1. Mail Flow & Routing Troubleshooting

  • Message Trace: The primary diagnostic tool for mail delivery issues. Use the Exchange Admin Center (EAC) for messages within the last 10 days; use Historical Search for up to 90 days.
  • Mail Flow Rules (Transport Rules):
    • Always verify rule execution order (Priority).
    • Ensure “Stop processing more rules” is used deliberately to prevent conflicting actions.
    • Test new rules in “Test with Policy Tips” or “Test without Policy Tips” mode before enforcement.
  • Connectors:
    • Validate inbound/outbound connectors for third-party filtering services (e.g., Mimecast, Proofpoint) or on-premises environments.
    • Check TLS certificate requirements and IP whitelisting.
  • Accepted Domains: Verify authoritative vs. internal relay configurations to prevent routing loops.

2. Recipient Management & Governance

  • Shared Mailboxes:
    • Governance: Do not apply licenses to shared mailboxes unless they exceed 50GB or require a continuous In-Place Archive.
    • Permissions: Distinguish between FullAccess (read/manage) and SendAs / SendOnBehalf rights. Note that FullAccess does not automatically grant sending rights.
    • Automapping: Managed via PowerShell (Add-MailboxPermission -AutoMapping $false if users complain about Outlook client performance issues due to too many shared mailboxes).
  • Group Types:
    • Distribution Lists (DLs): Legacy broadcast communication. Ensure message approval or sender restrictions are applied to large DLs.
    • Microsoft 365 Groups: Modern collaboration (tied to SharePoint/Teams). Enforce naming policies and expiration policies via Entra ID.
  • Resource (Room/Equipment) Mailboxes:
    • Manage automated booking via Set-CalendarProcessing.
    • Configure capacity, booking windows, and delegate approval for restricted rooms.

3. Security, Protection & Authentication

  • Email Authentication Standards:
    • SPF (Sender Policy Framework): Validates outbound sending IPs. Keep DNS lookups under the 10-limit threshold.
    • DKIM (DomainKeys Identified Mail): Cryptographic signing of outbound emails. Ensure CNAME records are published and DKIM is actively enabled in Microsoft 365 Defender.
    • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Policy enforcement (p=none, quarantine, reject). Review DMARC aggregate reports before moving to strict enforcement.
  • Access Control:
    • Verify Basic Authentication is permanently disabled across the tenant.
    • Control client access (e.g., restricting POP/IMAP) via Client Access Rules or CAS Mailbox settings.
  • Protection Policies (EOP & Defender for Office 365):
    • Review Anti-Spam, Anti-Phishing, and Anti-Malware policies.
    • Manage Safe Links and Safe Attachments policies (ensure they do not conflict with third-party security gateways).

4. Hybrid Environment Considerations (Enterprise)

  • Attribute Authority: In an AD-synced environment, Exchange attributes (e.g., proxyAddresses, targetAddress, mailNickname) must be managed on-premises via ADUC or an on-premises Exchange Management Server.
  • Routing in Hybrid: Understand the role of the targetAddress (typically alias@tenant.mail.onmicrosoft.com) for routing mail from on-premises to cloud mailboxes.
  • Cross-Premises Permissions: SendAs and ReceiveAs permissions do not reliably span across on-premises and Exchange Online boundaries; migrations of delegates and shared mailboxes must be batched together.

5. Essential PowerShell Cmdlets (ExchangeOnlineManagement Module)

  • Connection: Connect-ExchangeOnline
  • Diagnostics:
    • Get-MessageTrace -SenderAddress user@domain.com -StartDate (Get-Date).AddDays(-2)
  • Permissions:
    • Get-MailboxPermission -Identity "Shared Mailbox"
    • Add-RecipientPermission -Identity "Mailbox" -Trustee "User" -AccessRights SendAs
  • Mailbox Configuration:
    • Set-Mailbox -Identity user@domain.com -HiddenFromAddressListsEnabled $true
    • Set-CASMailbox -Identity user@domain.com -ImapEnabled $false -PopEnabled $false