Determine where a message leaves an Office 365 tenant


When troubleshooting mail flow it is often important to determine where a message is handed off from a partner to your Office 365 tenant, or from your Office 365 tenant to a partner. This is easy to see in a message header, just look for the receiving host with the domain mail.protection.outlook.com, as this will indicate Office 365 servers.

But what if your partner is also an Office 365 tenant, then how can we tell when a message left their tenant and entered yours, or vice versa? If troubleshooting a mail delay, this is crucial information as this will let us know which tenant is experiencing the delay.

Example 1 – Inbound mail from a partner not using Office 365

In this scenario it is extremely easy to see when the handoff was made from the partner server to our Office 365 tenant. Let’s look at a header to see this.


 
I'll pull out the highlighted line so it's easier to see.

Received: from BLU004-OMC2S37.hotmail.com (xx.xx.xx.xx) by
BN1BFFO11FD014.mail.protection.outlook.com (xx.xx.xx.xx) with Microsoft SMTP
Server (TLS) id 15.1.99.6 via Frontend Transport; Fri, 27 Feb 2015 20:49:35
+0000

We can easily see that this is the hop where Hotmail handed the message to our Office 365 tenant.

Example 2 – Inbound mail from a partner using Office 365

In this example, a message has arrived at our Office 365 tenant from a partner who also uses Office 365 to send mail. Because of this, every server is on the outlook.com domain (some being mail.protection.outlook.com, and others being prod.outlook.com). Luckily, it’s actually quite easy to tell when the message leaves our partners EOP tenant and enters our own EOP tenant.

As I did above, I’ve pulled out the line that I’ve highlighted so it's easier to see.

Received: from na01-bn1-OBE.outbound.protection.outlook.com (xx.xx.xx.xx)
by BY2FFO11FD017.mail.protection.outlook.com (xx.xx.xx.xx) with Microsoft
SMTP Server (TLS) id 15.1.99.6 via Frontend Transport; Fri, 27 Feb 2015
20:53:17 +0000

Look for the server whose name ends with OBE, which stands for Outbound Edge. When mail leaves an Office 365 tenant, it leaves from our OBE servers. This is true regardless of where the message is being sent. This is the secret, look for OBE in the Receive headers, and that will show you when the message left an EOP tenant.

Resources

The screenshots in this article were taken from the Microsoft Message Analyzer (select the Messagse Analyzer tab). This tool is great not only because it makes message headers more readable, but it will also provide links to TechNet articles relating to the various headers that it finds.


Comments (2)

  1. turbomcp says:

    great stuff
    Thanks

  2. JeffC86 says:

    Is there a way to determine if a message that left Office365 used TLS in communicating with the receiving MTA?

Skip to main content