Use headers to determine which Exchange Online tenant a message was attributed to

Consider the following mail flow.

On-premises environment --> Your Exchange Online tenant --> External Recipient

With the above mail flow, you may find yourself in a situation where you need to validate that the outbound message was properly attributed to your Exchange Online tenant. I recently worked with an organization that controlled two Exchange Online tenants and found that their mail was not relaying out of the tenant they expected.

You could simply run a message trace in your tenant as a trace will only show you results for messages that have passed through your tenant. However, you can also use the headers of the message as they look to the recipient. When looking at the Receive headers of a message, you’ll typically see a server name of <server name>.mail.protection.outlook.com for messages that have been sent to Exchange Online. This will indicate when a message entered an Exchange Online tenant.

Received: from mail-yw1-f45.google.com (209.85.161.45) by
QB1CAN01FT005.mail.protection.outlook.com (10.152.120.70) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) id
15.20.1471.13 via Frontend Transport; Wed, 2 Jan 2019 17:40:34 +0000

But what tenant in Exchange Online actually received this message? When a message is inbound to Exchange Online, it will be stamped with the following header once it has been attributed to a tenant.

X-EOPTenantAttributedMessage

The value of this header will be a GUID which represents a unique Office 365 tenant. To view the GUID of your own Office 365 tenant, connect via PowerShell to your Office 365 tenant and run the following.

Get-MsolCompanyInformation | Select-Object InitialDomain,ObjectID

If your tenant GUID matches the value in this header, then the message was attributed to your tenant. For a message that has left an Office 365 tenant and arrived at an external recipient, you may also see the following header.

X-MS-Exchange-CrossTenant-id

This will often represent the GUID of the tenant which sent the message, but won’t always, depending on how the mail routed through Exchange Online and if there were hops to third party devices as a message moved from one tenant to another.

The easiest way to tell if a message has gone through your tenant by using the headers is to grab your tenant GUID using the above PowerShell and then searching the headers for that GUID.

Cheers.

Comments