1. Exchange Online Mail Flow Architecture

Understanding the sequence of connectors and filtering layers is critical for troubleshooting delivery and security.

  • Inbound Connectors: The entry point for mail arriving from third-party security gateways (e.g., Mimecast) or on-premises Exchange servers in a hybrid configuration. These rely on TLS certificate validation or IP whitelisting to establish trust.
  • Tenant Edge / EOP: The primary hygiene layer where Connection Filtering (IP reputation), Directory Based Edge Blocking (DBEB), and basic Anti-Malware/Anti-Spam scanning occur. Even with an Inbound Connector, EOP will still scan for Malware and High-Confidence Phishing. These are considered “non-negotiable” by Microsoft.
  • Exchange Transport Rules (ETRs): Custom logic applied after initial hygiene. These rules fire in priority order and can be used for custom routing, disclaimer injection, or bypassing further scanning for trusted internal flows.
  • Microsoft Defender for Office 365 (MDO): The advanced protection layer including Safe Attachments (sandboxing) and Safe Links (time-of-click verification). This layer also manages Zero-hour Auto Purge (ZAP) to remediate threats post-delivery.
  • Outbound Connectors: The exit point for mail leaving the tenant destined for specific third-party gateways or on-premises environments. These ensure mail is routed through the correct smarthost rather than directly to the public internet. If the mail returns from the outbound service (e.g., an email signature service), it is treated as a new inbound connection at the edge.
  • Mailbox Layer: The final delivery point where SCL-based Junk Email filtering and user-defined Inbox Rules are processed.
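Added example (not part of these notes): a PowerShell function that walks the layers above in the order mail traverses them, using ExchangeOnlineManagement cmdlets, so the connector, filter and rule configuration at each stage can be compared against the description. It assumes an existing Connect-ExchangeOnline session; the function name and the two warning checks at the end are this example's own.

```powershell
# Added example: enumerate each layer of the Exchange Online mail flow chain.
# Assumes Connect-ExchangeOnline has already been run. The Safe Attachments /
# Safe Links cmdlets need a Defender for Office 365 license and are skipped
# silently where that is absent.

function Get-MailFlowLayerReport {
    [CmdletBinding()]
    param()

    # Layer 1: Inbound connectors - how trust is established (TLS cert name vs. IP list)
    $inbound = Get-InboundConnector | Select-Object Name, Enabled, ConnectorType,
        RequireTls, TlsSenderCertificateName, SenderIPAddresses,
        RestrictDomainsToCertificate, RestrictDomainsToIPAddresses, TreatMessagesAsInternal

    # Layer 2: EOP connection filtering - IP allow/block lists applied at the tenant edge
    $connFilter = Get-HostedConnectionFilterPolicy |
        Select-Object Name, IPAllowList, IPBlockList, EnableSafeList

    # Layer 3: Transport rules in firing order (lower Priority fires first),
    # including whether each one stops further rule processing
    $rules = Get-TransportRule | Sort-Object Priority |
        Select-Object Priority, Name, State, Mode, StopRuleProcessing

    # Layer 4: Defender for Office 365 policies (Safe Attachments / Safe Links)
    $safeAttach = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue |
        Select-Object Name, Enable, Action, Redirect
    $safeLinks  = Get-SafeLinksPolicy -ErrorAction SilentlyContinue |
        Select-Object Name, EnableSafeLinksForEmail, TrackClicks

    # Layer 5: Outbound connectors - where outgoing mail is handed off (smarthost vs. MX)
    $outbound = Get-OutboundConnector | Select-Object Name, Enabled, ConnectorType,
        SmartHosts, UseMXRecord, TlsSettings, TlsDomain, RecipientDomains, IsTransportRuleScoped

    [pscustomobject]@{
        InboundConnectors  = $inbound
        ConnectionFilter   = $connFilter
        TransportRules     = $rules
        SafeAttachments    = $safeAttach
        SafeLinks          = $safeLinks
        OutboundConnectors = $outbound
    }
}

$report = Get-MailFlowLayerReport
$report.InboundConnectors  | Format-Table -AutoSize
$report.TransportRules     | Format-Table -AutoSize
$report.OutboundConnectors | Format-Table -AutoSize

# Two checks worth running on the output:
# - an inbound connector that trusts SenderIPAddresses but does not require TLS
#   has a trust boundary that is only as good as the IP list itself
$report.InboundConnectors | Where-Object { $_.SenderIPAddresses -and -not $_.RequireTls } |
    ForEach-Object { Write-Warning "Inbound connector '$($_.Name)' trusts IPs without requiring TLS" }
# - a rule with StopRuleProcessing $true hides every lower-priority rule from matching mail
$report.TransportRules | Where-Object StopRuleProcessing |
    ForEach-Object { Write-Warning "Rule '$($_.Name)' (priority $($_.Priority)) stops processing of later rules" }
```

The Mode column on the transport rules shows Audit, AuditAndNotify or Enforce, which is what the EAC labels "Test without Policy Tips", "Test with Policy Tips" and "Enforce".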

2. Mail Flow & Routing Troubleshooting

  • Message Trace: The primary diagnostic tool for mail delivery issues. Use the Exchange Admin Center (EAC) for messages within the last 10 days; use Historical Search for up to 90 days.
  • Mail Flow Rules (Transport Rules):
    • Always verify rule execution order (Priority).
    • Ensure “Stop processing more rules” is used deliberately to prevent conflicting actions.
    • Test new rules in “Test with Policy Tips” or “Test without Policy Tips” mode before enforcement.
  • Connectors:
    • Validate inbound/outbound connectors for third-party filtering services or on-premises environments.
    • Check TLS certificate requirements and IP whitelisting.
  • Accepted Domains: Verify authoritative vs. internal relay configurations to prevent routing loops.
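Added example (not part of these notes): a PowerShell function that runs a message trace and then pulls the per-recipient event detail, so the hop where a message was filtered, redirected or acted on by a rule is visible rather than only the final Status. It assumes a Connect-ExchangeOnline session; the function name and the sender/recipient addresses are placeholders of this example.

```powershell
# Added example: trace a message end to end in Exchange Online.
# Get-MessageTrace covers the last 10 days; anything older needs Historical Search.

function Get-MessageDeliveryStory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        [Parameter(Mandatory)][string]$RecipientAddress,
        [datetime]$StartDate = (Get-Date).AddDays(-2),   # default window: last 48 hours
        [datetime]$EndDate   = (Get-Date)
    )

    $traces = Get-MessageTrace -SenderAddress $SenderAddress -RecipientAddress $RecipientAddress `
        -StartDate $StartDate -EndDate $EndDate -PageSize 100

    if (-not $traces) {
        Write-Warning "No trace rows found; messages older than 10 days need Start-HistoricalSearch (up to 90 days)."
        return
    }

    foreach ($t in $traces) {
        Write-Host ("{0:u}  {1} -> {2}  [{3}]  {4}" -f $t.Received, $t.SenderAddress, $t.RecipientAddress, $t.Status, $t.Subject)

        # Detail events show each hop: Receive, Transport rule, Spam, Malware, Deliver, Fail ...
        Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId -RecipientAddress $t.RecipientAddress |
            Sort-Object Date |
            ForEach-Object {
                Write-Host ("    {0:HH:mm:ss}  {1,-16} {2}" -f $_.Date, $_.Event, $_.Detail)
                # A 'Transport rule' event names the rule that fired; if delivery ended
                # here, check that rule's Priority and StopRuleProcessing setting.
                if ($_.Event -eq 'Transport rule' -and $_.Action) {
                    Write-Host ("              action: {0}" -f $_.Action)
                }
            }
    }
}

# Usage with placeholder addresses
Get-MessageDeliveryStory -SenderAddress 'sender@partner.example' -RecipientAddress 'user@contoso.example'

# Accepted-domain review for routing loops: an InternalRelay domain relies on an
# outbound connector route for recipients that do not exist in the tenant.
Get-AcceptedDomain | Select-Object DomainName, DomainType, Default | Format-Table -AutoSize
```

When creating or changing a rule from PowerShell, New-TransportRule and Set-TransportRule take -Mode Audit (the EAC's "Test without Policy Tips"), AuditAndNotify ("Test with Policy Tips") or Enforce.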

3. Recipient Management & Governance

  • Shared Mailboxes:
    • Governance: Do not apply licenses to shared mailboxes unless they exceed 50GB or require a continuous In-Place Archive.
    • Permissions: Distinguish between FullAccess (read/manage) and SendAs / SendOnBehalf rights. Note that FullAccess does not automatically grant sending rights.
    • Automapping: Managed via PowerShell; grant access with Add-MailboxPermission -AutoMapping $false if users report Outlook client performance issues.
  • Group Types:
    • Distribution Lists (DLs): Legacy broadcast communication. Ensure message approval or sender restrictions are applied to large DLs.
    • Microsoft 365 Groups: Modern collaboration tied to SharePoint and Teams. Enforce naming and expiration policies via Entra ID.
  • Resource Mailboxes: Manage automated booking via Set-CalendarProcessing and configure booking windows and delegate approval.
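Added example (not part of these notes): PowerShell that applies the shared mailbox guidance above (FullAccess without automapping, SendAs or SendOnBehalf granted separately), reports shared mailboxes that have crossed the 50 GB or archive threshold where a license becomes necessary, and sets a resource mailbox booking policy. It assumes a Connect-ExchangeOnline session; the function names and all mailbox and user addresses are placeholders of this example.

```powershell
# Added example: shared mailbox permissions, licensing check and resource booking.

function Grant-SharedMailboxAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SharedMailbox,
        [Parameter(Mandatory)][string]$User,
        [switch]$SendAs,          # FullAccess alone does not permit sending as the mailbox
        [switch]$SendOnBehalf,    # alternative: messages show "on behalf of" the shared mailbox
        [switch]$AutoMap          # off by default; automapped mailboxes are opened by every Outlook client
    )
    if ($PSCmdlet.ShouldProcess($SharedMailbox, "grant FullAccess to $User")) {
        Add-MailboxPermission -Identity $SharedMailbox -User $User -AccessRights FullAccess `
            -InheritanceType All -AutoMapping:$AutoMap.IsPresent | Out-Null
    }
    if ($SendAs -and $PSCmdlet.ShouldProcess($SharedMailbox, "grant SendAs to $User")) {
        Add-RecipientPermission -Identity $SharedMailbox -Trustee $User -AccessRights SendAs -Confirm:$false | Out-Null
    }
    if ($SendOnBehalf -and $PSCmdlet.ShouldProcess($SharedMailbox, "grant SendOnBehalf to $User")) {
        Set-Mailbox -Identity $SharedMailbox -GrantSendOnBehalfTo @{ Add = $User }
    }
}

function Get-SharedMailboxLicenseCandidates {
    # Shared mailboxes over 50 GB, or with an In-Place Archive active, need a license.
    $limitBytes = 50GB
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
        $stats = Get-MailboxStatistics -Identity $_.Identity
        # TotalItemSize renders as "1.2 GB (1,288,490,188 bytes)"; extract the byte count
        $bytes = [int64](("$($stats.TotalItemSize)" -replace '.*\(([\d,]+) bytes\).*', '$1') -replace ',', '')
        [pscustomobject]@{
            Mailbox        = $_.PrimarySmtpAddress
            SizeGB         = [math]::Round($bytes / 1GB, 2)
            ArchiveEnabled = ($_.ArchiveStatus -eq 'Active')
            NeedsLicense   = ($bytes -gt $limitBytes) -or ($_.ArchiveStatus -eq 'Active')
        }
    } | Where-Object NeedsLicense
}

# Usage (placeholders): read/manage plus SendAs for a delegate, no automapping
Grant-SharedMailboxAccess -SharedMailbox 'helpdesk@contoso.example' -User 'alice@contoso.example' -SendAs
Get-SharedMailboxLicenseCandidates | Format-Table -AutoSize

# Resource mailbox: auto-accept in-policy requests, send out-of-policy requests to a
# delegate for approval, and limit how far ahead the room can be booked.
Set-CalendarProcessing -Identity 'room-101@contoso.example' -AutomateProcessing AutoAccept `
    -BookingWindowInDays 180 -AllBookInPolicy $true -AllRequestOutOfPolicy $true `
    -ResourceDelegates 'facilities@contoso.example' -ForwardRequestsToDelegates $true
```

Grant-SharedMailboxAccess supports -WhatIf, so the permission changes can be previewed before they are applied.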

4. Security, Protection & Authentication

  • Email Authentication Standards:
    • SPF (Sender Policy Framework): Validates outbound sending IPs. Keep the record within the 10-DNS-lookup limit.
    • DKIM (DomainKeys Identified Mail): Cryptographic signing of outbound emails. Ensure CNAME records are published and DKIM is enabled in Defender.
    • DMARC: Policy enforcement (p=none, p=quarantine, p=reject). Review aggregate reports before moving to strict enforcement.
  • Access Control:
    • Verify Basic Authentication is permanently disabled across the tenant.
    • Control client access (e.g., POP/IMAP) via Client Access Rules or CAS Mailbox settings.
  • Protection Policies: Review Anti-Spam, Anti-Phishing, and Anti-Malware policies and manage Safe Links and Safe Attachments.
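Added example (not part of these notes): a PowerShell check of the three authentication records above, straight from DNS. It counts the SPF mechanisms that cost a DNS lookup, following include: and redirect= into the referenced domains so the 10-lookup limit is measured the way a receiver evaluates it, compares the published DKIM CNAMEs with the targets Exchange Online expects, and reads the DMARC policy tag. It uses Resolve-DnsName (Windows DnsClient module) and Get-DkimSigningConfig from a Connect-ExchangeOnline session; the function names and 'contoso.example' are placeholders of this example.

```powershell
# Added example: validate SPF, DKIM and DMARC for a domain.

function Get-TxtRecord {
    param([Parameter(Mandatory)][string]$Name, [string]$Prefix)
    # TXT data longer than 255 bytes arrives as several strings; join them back together
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { -not $Prefix -or $_ -like "$Prefix*" } |
        Select-Object -First 1
}

function Get-SpfLookupCount {
    # Counts lookup-costing mechanisms (include, a, mx, ptr, exists, redirect) and
    # recurses into include/redirect targets, since the 10-lookup limit applies to
    # the whole evaluation, not only the top-level record.
    param([Parameter(Mandatory)][string]$Domain, [int]$Depth = 0)
    if ($Depth -gt 10) { return 0 }                      # guard against include loops
    $spf = Get-TxtRecord -Name $Domain -Prefix 'v=spf1'
    if (-not $spf) { Write-Warning "$Domain has no SPF record"; return 0 }
    $count = 0
    foreach ($term in ($spf -split '\s+' | Select-Object -Skip 1)) {
        $t = $term.TrimStart('+', '-', '~', '?')         # strip the qualifier
        if ($t -match '^(include:|redirect=)(.+)$') {
            $count += 1 + (Get-SpfLookupCount -Domain $Matches[2] -Depth ($Depth + 1))
        }
        elseif ($t -match '^(a|mx)(:|/|$)' -or $t -match '^(ptr|exists:)') {
            $count++
        }
    }
    return $count
}

function Test-EmailAuthentication {
    param([Parameter(Mandatory)][string]$Domain)

    $spf     = Get-TxtRecord -Name $Domain -Prefix 'v=spf1'
    $lookups = Get-SpfLookupCount -Domain $Domain

    # DKIM: Exchange Online publishes the expected CNAME targets; DNS must point at them
    $dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    $selectorOk = @{}
    foreach ($sel in 'selector1', 'selector2') {
        $expected  = [string]$(if ($sel -eq 'selector1') { $dkim.Selector1CNAME } else { $dkim.Selector2CNAME })
        $published = [string]((Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' }).NameHost)
        $selectorOk[$sel] = ($published -and $expected -and ($published.TrimEnd('.') -ieq $expected.TrimEnd('.')))
    }

    # DMARC: policy tag (p=, not the subdomain sp= tag) and aggregate-report address
    $dmarc  = Get-TxtRecord -Name "_dmarc.$Domain" -Prefix 'v=DMARC1'
    $policy = if ($dmarc -match '(?:^|;)\s*p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    $rua    = if ($dmarc -match 'rua=([^;\s]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Domain            = $Domain
        SpfRecord         = $spf
        SpfLookups        = $lookups
        SpfWithinLimit    = ($lookups -le 10)
        DkimEnabledInEXO  = [bool]$dkim.Enabled
        DkimSelector1OK   = $selectorOk['selector1']
        DkimSelector2OK   = $selectorOk['selector2']
        DmarcPolicy       = $policy
        DmarcAggregateRua = $rua
    }
}

Test-EmailAuthentication -Domain 'contoso.example' | Format-List
```

A DmarcPolicy of none with a populated DmarcAggregateRua is the expected state while aggregate reports are being reviewed; SpfWithinLimit false means SPF evaluation will return permerror at receivers that enforce the limit.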

5. Hybrid Environment Considerations (Enterprise)

  • Attribute Authority: In an AD-synced environment, Exchange attributes must be managed on-premises via ADUC or an Exchange Management Server.
  • Routing in Hybrid: Understand the role of the targetAddress (typically alias@tenant.mail.onmicrosoft.com) for routing mail from on-premises to cloud mailboxes.
  • Cross-Premises Permissions: SendAs and ReceiveAs permissions do not reliably span the on-premises and Exchange Online boundary; delegates and shared mailboxes must be migrated together in the same batch.
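Added example (not part of these notes): a PowerShell check for the routing requirement above. A cloud mailbox must carry a proxy address in the tenant's coexistence domain (the *.mail.onmicrosoft.com accepted domain) for the on-premises targetAddress to resolve; the function lists mailboxes that lack one. It assumes a Connect-ExchangeOnline session, and the on-premises counterpart at the end runs in the Exchange Management Shell instead. The function name and the <tenant> placeholder are this example's own.

```powershell
# Added example: find cloud mailboxes missing the hybrid routing address.

function Get-HybridRoutingGaps {
    [CmdletBinding()]
    param()

    # The coexistence domain is the accepted domain of the form <tenant>.mail.onmicrosoft.com
    $coexDomain = (Get-AcceptedDomain |
        Where-Object { $_.DomainName -like '*.mail.onmicrosoft.com' } |
        Select-Object -First 1).DomainName
    if (-not $coexDomain) { throw "No *.mail.onmicrosoft.com accepted domain found; hybrid may not be configured." }

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        # EmailAddresses holds proxy addresses as 'SMTP:' (primary) / 'smtp:' (secondary);
        # -match is case-insensitive, so both forms are covered
        $routing = $_.EmailAddresses | Where-Object { $_ -match "^smtp:.+@$([regex]::Escape($coexDomain))$" }
        if (-not $routing) {
            [pscustomobject]@{
                Mailbox        = $_.PrimarySmtpAddress
                ExpectedSuffix = "@$coexDomain"
                Note           = 'missing routing proxy address; on-prem targetAddress will not resolve'
            }
        }
    }
}

Get-HybridRoutingGaps | Format-Table -AutoSize

# On-premises counterpart (Exchange Management Shell, not the EXO module): list remote
# mailboxes whose routing address does not point at the coexistence domain.
# Replace <tenant> with the tenant name.
#   Get-RemoteMailbox -ResultSize Unlimited |
#       Where-Object { $_.RemoteRoutingAddress -notlike '*@<tenant>.mail.onmicrosoft.com' } |
#       Select-Object Name, PrimarySmtpAddress, RemoteRoutingAddress
```

Mailboxes in the output are normally fixed on-premises (the attribute authority), by letting the email address policy re-apply or by adding the proxy address in ADUC, and then waiting for directory synchronization.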

6. Essential PowerShell Cmdlets (ExchangeOnlineManagement Module)

  • Connection: Connect-ExchangeOnline
  • Diagnostics: Get-MessageTrace -SenderAddress user@domain.com -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date)
  • Permissions:
    • Get-MailboxPermission -Identity "Shared Mailbox"
    • Add-RecipientPermission -Identity "Mailbox" -Trustee "User" -AccessRights SendAs
  • Mailbox Configuration:
    • Set-Mailbox -Identity user@domain.com -HiddenFromAddressListsEnabled $true
    • Set-CASMailbox -Identity user@domain.com -ImapEnabled $false -PopEnabled $false
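Added example (not part of these notes): a PowerShell audit that combines the Access Control items in section 4 with the Set-CASMailbox usage here. It reports the tenant-level SMTP AUTH setting and the default authentication policy's Basic Authentication flags, then lists mailboxes with POP, IMAP or a per-mailbox SMTP AUTH override still enabled, and optionally closes them. It assumes a Connect-ExchangeOnline session with Exchange Administrator rights; the function name and the -Remediate switch are this example's own.

```powershell
# Added example: audit and close legacy client access per mailbox.

function Get-LegacyClientAccessReport {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Tenant level: SMTP AUTH default and the authentication policy applied by default
    $transport = Get-TransportConfig
    $orgConfig = Get-OrganizationConfig
    $policy    = if ($orgConfig.DefaultAuthenticationPolicy) {
        Get-AuthenticationPolicy -Identity $orgConfig.DefaultAuthenticationPolicy
    }
    [pscustomobject]@{
        SmtpClientAuthDisabledTenantWide = $transport.SmtpClientAuthenticationDisabled
        DefaultAuthPolicy                = $orgConfig.DefaultAuthenticationPolicy
        PolicyAllowsBasicPop             = $(if ($policy) { $policy.AllowBasicAuthPop }  else { 'no policy' })
        PolicyAllowsBasicImap            = $(if ($policy) { $policy.AllowBasicAuthImap } else { 'no policy' })
        PolicyAllowsBasicSmtp            = $(if ($policy) { $policy.AllowBasicAuthSmtp } else { 'no policy' })
    } | Format-List

    # Per mailbox: SmtpClientAuthenticationDisabled is $null (inherit tenant), $true or
    # $false; an explicit $false overrides a tenant-wide disable for that mailbox
    $exposed = Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.PopEnabled -or $_.ImapEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false) } |
        Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

    if ($Remediate) {
        foreach ($m in $exposed) {
            # Turn POP/IMAP off and let SMTP AUTH inherit the tenant setting again
            Set-CASMailbox -Identity $m.Identity -PopEnabled $false -ImapEnabled $false `
                -SmtpClientAuthenticationDisabled $null
        }
    }
    return $exposed
}

# Report only; rerun with -Remediate once the list has been reviewed
Get-LegacyClientAccessReport | Format-Table -AutoSize
```

Review the list before remediating: a mailbox used by a scanner or line-of-business application may rely on SMTP AUTH, and its owner needs to be moved to a supported submission method before the override is removed.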