ON PREM Outbound emails showing in dummy non-configured office 365 account message flow trace

Dear Community,

We have an on-prem exchange 2013 server and an office 365 account which is completely standalone.

Whilst the office 365 account is standalone, it does feature the email address we use for on-prem (i.e. the domain name in office 365 account is not active for any office 365 services however has passed ownership verification thus it's just sitting there)

We DON'T use EOP nor do we have any connector rules on our on-prem system that go to office 365 however when I randomly went into the 'Message Flow Trace' section in our office 365 account, there is recorded outbound mail which was sent from our On-prem server.

The ONLY mail that was recorded in the message Trace in Office 365 was emails we had sent from On-prem to other office 365 accounts (For example btconnect.com, and some of our clients who also use office 365).

How is office 365 picking up mail we've sent from our On-Prem server? Is there integration out of the box in exchange 2013 which auto interfaces with office 365? What on earth has happened here?

I'm really confused.

-------- For troubleshooting purposes...

Headers in the email which arrived in my personal office 365 account from the ON-PREM SERVER

Received: from AMSPR05MB065.eurprd05.prod.outlook.com (10.242.89.142) by
    DBXPR05MB079.eurprd05.prod.outlook.com (10.242.138.22) with Microsoft SMTP
    Server (TLS) id 15.1.93.16 via Mailbox Transport; Thu, 5 Mar 2015 16:16:31
    +0000
Received: from DBXPR05CA0014.eurprd05.prod.outlook.com (10.255.178.14) by
    AMSPR05MB065.eurprd05.prod.outlook.com (10.242.89.142) with Microsoft SMTP
    Server (TLS) id 15.1.99.14; Thu, 5 Mar 2015 16:16:30 +0000
Received: from DB3FFO11FD028.protection.gbl (2a01:111:f400:7e04::145) by
    DBXPR05CA0014.outlook.office365.com (2a01:111:e400:9434::14) with Microsoft
    SMTP Server (TLS) id 15.1.106.15 via Frontend Transport; Thu, 5 Mar 2015
    16:16:29 +0000
Received: from emea01-am1-obe.outbound.protection.outlook.com (157.56.112.128)
    by DB3FFO11FD028.mail.protection.outlook.com (10.47.217.59) with Microsoft
    SMTP Server (TLS) id 15.1.99.6 via Frontend Transport; Thu, 5 Mar 2015
    16:16:28 +0000
Received: from DB4PR04CA0010.eurprd04.prod.outlook.com (25.160.41.20) by
    DB3PR04MB236.eurprd04.prod.outlook.com (10.242.130.24) with Microsoft SMTP
    Server (TLS) id 15.1.99.14; Thu, 5 Mar 2015 16:16:26 +0000
Received: from DB3FFO11FD040.protection.gbl (2a01:111:f400:7e04::184) by
    DB4PR04CA0010.outlook.office365.com (2a01:111:e400:9852::20) with Microsoft
    SMTP Server (TLS) id 15.1.106.15 via Frontend Transport; Thu, 5 Mar 2015
    16:16:26 +0000
Received: from mail.localdomainhere (<IP OF OUR ON-PREM SERVER GOES HERE>) by
    DB3FFO11FD040.mail.protection.outlook.com (10.47.217.71) with Microsoft SMTP
    Server (TLS) id 15.1.99.6 via Frontend Transport; Thu, 5 Mar 2015 16:16:25
    +0000
Received: from INT-EX-01.localdomainhere (192.168.142.20) by
    INT-EX-01.localdomainhere (192.168.142.20) with Microsoft SMTP Server (TLS) id
    15.0.913.22; Thu, 5 Mar 2015 16:15:55 +0000
Received: from INT-EX-01.localdomainhere ([fe80::aca4:88cf:3eaf:57dc]) by
    INT-EX-01.localdomainhere ([fe80::aca4:88cf:3eaf:57dc%12]) with mapi id
    15.00.0913.011; Thu, 5 Mar 2015 16:15:55 +0000

From: Jake Ives <Jake.Ives@domain.com>
To: Jake Ives <jake@ives.gb.net>
Subject: Test01
Thread-Topic: Test01
Thread-Index: AdBXX6dyI5u99OGoSKmXroKKyMA3Tg==
Date: Thu, 5 Mar 2015 16:15:54 +0000
Message-ID: <081f834d85b7436193fa887613b9dac7@INT-EX-01.localdomainhere>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.142.73]
Content-Type: multipart/related;
    boundary="_004_081f834d85b7436193fa887613b9dac7INTEX01localdomainhere_";
    type="multipart/alternative"
MIME-Version: 1.0
Return-Path: jake.ives@domain.com
X-EOPAttributedMessage: 1
Received-SPF: Pass (protection.outlook.com: domain of domain.com
    designates <IP OF ONPREM SERVER HERE> as permitted sender)
    receiver=protection.outlook.com; client-ip=<IP OF OUR ON-PREM SERVER GOES HERE;
    helo=mail.domain.co.uk;
Authentication-Results: spf=pass (sender IP is <IP OF OUR ON-PREM SERVER GOES HERE>)
    smtp.mailfrom=Jake.Ives@DOMAIN.co.uk; ives.gb.net; dkim=none (message not
    signed) header.d=none;ives.gb.net; dkim=none (message not signed)
    header.d=none;ives.gb.net; dmarc=none action=none header.from=domain.com;

X-Forefront-Antispam-Report-Untrusted: CIP:<IP OF ON PREM SERVER HERE>;CTRY:GB;IPV:NLI;EFV:NLI;BMV:0;SFV:NSPM;SFS:(10019020)(438002)(189002)(199003)(71364002)(87936001)(2656002)(98436002)(92726002)(102836002)(108616004)(19625215002)(19618635001)(512954002)(92566002)(229853001)(107886001)(66926002)(18206015028)(84326002)(16796002)(19300405004)(450100001)(19580395003)(2900100001)(77156002)(15974865002)(62966003)(5250100002)(5310100001)(99936001)(15395725005)(16236675004)(110136001)(17760045003)(67866002)(86362001)(19617315012)(19627595001)(15975445007)(19580405001)(54356999)(22756005)(50986999)(6806004)(46102003)(74482002)(106466001)(33646002)(7099025)(24736002)(15669805003);DIR:OUT;SFP:1102;SCL:1;SRVR:DB3PR04MB236;H:mail.domain.co.uk;FPR:;SPF:Pass;MLV:ovrnspm;MX:1;A:1;PTR:mail.domain.co.uk;LANG:en;

X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB3PR04MB236;UriScan:;BCL:0;PCL:0;RULEID:;SRVR:AMSPR05MB065;

X-Microsoft-Antispam-PRVS: <DB3PR04MB2361563F5226475182B0CCD8C1F0@DB3PR04MB236.eurprd04.prod.outlook.com>

X-Exchange-Antispam-Report-Test: UriScan:;UriScan:;

X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(5001007)(5005006);SRVR:DB3PR04MB236;BCL:0;PCL:0;RULEID:;SRVR:DB3PR04MB236;BCL:0;PCL:0;RULEID:(601004);SRVR:AMSPR05MB065;BCL:0;PCL:0;RULEID:;SRVR:AMSPR05MB065;

X-Forefront-PRVS: 05066DEDBB

X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3PR04MB236

X-MS-Exchange-Organization-MessageDirectionality: Incoming

Received-SPF: Fail (protection.outlook.com: domain of domain.com does not
    designate 157.56.112.128 as permitted sender)
    receiver=protection.outlook.com; client-ip=157.56.112.128;
    helo=emea01-am1-obe.outbound.protection.outlook.com;
Authentication-Results: spf=fail (sender IP is 157.56.112.128)
    smtp.mailfrom=jake.ives@DOMAIN.co.uk;

X-Forefront-Antispam-Report: CIP:157.56.112.128;CTRY:US;IPV:NLI;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(339900001)(489007)(189002)(71364002)(199003)(102836002)(92726002)(15975445007)(92566002)(17760045003)(62966003)(106466001)(15395725005)(16236675004)(77156002)(110136001)(107886001)(450100001)(5310100001)(229853001)(22756005)(98436002)(2900100001)(5250100002)(19625215002)(66926002)(99936001)(33646002)(15974865002)(19617315012)(19627595001)(67866002)(54356999)(108616004)(19300405004)(19618635001)(87836001)(2656002)(18206015028)(85426001)(512954002)(86362001)(6806004)(46102003)(74482002)(84326002)(19580395003)(50986999)(19580405001)(7099025)(24736002)(15669805003);DIR:INB;SFP:;SCL:1;SRVR:AMSPR05MB065;H:emea01-am1-obe.outbound.protection.outlook.com;FPR:;SPF:Fail;MLV:ovrnspm;MX:1;A:1;PTR:mail-am1on0128.outbound.protection.outlook.com;LANG:en;

X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB3FFO11FD028.protection.gbl

X-MS-Exchange-Transport-CrossTenantHeadersPromoted: DB3FFO11FD028.protection.gbl

X-MS-Exchange-Organization-Network-Message-Id: 927151e3-02c4-4c46-5539-08d22576df82

X-MS-Exchange-Organization-AVStamp-Service: 1.0

X-MS-Exchange-Organization-SCL: 1

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Mar 2015 16:16:28.9728 (UTC)

X-MS-Exchange-CrossTenant-Id: cd52bfe2-da2e-446d-b8f1-e78db861d489

X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bfa61dad-1543-4f3b-8075-03498e9f4fcb;Ip=[IP OF ON PREM SERVER HERE]

X-MS-Exchange-CrossTenant-FromEntityHeader: Internet

X-MS-Exchange-Transport-CrossTenantHeadersStamped: AMSPR05MB065

X-MS-Exchange-Organization-AuthSource: DB3FFO11FD028.protection.gbl

X-MS-Exchange-Organization-AuthAs: Anonymous

X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.5565465



March 5th, 2015 12:48pm
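One way to read the headers posted above, as an added example that is not part of the original thread: it walks the Received chain oldest hop first, reports the hop where a non-Microsoft host hands the message to a Microsoft host, and pulls the TenantId out of the X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp header so it can be compared with the standalone account's tenant ID. The sample is constructed and abridged from the post's headers; 203.0.113.10 is a placeholder for the redacted on-prem IP, and the hostname suffix list is an assumption taken from the hostnames visible in those headers.

```python
import re
from email import message_from_string

# Constructed sample, abridged from the headers in the post.
# 203.0.113.10 is a documentation-range placeholder for the redacted on-prem IP.
SAMPLE = """\
Received: from emea01-am1-obe.outbound.protection.outlook.com (157.56.112.128)
 by DB3FFO11FD028.mail.protection.outlook.com (10.47.217.59) with Microsoft
 SMTP Server (TLS) id 15.1.99.6 via Frontend Transport; Thu, 5 Mar 2015
 16:16:28 +0000
Received: from mail.localdomainhere (203.0.113.10) by
 DB3FFO11FD040.mail.protection.outlook.com (10.47.217.71) with Microsoft SMTP
 Server (TLS) id 15.1.99.6 via Frontend Transport; Thu, 5 Mar 2015 16:16:25
 +0000
Received: from INT-EX-01.localdomainhere (192.168.142.20) by
 INT-EX-01.localdomainhere (192.168.142.20) with Microsoft SMTP Server (TLS) id
 15.0.913.22; Thu, 5 Mar 2015 16:15:55 +0000
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bfa61dad-1543-4f3b-8075-03498e9f4fcb;Ip=[203.0.113.10]
"""

# Assumption: suffixes of the Microsoft-operated hosts seen in the posted headers.
MS_SUFFIXES = (".protection.outlook.com", ".protection.gbl",
               ".prod.outlook.com", ".outlook.office365.com")
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def is_microsoft(host):
    return host.lower().endswith(MS_SUFFIXES)

def hops(raw):
    """Return (from_host, by_host) pairs, oldest hop first."""
    msg = message_from_string(raw)
    found = [HOP.search(v) for v in msg.get_all("Received", [])]
    return [m.groups() for m in reversed(found) if m]

def first_microsoft_handoff(raw):
    """First hop where a non-Microsoft sender hands the message to a Microsoft host."""
    for src, dst in hops(raw):
        if is_microsoft(dst) and not is_microsoft(src):
            return src, dst
    return None

def attributed_tenant(raw):
    """Tenant GUID stamped in the attributed-tenant header, or None if absent."""
    msg = message_from_string(raw)
    value = msg.get("X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp", "")
    m = re.search(r"TenantId=([0-9a-f-]{36})", value)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(first_microsoft_handoff(SAMPLE), attributed_tenant(SAMPLE))
```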

Did you or anyone run the hybrid configuration wizard?

If your domain is verified, it means that it was intended to be used, and someone may have manually created the connector or done so by running HCW.

March 5th, 2015 3:29pm

No one has run the hybrid configuration wizard.

Also, the reason the domain was initially verified was for Office365 Lync, however we don't use that anymore.

I've spoken to my boss and he reckons the reason for this is because of Internal routing (after all, it's only office 365 emails which are showing in the message flow trace) so this does make sense.

What do you think?

March 5th, 2015 4:08pm

You mentioned picking up, right?

Check your MX records and make sure they are not pointing to office365 (outlook.com).

March 5th, 2015 4:56pm

MX records are not set to office 365, the MX is pointing directly to the on-prem exchange server. 

The problem is; Office 365 Mail Delivery Trace is displaying mail we've sent via our On-Prem server - We are having trouble understanding why this is happening.

To clarify, the message tracer in Office 365 is displaying outbound mail (Which for example, a user has sent out from their outlook) BUT only outbound mail which is being sent to other office 365 users.

We do not have mail on office 365, only on-premise hence the reason why we are flabbergasted as to why the mail we are sending out would be displaying on the office 365 message tracer.

To further clarify, we are only seeing addresses in the office 365 message trace which belong to recipients who use office 365 for their mail.

Hope this makes sense.

March 5th, 2015 5:54pm

In addition to the above, we have made sure there are NO outbound connectors on-prem pointing to Office 365.

Could this simply be an internal routing issue then?

March 5th, 2015 5:55pm

Getting messy. O365 users to another O365, you mean?

You mentioned if they send email using their MS Outlook Client.

I'd suggest you send another email to the same recipient but using OWA.

There may have been an office 365 connector in Outlook.


March 5th, 2015 6:02pm

This topic is archived. No further replies will be accepted.
