On-Premises Relayed Email being marked as Spam in Exchange Online?

Recently, I had worked with a client who had reported all email being sent from their on-premises multi-function devices (MFDs) and line-of business (LoBs) apps via their Exchange Hybrid organization was being marked as Spam and causing a headache for their migrated mailbox users.

Although the client had previously ran the Hybrid Configuration Wizard (HCW) which created the hybrid mail flow connectors between Exchange and Exchange Online, their email was being junked in their Exchange Online mailbox. This was not the case for non-migrated mailbox users.

After doing a small amount or web trawling, I came upon this Exchange Blog article, which really helped me understand the Hybrid mail flow in a lot more detail.

After following the article and checking the Message Header, I had noticed the X-MS-Exchange-Organization-MessageDirectionality header was marked correctly as ‘Originating’, as this had been delivered to Exchange Online Protection from their Exchange Hybrid servers using the tenant’s inbound connector:

However, upon checking the X-MS-Exchange-Organization-AuthAs header, this was showing ‘Anonymous’:

After doing some basic checks on the Exchange receive connectors by running the below cmdlet in Exchange Management Shell:
Get-ReceiveConnector | Select Name, RequireSenderAuthenticationEnabled

I noticed none were showing ‘True’ for ‘RequireSenderAuthenticationEnabled’, which is a likely cause of the message being marked as ‘Anonymous’.

All the receive connectors were configured with ‘RequireSenderAuthenticationEnabled’ using the below Exchange Management Shell cmdlet:
Get-ReceiveConnector | Set-ReceiveConnector -RequireSenderAuthenticationEnabled $True

A small amount of message testing and header checks then ensued and voila! The message headers now show ‘Internal’ and the messages are no longer being marked as Spam and delivered to Junk folders, resulting in a happy client and their mailbox users.

About the author