Forum Widgets
Latest Discussions
ARC verification fail (40) on specific Exchange Online frontends - recurring issue
Hello, We are observing recurring arc=fail (40) errors on messages forwarded through Exchange Online, caused by specific frontend servers. The same messages pass ARC verification correctly on other providers (Google, etc.). Affected frontends identified so far: CH2PEPF0000013F.namprd02.prod.outlook.com - build 15.20.9700.17 (March 14, 2026) CH3PEPF0000000B.namprd04.prod.outlook.com - build 15.20.9769.17 (April 6, 2026) Both share the same build suffix .17. The signing implementation on our side has been cryptographically verified as correct and RFC 6376 compliant. The issue has also been reported on the IETF ietf-smtp mailing list with full technical analysis. Cryptographic analysis shows the failing servers append a spurious trailing \r\n to the last header before computing the verification hash, violating RFC 6376 Section 3.7. Is there a pattern with .17 frontend builds and ARC verification? Reagards Vittorio
Email Showing as Quarantined in a Message Trace, but Not Showing up in MS Defender
A customer of ours was waiting on an email to arrive and to help figure out where the email was or if it was sent yet we ran a message trace. The message trace showed that the email was sent to quarantine. With this information in mind, I went to MS Defender > Email & collaboration > Review > Quarantine but could not find the message. I modified some of the filters and could not get the quarantined message to appear. I triple checked the filters I created and made sure the information was correct. I also removed all filters and looked for the time period the email came in, but could not find it. Not sure if this is related, but this email had a significant delay likely coming from the sender. Any thoughts or ideas? Or anything that I am missing?Cross Tenant Mailbox Migration: NotAcceptedDomainException
This week I'm performing a new cross tenant mailbox migration. I have some experience with this kind of migrations, ( it's the third one I'm in charge of ), and with the new procedure, ( will paste the link with the instructions at the end of this article ), an Azure Key Vault is no longer required, so I was very confident and thought that I would no have any issue. But, as sometimes occurs, I was wrong The setup was quite easy, and the mail users configuration was like always, so no a big deal. But now comes the point... Once I launched the migration batch, half of the users started syncing correctly and the ther ones failed, ( neither a MoveRequest was able to start for them ). Once I checked the errors, I got the same for all the failed ones: " NotAcceptedDomainException: You can't use the domain because it's not an accepted domain for your organization ". Ok. No problem... ( I thought ). I work with Exchange since more than 10 years and this is a common error message. ( Again I was wrong ). I started to check the mail users, looking for some misspelled domain, missing alias, spaces, etc... Basically, the troubleshooting for this kind of errors. But from my perspective all looked good. So, I decided to reconfigure all the mailusers with a script, launch a delta sync, and resume the failed moverequest. But again, same error for all of them. Checked again, with PS, from source and target tenant, checked in AD, all the proxy addresses... Nothing, all was correct! Non sense... Ok. At that point I decid to compare some syncing mail users with some failed ones, looking for anything that could be a pattern. And "voilรก"! The syncing users were all licensed in O365... The failed ones not! After assigning a license to the failed ones and resume the MoveRequest, all started to work smoothly. For sure, I would have saved many hours of work if the error message had been: " The user is not licensed ". But, yeah... It would have been too simple ๐ Summarizing, make sure that the mail users have an O365 license before you start the migration batch. And remember, not always the error messages are what they seems to be ๐ Cross Tenant Mailbox Migration procedure, ( Preview ๐ https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide
Issue with certificate renewal for exchange Edge Transport Server
Hello team, I have come across a very particular problem I deployed 2 exchange server 2019 with one edge transport server When we are renewing the Certificates with wildcard certificate on both mailbox server ,and on edge transport server ,it is impossible for me to renew the edge subscription It says the cerificate is in "doublon" (repetitive) on one of the Exchange servers.I have always been using same certificate on exchange server be it edge or mailbox I tested a bogus different certificate on mailbox and on edge,only then th e edge sync works Did anybody come across this issue. ThanksM365 tenant emails marked as spam (SCL:5, CAT:PHISH) despite perfect authentication
Hello, Our business emails from our M365 tenant are consistently marked as spam when sent to other M365 tenants, despite perfect email authentication. Technical status: - SPF: Pass โ - DKIM: Pass โ (recently enabled) - DMARC: Pass โ (recently enabled) - Composite Authentication: Pass (reason=100) โ But messages are still marked as: - X-MS-Exchange-Organization-SCL: 5 - X-Forefront-Antispam-Report: CAT:PHISH;SFV:SPM We suspect a tenant reputation issue, possibly because the tenant ran for months without DKIM enabled. Now that all authentication is correct, how can we request a reputation review? Thank you!Administratively retract a user's email
I was recently asked to retract a message that was sent in-error to staff. I ran a discovery/search, and saved it, but when I ran the powershell script after connecting to Exchange, the script could not find the search, something like name not found. I verfied the name was correct, and I am a global admin so permissions should not have been an issue. Does anyone know of any accurate documentation to run a search and retract? I had to use an old YouTube video and could not find anything in Microsoft's documentation.iOS 26.4 iPhone Contact Sync with Microsoft Exchange Online
For the past 2โ3 weeks, several of our iOS users have been experiencing synchronization issues with Exchange contacts. Contacts intermittently disappear from their devices and then re-sync after some time. In some cases, the re-synchronization process is significantly delayed. Anyone else experiencing the same issue?
Microsoft Exchange Report
I faced a new issue today, don't know if anything breaks at Microsoft or any new thing roll out from there, the things is unable to check usage report properly as well as unable to export the email activity, Mailbox Usage etc report under report- exchange and other tabs as well in customer tenant. I have Global Reader privilege but still facing this issue. Anyone faced this type of issue from today or before? If anyone knows about its pleas update your comment here. Thanks..Can't connect with GDAP using ExchangeOnlineManagement 3.7.0/3.8.0, but 3.6.0 works
Since upgrading to ExchangeOnlineManagement version 3.7.0, I've been unable to connect to any of my clients using GDAP. I thought I'd try upgrading to 3.8.0, but I still get the same error: PS C:\Users\username> connect-exchangeonline -userprincipalname email address removed for privacy reasons -DelegatedOrganization contoso.com ---------------------------------------------------------------------------------------- This V3 EXO PowerShell module contains new REST API backed Exchange Online cmdlets which doesn't require WinRM for Client-Server communication. You can now run these cmdlets after turning off WinRM Basic Auth in your client machine thus making it more secure. Unlike the EXO* prefixed cmdlets, the cmdlets in this module support full functional parity with the RPS (V1) cmdlets. V3 cmdlets in the downloaded module are resilient to transient failures, handling retries and throttling errors inherently. REST backed EOP and SCC cmdlets are also available in the V3 module. Similar to EXO, the cmdlets can be run without WinRM basic auth enabled. For more information check https://aka.ms/exov3-module Starting with EXO V3.7, use the LoadCmdletHelp parameter alongside Connect-ExchangeOnline to access the Get-Help cmdlet, as it will not be loaded by default ---------------------------------------------------------------------------------------- The role assigned to user email address removed for privacy reasons isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to User. At C:\Users\username\OneDrive - MSP\Documents\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.7.2\netFramework\ ExchangeOnlineManagement.psm1:758 char:21 + throw $_.Exception; + ~~~~~~~~~~~~~~~~~~ + CategoryInfo : OperationStopped: (:) [], SystemException + FullyQualifiedErrorId : The role assigned to user email address removed for privacy reasons isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to User. You'd think there'd be something wrong with my GDAP permissions, but there doesn't appear to be. I can do anything via the Microsoft 365 Admin Center. Plus, most notably, if I manually load ExchangeOnlineManagement 3.6.0, everything works perfectly. I'm running Windows 11, and this behavior is reproducible on Windows PowerShell 5.1 as well as my preferred PowerShell 7.5.2. How can I troubleshoot this?
Preserving permissions during EXO migration
Hi, Can you help me understand the outcome of preserving the permissions in our scenario. Exchange Server 2016 (soon Exchange SE) in a hybrid with Exchange Online. We are moving 75% of the mailboxes to Exchange Online. What ways will preserve or break the full-access or sendas permissions? I guess best way would be to migrate both the user and the shared mailbox at the same time in the same batch to keep the permission? If we migrate the user in batch 1 and shared mailbox in batch 2 will that preserve/break the full access/send as? If we migrate the shared mailbox in batch 1 and usermailbox in batch 2 will that preserve/break the full access/send as? If the permission is linked directly on the shared mailbox or via a security group is there a difference? Thanks!
