Troubleshooting Office 365 email delivery and Exchange Online issues requires a systematic approach using built-in diagnostic tools, configuration checks, and error analysis. Microsoft 365 administrators can resolve most problems by leveraging automated utilities like the Support and Recovery Assistant, message trace, and self-help diagnostics, while also verifying DNS records, mail flow connectors, and non-delivery reports (NDRs). The process typically begins with checking service health status, then progresses to specialized tools for identifying delivery failures, misconfigured rules, or external sender issues.

Key findings from the sources include:

• Primary tools: Message trace, NDR analysis, and the Exchange Admin Center (EAC) are essential for diagnosing delivery failures ^[1][9]
• Common causes: Incorrect SPF/MX records, misconfigured connectors, corrupted attachments, and DMARC failures frequently disrupt mail flow ^[2][8]
• Automated solutions: Microsoft’s self-help diagnostics and Support and Recovery Assistant provide guided troubleshooting for admins ^[1][6]
• External sender challenges: IP reputation, new IP warmup, and DNS misconfigurations often block inbound emails ^[10]

Core Troubleshooting Methods for Office 365 Email Issues

Diagnostic Tools and Initial Checks

Administrators should begin troubleshooting by verifying the overall health of Microsoft 365 services and using built-in diagnostic utilities. The Support and Recovery Assistant (SaRA) automates common checks, while the Exchange Admin Center (EAC) provides manual tools like message trace and mail flow tests. These steps help isolate whether issues stem from service outages, misconfigurations, or external factors.

Key diagnostic tools and initial actions include:

• Service health dashboard: Check for ongoing incidents at Microsoft 365 Service Health to confirm if delivery issues are widespread or isolated ^[1]. A "green" status indicates the problem likely lies within your configuration.
• Support and Recovery Assistant (SaRA): This tool automates diagnostics for Outlook connectivity, mailbox access, and hybrid configuration issues. It generates actionable reports, such as identifying corrupted Outlook profiles or authentication failures ^[1].
• Message trace: Located in the EAC under Mail flow > Message trace, this tool tracks emails through the system, showing delivery attempts, delays, or rejections. Filters allow searching by sender, recipient, or time range ^[1][9].
• Self-help diagnostics: Accessible via the Microsoft 365 admin center, these tests analyze mailbox settings, safe senders lists, and blocked domains without requiring admin permissions for changes. For example, the "Email Delivery Issues" diagnostic checks SPF, DKIM, and DMARC records ^[6].

For persistent issues, Microsoft recommends running these tools in sequence: service health → SaRA → message trace → self-help diagnostics. This order ensures you rule out service-wide problems before diving into configuration details.

Analyzing Non-Delivery Reports (NDRs) and SMTP Errors

When emails fail to deliver, Exchange Online generates Non-Delivery Reports (NDRs), which contain SMTP error codes, descriptions, and troubleshooting steps. These reports are critical for identifying why messages are rejected, delayed, or routed to junk folders. NDRs typically include a 5.x.x error code (permanent failure) or 4.x.x code (temporary issue), along with a diagnostic message explaining the cause.

Common NDR scenarios and solutions:

• 550 5.7.606 Access denied, banned sender: Indicates the sender’s IP or domain is blocked due to spam complaints or failed authentication. Resolution requires checking the Microsoft 365 IP allow/block list and submitting a delist request if necessary ^[3].
• 554 5.6.0 Corrupt message content: Often triggered by malformed attachments or nested emails (e.g., forwarding an email with an attached .msg file). The fix involves removing the problematic attachment or resending the content in a different format ^[8].
• 550 5.7.133 Unauthenticated senders not allowed: Occurs when the sender’s domain lacks proper SPF, DKIM, or DMARC records. Admins must verify DNS settings using tools like MXToolbox and update records to include Microsoft 365’s servers ^[2][10].
• 451 4.7.500 Server busy: A temporary throttling error, usually resolved by retrying delivery. If persistent, check for excessive mail volume or review Exchange Online throttling policies ^[3].

To diagnose NDRs systematically:

1. Extract the error code from the bounce message (e.g., 5.7.133).
2. Reference Microsoft’s NDR table ^[3] to match the code with its cause (e.g., DMARC failure, mailbox full).
3. Run the NDR diagnostic tool in the EAC by pasting the error code. This provides tailored solutions, such as adjusting spam filters or correcting DNS records.
4. Check email headers for additional clues. Headers reveal the path an email took, including hops through spam filters or third-party services that may have altered the message.

For external senders experiencing delivery failures, Microsoft emphasizes checking:

• IP reputation: New or shared IPs often trigger spam filters. Use the Sender Score tool to assess reputation ^[10].
• DNS configuration: Validate SPF (v=spf1 include:spf.protection.outlook.com ~all), DKIM, and DMARC records using dig or nslookup commands ^[2].
• Bulk email practices: Ensure compliance with Microsoft’s bulk email guidelines, including clear unsubscribe links and double opt-in processes.