Mail Not Flowing: Exchange Online Complete Diagnosis

Systematic diagnosis for scenarios where inbound and/or outbound mail has stopped flowing completely. Includes decision tree, root cause patterns, and safe remediation.

Last Updated: January 9, 2026 | Author: Amelia R. Patel, Principal Security Engineer

⚠️ Business Consequence: Why This Matters

  • Financial Impact: $5K–$10K per minute in lost productivity, customer orders offline
  • Compliance Exposure: Email retention failures = audit findings ($10K–$50K+ penalties)
  • Operational Risk: All organizational communications blocked; escalation delays
  • Regulatory Risk: Undelivered messages to regulators, customers trigger notification requirements

Diagnosis time: 25–35 minutes. This guide prevents extended outages through systematic root-cause identification.

✅ Typical Outcomes (Based on 89 Customer Incidents)

  • 32 minutes: median time to restore mail flow
  • 91%: resolved without vendor support
  • 68%: root cause was DNS or a connector
  • 9%: required Microsoft escalation

🚀 Before You Start

⏱ Time Required 25-35 minutes for full diagnosis
👤 Skill Level IT admin with Exchange admin access
🛡️ Safety Diagnostic steps are read-only; only the Safe Rollback procedures change configuration
📋 What You'll Need Exchange admin center access, PowerShell

Stuck at any step? Request Exchange Security Assessment with principal engineers for guided troubleshooting.

Quick Reference

  • Time to diagnose: 25-35 minutes
  • Severity: P1 (Critical) - Zero mail delivery
  • Common causes: Connector failure, DNS misconfiguration, EOP blocking
  • Rollback time: 5-10 minutes

Symptom Definition: What Qualifies as "Mail Not Flowing"

Mail is not being delivered. This includes:

  • Zero inbound mail to the tenant (external senders report delivery failure or silence)
  • Zero outbound mail from the tenant (users send, but mail never reaches recipients)
  • Both inbound and outbound blocked
  • Message trace shows no activity (no accepted, rejected, or queued messages)
  • Occurrence is consistent, not intermittent

If mail is still flowing for some users/domains, see Delayed Email or Partial Delivery guides instead.

Common Error Codes & NDR Messages

These codes show up in sender NDRs and in message trace details. The enhanced status code (class.subject.detail, RFC 3463) is more useful than the three-digit reply: 4.x.x is transient (the sending server keeps retrying), 5.x.x is permanent. The subject digit points at the layer: x.1.x addressing, x.2.x mailbox, x.4.x network or routing, x.7.x security or policy. If every failure in a window shares one subject code, the cause is systemic (DNS, connector, policy) rather than per-recipient. Use these to narrow your diagnosis:

Inbound Failure Codes (what external senders see)

  • 550 5.1.1: recipient address not found in the tenant. If every recipient fails this way, the accepted domain or the recipient objects are missing, not one typo
  • 550 5.2.1: mailbox disabled (license removed or mailbox soft-deleted)
  • 421 4.4.0 / 421 4.4.2: connection to EOP or to the on-premises server dropped or timed out; transient, the sender retries
  • 550 5.7.1: policy rejection by EOP (client host blocked, relay not permitted, or a connector restriction such as required TLS not met)
  • 451 4.7.0: temporary server error on the EOP side; transient, the sender retries

Outbound Failure Codes (User Perspective)

  • 550 5.1.8 Access denied, bad outbound sender: the sender is on the tenant's Restricted users list (note that 5.2.2 is "mailbox full", not a sending restriction)
  • 421 4.4.2: connection to the external server dropped
  • 550 5.1.1: destination address not found on the remote server
  • 451 4.4.0: transient DNS or network failure reaching the destination server; EOP retries
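As an added example (not code from the original page), the function below pulls the enhanced status code out of NDR or message trace detail text and groups failures by RFC 3463 subject layer, so you can tell a systemic break from scattered per-recipient errors. The sample lines at the bottom are constructed for the demonstration.

```powershell
# Added example, not code from the original page. Extracts the enhanced
# status code (RFC 3463 class.subject.detail) from NDR or message-trace
# detail text and groups failures by layer, to tell a systemic break from
# per-recipient errors. The sample lines at the bottom are constructed.
function Get-NdrCodeSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Subject digit -> layer (RFC 3463 section 3)
    $layers = @{
        '1' = 'Addressing'; '2' = 'Mailbox'; '3' = 'Mail system'
        '4' = 'Network/routing'; '5' = 'Protocol'; '6' = 'Content'; '7' = 'Security/policy'
    }
    # Optional 3-digit reply code, then the enhanced code, e.g. "550 5.7.1" or "5.7.1"
    $rx = '(?:\b[245]\d\d[ -])?\b(?<code>[245]\.\d{1,3}\.\d{1,3})\b'

    $rows = @(foreach ($line in $Lines) {
        $m = [regex]::Match($line, $rx)
        if (-not $m.Success) { continue }
        $code  = $m.Groups['code'].Value
        $parts = $code.Split('.')
        [pscustomobject]@{
            Code      = $code
            Transient = ($parts[0] -eq '4')      # 4.x.x: sender retries; 5.x.x: permanent
            Layer     = $layers[$parts[1]]
            Text      = $line
        }
    })

    $byLayer = @($rows | Group-Object Layer | Sort-Object Count -Descending)
    $verdict = if ($rows.Count -eq 0) {
        'No enhanced status codes found in the input'
    } elseif ($byLayer.Count -eq 1) {
        "All $($rows.Count) failures are $($byLayer[0].Name): one systemic cause is likely"
    } else {
        $mix = ($byLayer | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        "Mixed layers ($mix): check for more than one cause or per-recipient problems"
    }
    [pscustomobject]@{ Rows = $rows; ByLayer = $byLayer; Verdict = $verdict }
}

# Constructed sample NDR text, not real trace output
$sample = @(
    '550 5.7.1 Service unavailable, Client host [203.0.113.10] blocked',
    '550 5.7.1 Unable to relay',
    '450 4.7.320 Certificate validation failed',
    '550 5.7.1 Service unavailable, Client host [203.0.113.10] blocked'
)
$summary = Get-NdrCodeSummary -Lines $sample
$summary.Rows | Format-Table Code, Transient, Layer -AutoSize
$summary.Verdict   # all four are Security/policy: look at EOP policy, connector restrictions, TLS
```

Feed it the Detail text from Get-MessageTraceDetail or the bodies of bounced NDRs collected from senders; a single dominant layer tells you which step of the decision tree to jump to.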

Root Cause Categories: When & Why Mail Stops Flowing

Mail flow failures typically fall into these 8 categories. Use this to guide your diagnostic approach:

  • Connector failure: Inbound or outbound hybrid connector is disabled, or it identifies the on-premises server by an IP range or TLS certificate that no longer matches (egress IP changed, certificate renewed with a different subject)
  • Connectivity issue: Network outage, firewall blocking TCP 25/587/465, or VPN failure (hybrid)
  • DNS failure: MX records deleted, pointing to wrong server, or DNS zone misconfiguration
  • EOP rejection: Tenant blocked by Exchange Online Protection (spam score, IP reputation, TLS policy)
  • Hybrid sync failure: Directory sync stopped or mailbox not properly provisioned
  • Transport rule issue: A rule with no conditions is rejecting all mail (senders receive an NDR) or deleting it without notification (silent, nothing in the sender's view)
  • Tenant provisioning incomplete: Exchange Online mailbox not activated after migration
  • Licensing issue: Mailboxes delicensed or subscription expired

What NOT to Do

  • ❌ Do not restart the hybrid server until you confirm the issue is not on EOP side (could make situation worse)
  • ❌ Do not delete and recreate connectors until you have exported the configuration
  • ❌ Do not flush transport queues without checking message trace first (you lose delivery history)
  • ❌ Do not disable all transport rules at once in production (use exemption rule instead to test)
  • ❌ Do not change DNS records until you have confirmed current MX records via nslookup
  • ❌ Do not assume it's a firewall issue without checking EOP connectivity logs first

Diagnostic Steps (Decision Tree)

Step 1: Confirm Mail Not Flowing (5 min)

In Exchange admin center → Mail flow → Message trace:

  • Select time range (last 24h)
  • Run search with no filters (show all messages)
  • Note: If 0 messages shown → nothing reached EOP in the window; the break is upstream of the tenant (DNS, connectivity, or a connector that scopes all inbound mail). Trace data for the newest few minutes can lag, so judge the window, not the last minutes
  • Note: If messages are shown but all have status Failed → EOP received mail but delivery failed; open one message's details and read the failure reason before moving on (a 5.7.x reason points at a rule or policy, a 4.4.x reason at the next hop)

Decision: If 0 messages in trace → go to Step 2. If messages exist with failed status → go to Step 3.

Step 2: Check Inbound Connector Health (5 min)

In Exchange admin center → Mail flow → Connectors:

  • Select "Inbound connector from on-premises" (if hybrid) OR check for mail server inbound rules
  • Check the Status column: On (enabled) or Off (disabled). The admin center shows no colour indicator; Get-InboundConnector returns the same Enabled and ConnectorType values
  • Click connector → Verify it is enabled. Note that when MX points directly to EOP, internet mail needs no inbound connector at all; the connector only governs mail relayed from on-premises servers or a third-party gateway
  • Verify the sender IP addresses (SenderIPAddresses) still match the public IPs your on-premises servers send from; a changed egress IP after a firewall or ISP change is a classic silent break
  • Check how the connector identifies your servers: by IP range or by TLS certificate subject (TlsSenderCertificateName). If by certificate, confirm the certificate on the on-premises server has not expired or been renewed under a different subject name

Decision: If the connector is Off or its IP/certificate identification no longer matches → re-enable or reconfigure (see Rollback section). If On and matching → go to Step 4.

Step 3: Check Outbound Connector Status (5 min)

In Exchange admin center → Mail flow → Connectors:

  • Select "Outbound connector to on-premises" (if hybrid)
  • Check status and enabled state
  • Click connector → Check smart host configuration (if applicable)
  • Verify on-premises server IP is reachable

Decision: If the outbound connector is Off or its validation fails → check that the smart host resolves and that the on-premises receive connector accepts TLS from EOP, then re-validate (restarting the on-premises transport service is Rollback 1). If On and validated → go to Step 4.

Step 4: Check EOP Connectivity & DNS (5 min)

From the hybrid server (if on-premises), test SMTP reachability of your EOP MX host. The telnet client is not installed by default on Windows Server, and outlook.office365.com is the client-access endpoint, not an SMTP host; test the MX host, which is also the smart host hybrid uses for mail to EOP:

Test-NetConnection yourdomain-com.mail.protection.outlook.com -Port 25

Expected result: TcpTestSucceeded : True. This only proves on-premises → EOP; the reverse direction (EOP → your receive connector on TCP 25) must be allowed from Microsoft's published EOP IP ranges, so check the firewall logs for that traffic too.

Check inbound DNS:

nslookup -type=MX yourdomain.com

Expected: the lowest-preference MX is yourdomain-com.mail.protection.outlook.com (the exact hostname is shown under Settings → Domains in the Microsoft 365 admin center). Query a public resolver as well (nslookup -type=MX yourdomain.com 1.1.1.1): internal DNS can still return the right answer after the public zone was changed.

Decision: If the port test fails → firewall/connectivity issue. If DNS wrong → correct MX records immediately (Rollback 4). If both OK → go to Step 5.

Step 5: Check Transport Rules & DLP (5 min)

In Exchange admin center → Mail flow → Rules:

  • Review all enabled rules whose action is "Reject the message" or "Delete the message without notifying anyone"; a reject returns an NDR, a delete is silent
  • For each such rule, note the conditions and exceptions (no conditions = matches all mail). In PowerShell, Get-TransportRule exposes State, Mode, Conditions, Exceptions, DeleteMessage and RejectMessageReasonText for the same check
  • Instead of disabling a suspect rule, switch it to audit mode (Set-TransportRule with -Mode Audit) so it still logs matches without acting, and set it back to -Mode Enforce afterwards
  • Check DLP policies (Microsoft Purview → Data loss prevention) → any policy with a block action scoped to Exchange and all users?

Decision: If a rule is blocking → narrow its conditions or add exceptions rather than leaving it disabled. If no broad blocks → go to Step 6.

Step 6: Check Mailbox Provisioning (5 min)

In Exchange admin center → Recipients → Mailboxes:

  • For at least one user who should be receiving mail, click the mailbox → verify a license that includes Exchange Online (Exchange Online Plan 1/2 or a Microsoft 365 suite) is assigned
  • Check the recipient type: UserMailbox means the mailbox lives in Exchange Online; MailUser means it is still on-premises or was never provisioned, and EOP routes to its ExternalEmailAddress instead
  • Verify "Primary SMTP address" is set correctly and its domain is an accepted domain of the tenant
  • Run: Get-Recipient -Identity user@domain | Select-Object RecipientTypeDetails, PrimarySmtpAddress (for a MailUser, Get-MailUser -Identity user@domain | Select-Object ExternalEmailAddress shows where mail is being routed)

Decision: If mailbox not licensed or not provisioned → assign license (see Rollback 5). If provisioned → go to Step 7.

Step 7: Check Directory Sync Status (5 min)

If using a hybrid setup, check the sync age from the tenant side (the MSOnline module and its Get-Msol* cmdlets are retired; use Microsoft Graph):

Get-MgOrganization | Select-Object OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

Expected: OnPremisesLastSyncDateTime within the last 30 minutes (the default delta sync interval); allow an hour before calling it stuck. Sync lag by itself does not stop mail for mailboxes that already exist; it matters for newly created or recently moved users.

On the Entra Connect (AAD Connect) server, confirm the scheduler is enabled and no cycle is stuck in progress, then force a delta sync:

Get-ADSyncScheduler
Start-ADSyncSyncCycle -PolicyType Delta

Decision: If SyncCycleEnabled is False or a cycle has been in progress for an hour → restart the sync service (service name ADSync) and rerun the delta sync. If sync is current → escalate to Microsoft (go to Escalation Criteria section).
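The seven steps above, collected in one read-only pass, as an added example that is not the page's own tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Identity.DirectoryManagement modules, an existing Connect-ExchangeOnline session plus Connect-MgGraph with the Organization.Read.All scope, and a Windows host (Resolve-DnsName, Test-NetConnection); the domain and test user are placeholders.

```powershell
# Added example, not the page's own tooling: a read-only pass over Steps 1-7
# that collects evidence in one run. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph.Identity.DirectoryManagement modules, an existing
# Connect-ExchangeOnline session and Connect-MgGraph -Scopes Organization.Read.All,
# and Windows (Resolve-DnsName, Test-NetConnection). Domain and user are placeholders.
function Invoke-MailFlowTriage {
    param(
        [Parameter(Mandatory)][string]$Domain,    # e.g. contoso.com (placeholder)
        [Parameter(Mandatory)][string]$TestUser,  # a user who should receive mail (placeholder)
        [int]$TraceHours = 24
    )
    $f = New-Object System.Collections.Generic.List[string]

    # Step 1: does anything reach EOP at all, and what is the status mix?
    $end = Get-Date; $start = $end.AddHours(-$TraceHours)
    $trace = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000)  # first 5000 only
    if ($trace.Count -eq 0) {
        $f.Add("TRACE: 0 messages in last ${TraceHours}h; break is upstream of EOP (DNS, connectivity, connector scope)")
    } else {
        $mix = ($trace | Group-Object Status | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        $f.Add("TRACE: $($trace.Count) messages; status mix: $mix")
        if (@($trace | Where-Object Status -eq 'Delivered').Count -eq 0) {
            $f.Add('TRACE: nothing delivered; EOP accepts mail but delivery fails downstream (connector, rule or recipient)')
        }
    }

    # Steps 2-3: connector state. EAC shows Status On/Off; there is no colour indicator.
    foreach ($c in Get-InboundConnector) {
        $idBy = if ($c.TlsSenderCertificateName) { "certificate '$($c.TlsSenderCertificateName)'" }
                else { "sender IPs $($c.SenderIPAddresses -join ',')" }
        $f.Add("INBOUND '$($c.Name)': Enabled=$($c.Enabled) Type=$($c.ConnectorType) identified by $idBy")
    }
    foreach ($c in Get-OutboundConnector) {
        $f.Add("OUTBOUND '$($c.Name)': Enabled=$($c.Enabled) SmartHosts=$($c.SmartHosts -join ',') " +
               "IsValidated=$($c.IsValidated) LastValidation=$($c.LastValidationTimestamp)")
    }

    # Step 4: lowest-preference MX must be the EOP host, and TCP 25 to it must open
    $expectedMx = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference)
    if ($mx.Count -eq 0) { $f.Add("DNS: no MX record for $Domain") }
    elseif ($mx[0].NameExchange.TrimEnd('.') -ine $expectedMx) { $f.Add("DNS: lowest MX is $($mx[0].NameExchange), expected $expectedMx") }
    else { $f.Add("DNS: MX OK ($expectedMx)") }
    $tcp = Test-NetConnection -ComputerName $expectedMx -Port 25 -WarningAction SilentlyContinue
    $f.Add("TCP25: $expectedMx reachable from this host = $($tcp.TcpTestSucceeded)")

    # Step 5: enforced rules that reject or silently delete with no conditions or exceptions (match everything)
    $broad = Get-TransportRule | Where-Object {
        $_.State -eq 'Enabled' -and $_.Mode -eq 'Enforce' -and
        ($_.DeleteMessage -or $_.RejectMessageReasonText) -and
        -not $_.Conditions -and -not $_.Exceptions
    }
    foreach ($r in $broad) { $f.Add("RULE '$($r.Name)' (priority $($r.Priority)) rejects or deletes ALL mail") }

    # Step 6: is the test user a cloud mailbox or still a MailUser?
    $rcpt = Get-Recipient -Identity $TestUser -ErrorAction SilentlyContinue
    if (-not $rcpt) { $f.Add("RECIPIENT: $TestUser not found in Exchange Online") }
    else {
        $f.Add("RECIPIENT: $TestUser is $($rcpt.RecipientTypeDetails), primary $($rcpt.PrimarySmtpAddress)")
        if ($rcpt.RecipientTypeDetails -eq 'MailUser') { $f.Add('RECIPIENT: MailUser = mailbox is on-premises or never provisioned') }
    }

    # Step 7: directory sync age from the tenant side (no Entra Connect server access needed)
    $org = Get-MgOrganization | Select-Object -First 1
    if ($org.OnPremisesSyncEnabled -and $org.OnPremisesLastSyncDateTime) {
        $ageMin = [int]((Get-Date).ToUniversalTime() - $org.OnPremisesLastSyncDateTime).TotalMinutes
        $f.Add("DIRSYNC: last sync $ageMin min ago (default delta cycle is 30 min)")
    }
    return $f.ToArray()
}

# Usage (placeholders):
# Invoke-MailFlowTriage -Domain 'contoso.com' -TestUser 'alice@contoso.com' | ForEach-Object { Write-Host $_ }
```

Every line it emits is evidence you can paste straight into the Microsoft ticket described later; nothing in it changes configuration, so it is safe to run while an incident is open.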

Root Cause Patterns

[Figure: mail flow diagnostic decision tree with steps, durations, and decision criteria]
Root cause, evidence, and fix:

  • Connector offline. Evidence: connector Status Off or outbound validation failing; no messages from on-premises in trace. Fix: re-enable the connector; if the on-premises transport is hung, restart it and re-validate (Rollback 1)
  • Network/firewall block. Evidence: TCP 25 test to the EOP MX host fails while the connector is On. Fix: check firewall rules; TCP 25 must be open outbound to EOP and inbound from Microsoft's published EOP IP ranges to the on-premises server
  • Wrong MX records. Evidence: nslookup shows the lowest-preference MX not pointing to yourdomain-com.mail.protection.outlook.com. Fix: update DNS MX records immediately (Rollback 4)
  • Transport rule rejecting or deleting all mail. Evidence: enabled rule with no conditions and a reject or delete action. Fix: put the rule in audit mode, then add conditions or exceptions (Rollback 2)
  • Mailbox not licensed/provisioned. Evidence: recipient has no Exchange license or RecipientTypeDetails is MailUser instead of UserMailbox. Fix: assign an Exchange license (Rollback 5)
  • Directory sync stopped. Evidence: OnPremisesLastSyncDateTime hours old, Entra Connect scheduler disabled or erroring. Fix: restart the ADSync service, check the Application event log, force a delta sync (Rollback 3)

Safe Rollback Procedures

Rollback 1: Restart Hybrid Connector

  1. On the hybrid mail server, restart the transport service: Restart-Service MSExchangeTransport. Queued messages are kept on disk (the mail.que database); only in-flight SMTP sessions are dropped and the senders retry them
  2. Wait 2 minutes for the service to fully start (Get-Service MSExchangeTransport shows Running)
  3. In Exchange admin center → Connectors, reload the page and re-run validation on the outbound connector (Validate-OutboundConnector with -Identity and -Recipients does the same from PowerShell)
  4. Verify both on-premises connectors show Status On and the outbound validation succeeds
  5. Send a test email (internal to external) and confirm delivery
  6. If mail flows after 5 minutes → issue resolved. If not → proceed to next rollback.

Rollback 2: Revert Recent Transport Rule Changes

  1. In Exchange admin center → Rules → Disable all rules modified in last 24h (one at a time)
  2. After disabling each rule, wait 2 minutes and send test email
  3. If mail flows after disabling a rule → that rule was the issue
  4. Once identified, edit the rule to add conditions instead of blanket reject (e.g., only reject specific content)
  5. Re-enable the rule with fixed conditions

Rollback 3: Force Directory Sync

  1. On AAD Connect server, open PowerShell as admin and run: Import-Module ADSync Start-ADSyncSyncCycle -PolicyType Delta
  2. Wait for sync to complete (check progress in AAD Connect UI)
  3. Once complete, send test email
  4. If mail flows → issue was directory sync lag

Rollback 4: Correct DNS MX Records

  1. Check current MX record: nslookup -type=MX yourdomain.com
  2. If MX is not pointing to yourdomain-com.mail.protection.outlook.com, log into DNS registrar
  3. Update the MX record to point to yourdomain-com.mail.protection.outlook.com. Give it the lowest priority value of any MX for the domain (the Microsoft 365 setup page uses 0); the number only matters relative to the domain's other MX records
  4. Wait for the old record's TTL to expire (often 30-60 min) and verify from public resolvers (mxtoolbox.com, or nslookup against 1.1.1.1). Sending servers queue and retry for days, so mail that hit a dead or timing-out MX will still arrive; mail that was rejected permanently (5.x.x) by a wrong but live host is lost and those senders must resend
  5. Once propagated, send test email from external sender

Rollback 5: Assign Exchange License

  1. In Microsoft 365 admin center → Users → Active users
  2. Click the user without mail → Licenses and apps
  3. Assign a license that includes Exchange Online (Exchange Online Plan 1/2 or a Microsoft 365 / Office 365 suite)
  4. If the user is synced from on-premises and you also changed on-premises attributes, force a directory sync (see Rollback 3); a cloud-side license assignment alone needs no sync
  5. Mailbox provisioning normally completes within minutes; re-check with Get-Recipient (RecipientTypeDetails should become UserMailbox) and allow up to an hour before treating it as a provisioning failure
  6. Send test email to/from the user

When to Escalate to Microsoft Support

Escalate if:

  • All diagnostic steps complete, no root cause found, mail still not flowing
  • Connector Status is On and validated, DNS is correct, firewall is open, but EOP shows no accepted messages
  • Message trace shows messages accepted by EOP but never delivered to tenant
  • Throttling policy was not manually modified but throttling is persisting
  • Directory sync is stuck for >2 hours after forced sync and service restart

What to include in Microsoft ticket:

  • Message trace (last 24h) showing 0 messages or all failed status
  • Connector configuration (exported from admin center)
  • Recent transport rule changes (last 7 days)
  • Network connectivity test results (telnet EOP, DNS nslookup)
  • Directory sync status and LastSyncSuccess timestamp
  • Exact error from mailbox provisioning check (Get-Mailbox output)

🛡️ How to Prevent Mail Flow Failures

Proactive monitoring catches connector failures, DNS drift, and throttling before complete mail flow stoppage:

Daily Health Checks

  • Connector status monitoring: Run Get-InboundConnector and Get-OutboundConnector daily via scheduled task; alert when any connector has Enabled False or an outbound connector has IsValidated False. Validate-OutboundConnector (with -Identity and -Recipients) re-runs the end-to-end test on demand
  • Message trace baseline: Establish normal message volume per hour of the day; alert when the current hour < 50% of the baseline for that hour
  • Queue depth monitoring (hybrid on-premises server, Get-Queue): Alert when any queue holds > 100 messages for > 15 minutes (the next hop is unreachable, rejecting, or throttling)
  • DNS validation: Weekly MX record checks via nslookup -type=mx yourdomain.com against a public resolver, compared with the expected yourdomain-com.mail.protection.outlook.com (catch unauthorized changes)

Change Control Requirements

  • Transport rule testing: Test all mail flow rules in pilot mailbox before production deployment
  • Connector backups: Export connector configs before changes: Get-InboundConnector | Export-Clixml -Path .\inbound-connectors.xml, and the same for Get-OutboundConnector; Import-Clixml reads them back for comparison or re-creation
  • DNS change freeze: Require two-person approval for MX record changes; document in change ticket
  • Rollback plan: Document exact rollback steps in change request before executing transport rule updates
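The connector backup and rollback-plan items above, and the earlier rule of never deleting a connector before exporting it, become much easier to enforce when the export is diffable. The following is an added example (not the page's own tooling): it flattens both connector types to one line per property, writes a snapshot, and reports what changed between two snapshots. It assumes an existing Connect-ExchangeOnline session and a writable working directory; the file names are placeholders.

```powershell
# Added example, not the page's own tooling. Snapshot inbound/outbound connector
# configuration before a change and diff it afterwards. Assumes an existing
# Connect-ExchangeOnline session; paths are placeholders.
$connectorProps = 'Name','Enabled','ConnectorType','SenderIPAddresses','SenderDomains',
    'TlsSenderCertificateName','RequireTls','RestrictDomainsToIPAddresses','RestrictDomainsToCertificate',
    'SmartHosts','RecipientDomains','TlsSettings','TlsDomain','UseMXRecord','IsTransportRuleScoped'

function ConvertTo-ConnectorLines {
    # One "Kind|Name|Prop=Value" line per property, so Compare-Object can diff them
    param($Connectors, [string]$Kind)
    foreach ($c in $Connectors) {
        foreach ($p in $connectorProps) {
            $prop = $c.PSObject.Properties[$p]
            if ($null -eq $prop) { continue }          # inbound and outbound have different property sets
            $v = $prop.Value
            if ($v -is [System.Collections.IEnumerable] -and $v -isnot [string]) {
                $v = ($v | ForEach-Object { "$_" } | Sort-Object) -join ';'   # stable order for multi-valued props
            }
            "$Kind|$($c.Name)|$p=$v"
        }
    }
}

function Export-ConnectorSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $lines = @(ConvertTo-ConnectorLines (Get-InboundConnector) 'Inbound') +
             @(ConvertTo-ConnectorLines (Get-OutboundConnector) 'Outbound')
    $lines | Set-Content -Path $Path -Encoding UTF8
    return $lines.Count
}

function Compare-ConnectorSnapshot {
    param([Parameter(Mandatory)][string]$BeforePath, [Parameter(Mandatory)][string]$AfterPath)
    $diff = Compare-Object -ReferenceObject (Get-Content $BeforePath) -DifferenceObject (Get-Content $AfterPath)
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '<=') { 'REMOVED' } else { 'ADDED  ' }
        "$tag $($d.InputObject)"
    }
}

# Usage (placeholders):
# Export-ConnectorSnapshot -Path .\connectors-before.txt     # attach to the change ticket
# ... make the change ...
# Export-ConnectorSnapshot -Path .\connectors-after.txt
# Compare-ConnectorSnapshot -BeforePath .\connectors-before.txt -AfterPath .\connectors-after.txt
```

Keep the Export-Clixml copy as well: the flat text is for reviewing and diffing, the Clixml file is what you re-import to rebuild a connector from its original values.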

Recommended Monitoring Script (PowerShell)

# Run every 15 minutes via scheduled task. Unattended runs need certificate-based app authentication (placeholders below).
# Send-MailMessage through the same tenant cannot deliver an alert while that tenant's mail is down, so alert over a webhook instead.
Connect-ExchangeOnline -AppId "<app-id>" -CertificateThumbprint "<thumbprint>" -Organization "yourtenant.onmicrosoft.com" -ShowBanner:$false
$End = Get-Date
$Start = $End.AddMinutes(-20)   # overlap the 15-minute schedule; trace data for the newest minutes can lag
$Trace = @(Get-MessageTrace -StartDate $Start -EndDate $End -PageSize 1000)
if ($Trace.Count -eq 0) {
    $Body = @{ text = "ALERT: zero mail flow in Exchange Online since $($Start.ToString('u'))" } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "<incoming-webhook-url>" -ContentType "application/json" -Body $Body
}
Disconnect-ExchangeOnline -Confirm:$false

Alert threshold: Zero messages in a 15-minute window = P1 incident (immediate investigation). Calibrate against the daily baseline above: a small tenant can legitimately see zero messages overnight or at weekends, so either restrict the schedule to business hours or alert on "< 50% of the baseline for this hour" instead of a flat zero.

What to Do Next

✅ Issue Resolved?

Implement our prevention checklist to avoid recurrence. Set up monitoring alerts and daily health checks.


❌ Still Stuck?

Request an assessment-first review with principal engineers. We'll identify root cause and provide a safe remediation roadmap.



FAQs

How do I confirm mail truly isn’t flowing?

Run a 24h message trace with no filters. If it shows 0 messages accepted, rejected, or queued, mail has been blocked for the entire window.

What’s the fastest rollback if connectors failed?

Restart the transport service on the hybrid server, re-validate the outbound connector, and send a test email. See the Safe Rollback section above.

Which DNS record should MX point to?

Ensure MX points to yourdomain-com.mail.protection.outlook.com with correct priority. Validate with nslookup -type=MX yourdomain.com before changes.

When should I escalate to Microsoft?

If connectors are On and validated, DNS and firewall are verified, but EOP shows no accepted messages after all diagnostics, escalate with trace evidence.