Identifies stuck or growing queues and surfaces the last SMTP error encountered when attempting delivery, indicating connector or DNS routing problems.
  5. Inspect transport rules for any that may be silently affecting the affected messages: Get-TransportRule | Select Name, Priority, State, Description | Sort-Object Priority — then review rule conditions for sender/recipient/content matches that could redirect, delete, or reject messages.
    Rules acting on the affected sender, recipient, or message content may be silently discarding or rerouting messages without generating an NDR.
  6. Inspect the raw NDR or bounce message headers. Identify the SMTP diagnostic code (e.g., 550 5.7.1, 5.7.23, 5.7.509, 451 4.7.0) and the reporting MTA hostname. Cross-reference the extended status code against Microsoft's NDR reference: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/non-delivery-reports-in-exchange-online
    The SMTP status code and extended status code directly identify the rejection reason — policy, relay denied, reputation, SPF/DKIM/DMARC authentication failure — and determine the correct resolution path.
  7. Check the Application event log on Exchange servers for transport service errors: Get-EventLog -LogName Application -Source MSExchangeTransport -EntryType Error -Newest 50 | Select TimeGenerated, EventID, Message — or filter Event Viewer on Source = 'MSExchangeTransport'.
    Surfaces Exchange transport service-level errors indicating connector failures, TLS certificate problems, or service crashes contributing to delivery failures.
  8. Review Send and Receive connector configuration: Get-SendConnector | Select Name, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, Enabled and Get-ReceiveConnector | Select Name, Bindings, RemoteIPRanges, AuthMechanism, RequireTLS — compare against expected topology.
    Identifies connector misconfiguration such as incorrect address spaces, missing smart host entries, or TLS requirement mismatches that cause delivery failures.

Resolution path

Prevention

Tools

References

emailexchangeexchange-onlinemicrosoft-365NDRnon-delivery-reportmail-flowsmtpspamjunk-mailSPFDKIMDMARCblacklisttransport-rulesconnectorsEOPdeliverabilitydnsqueuemerge-candidate