Exchange Online Not Sending, Receiving, or Syncing, Real Fixes for 2026

Microsoft Fix Intermediate 14 min read Official Docs Grounded Updated April 20, 2026
What's in This Guide
  1. Why This Happens
  2. The Quick Fix
  3. Step-by-Step Solution
  4. Advanced Troubleshooting
  5. Prevention & Best Practices
  6. FAQ

Why This Is Happening

I've seen this exact scenario play out more times than I can count: you sync your organization's users to Exchange Online, everything looks fine in the admin portal, and then the help desk starts lighting up. Emails bounce. Replies go to the wrong address. Someone's calendar stopped syncing three days ago and they just noticed. Your CEO can't release a message from quarantine. And the error messages Microsoft gives you? Cryptic at best.

Exchange Online not sending, receiving, or syncing properly isn't usually one problem, it's a category of related problems that share common root causes. Understanding which bucket your issue falls into is half the battle.

The most common culprits I've traced these issues back to are:

  • Unverified domains in Microsoft 365. This is the silent killer. When you have a domain that hasn't been fully verified in your Microsoft 365 tenant, Exchange Online falls back to routing mail through your *.onmicrosoft.com address. Users see a primary SMTP address like jane@contoso.onmicrosoft.com instead of jane@contoso.com, and recipients start bouncing mail back with NDRs.
  • Incorrect administrator role assignments. Trying to manage Exchange Online via PowerShell without the right role group membership throws an "Access is denied" wall that stops everything cold, including bulk fixes that admins need to run to resolve the underlying mail flow problems.
  • The RemotePowerShellEnabled flag being set to False. This one is subtle. A single parameter on a user account silently blocks all remote PowerShell connections, generating a "Bad Request" error that looks like a network or credential issue but isn't.
  • Remote mailbox objects not being ACLable. In hybrid environments where you've provisioned mailboxes using New-RemoteMailbox, on-premises users can't assign delegate access or folder permissions to cloud mailbox users, which breaks shared workflows teams depend on.
  • Quarantine release failures on Mac/Safari. Users on Macs with Safari get prompted for a client certificate when releasing quarantined messages, and because the certificate doesn't exist, they're completely blocked.

What makes Exchange Online troubleshooting frustrating is that Microsoft's error messages are written for engineers who already know the answer. "554 5.4.14 Hop Count exceeded, possible mail loop ATTR34" doesn't tell a help desk tech anything actionable. Neither does "Access is denied" when the real problem is a missing role assignment.

I'm going to walk you through every major scenario, starting with the fix that resolves the majority of Exchange Online sending and receiving problems, then going deeper for the edge cases. Browse all Microsoft fix guides →

The Quick Fix, Try This First

If users in your organization are getting non-delivery reports (NDRs) and the bounce messages reference your *.onmicrosoft.com address, or if their primary SMTP address is showing up wrong in the global address list, the fix is almost always the same: you have one or more unverified domains in Microsoft 365.

Here's exactly what to do:

  1. Sign in to the Microsoft 365 admin center at admin.microsoft.com with a Global Administrator account.
  2. In the left navigation, go to Settings > Domains.
  3. Look for any domain listed with a status other than Healthy. You might see "Setup incomplete" or a yellow warning icon.
  4. Click on the affected domain name, then click Continue setup.
  5. Follow the wizard to add the required DNS records, typically a TXT record for verification, plus MX and CNAME records for mail flow. Your DNS provider's control panel is where you actually add these.
  6. Once DNS propagates (give it up to 48 hours, though it's usually under an hour with modern providers), return to the Domains page and confirm the status shows Healthy.

After the domain is verified, Exchange Online will automatically correct the primary SMTP address assignments for synced users. You may need to trigger a delta sync from your on-premises Azure AD Connect server to push the updates faster:

Start-ADSyncSyncCycle -PolicyType Delta

Run that from a PowerShell session on your Azure AD Connect server. Within minutes, the corrected addresses should propagate to Exchange Online and mail flow should resume normally.

If users are still getting the NDR "554 5.4.14 Hop Count exceeded, possible mail loop ATTR34" even after domain verification, that error specifically means Exchange is detecting a routing loop. This usually clears up once the correct MX records are in place and verified. Double-check that your MX records point to *.mail.protection.outlook.com and not to an on-premises server that's forwarding back to the cloud.

Pro Tip
Before you start any Exchange Online troubleshooting session, open the Microsoft Remote Connectivity Analyzer at testconnectivity.microsoft.com. Run the "Outbound SMTP Email" and "Exchange ActiveSync" tests against the affected user account. The analyzer gives you a plain-English diagnosis in under two minutes and frequently surfaces domain verification and DNS misconfiguration issues that would otherwise take an hour to find manually.
1
Verify and Fix Unverified Domains Causing SMTP Address Problems

When Exchange Online is not sending mail correctly or addresses appear as user@contoso.onmicrosoft.com instead of your custom domain, the root cause is almost always an unverified domain. This behavior is by design in Microsoft 365, if Exchange can't confirm you own a domain, it won't route mail through it.

Start at Settings > Domains in the Microsoft 365 admin center. Every domain that isn't showing a green "Healthy" badge needs attention. Click through each problem domain and run the setup wizard. The wizard will tell you exactly which DNS records are missing.

The three records that matter most for Exchange Online mail flow are:

  • MX record, must point to your tenant's *.mail.protection.outlook.com address
  • SPF TXT record, should include include:spf.protection.outlook.com
  • Autodiscover CNAME, autodiscover.yourdomain.com pointing to autodiscover.outlook.com

Once you've added those records at your DNS provider, use a tool like MXToolbox to verify propagation before declaring success. After verification, Exchange Online will stop substituting the *.onmicrosoft.com fallback address and start routing mail through your proper domain. If you also notice secondary SMTP addresses (aliases) are missing, those typically restore themselves within one full sync cycle after domain verification completes.

You'll know this step worked when affected users can send test emails and the From address in received messages shows their real domain address, not the onmicrosoft.com fallback.

2
Fix "Access Is Denied" When Connecting to Exchange Online via PowerShell

If you're hitting a wall with this error trying to connect to Exchange Online via remote PowerShell:

[outlook.office365.com] Connecting to remote server failed with the following
error message: Access is denied.

...don't assume it's a password problem. I know that sounds obvious, but "Access is denied" in this context almost never means your credentials are wrong. It means the account you're using doesn't have the right Exchange role assignment, or your tenant has Security Defaults enabled, which blocks legacy authentication entirely.

Here's how to rule out the role assignment issue first. Sign in to the Microsoft 365 portal at portal.office.com as a Global Administrator, then navigate to Admin > Exchange > Permissions > Admin Roles. Find the role group you want to assign, for full Exchange management access including PowerShell, that's Organization Management. Double-click it, then click the Add button under the Members section, select your user account, and click Save.

Role changes in Exchange Online don't propagate instantly. Give it 15 to 30 minutes, then try reconnecting. If you're using the modern ExchangeOnlineManagement module (which you should be, the old remote PowerShell method is deprecated), connect with:

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

If your tenant has Security Defaults enabled, the old $Session = New-PSSession approach will never work regardless of role assignment. You must use the modern authentication method via the ExchangeOnlineManagement module. Install it with Install-Module ExchangeOnlineManagement if you haven't already.

Success looks like a PowerShell prompt that returns without error and lets you run Get-Mailbox to list mailboxes.

3
Resolve "Bad Request" PowerShell Connection Errors

This one trips up even experienced admins because the error message is completely misleading:

New-PSSession: [outlook.office365.com] Connecting to remote server
outlook.office365.com failed with the following error message: Bad Request

"Bad Request" sounds like a malformed command or a network issue. It's neither. This error appears when the RemotePowerShellEnabled parameter on the specific user account is set to False. That parameter exists, and it can get set to False by automated processes, compliance policies, or a well-meaning admin who didn't realize what they were disabling.

To check the current value for the affected account, you'll need another admin account that can connect to Exchange Online. Once connected, run:

Get-User -Identity user@contoso.com | Select RemotePowerShellEnabled

If that returns False, fix it with:

Set-User -Identity user@contoso.com -RemotePowerShellEnabled $True

Microsoft's documentation specifically notes to allow 15 to 20 minutes for this setting to take effect after you change it. Don't immediately test and assume it failed, set a timer and wait the full window before retrying the PowerShell connection.

Once the setting propagates, the user should be able to connect without the Bad Request error. If you're doing this for multiple accounts, you can pipe a list through Set-User to fix them in bulk rather than one at a time.

4
Make Remote Mailboxes ACLable for Delegate and Folder Permission Access

In hybrid Exchange environments, one of the most disruptive problems is when on-premises users can't add cloud mailbox users as delegates or grant folder permissions. The calendar assistant breaks. Shared inbox access stops working. And the users affected have no idea why, from their perspective, the option to add a delegate just doesn't work.

The root cause is that remote mailboxes created with the New-RemoteMailbox cmdlet aren't ACLable by default. The msExchRecipientDisplayType attribute on the on-premises Active Directory object needs to be set correctly.

There are two ways to fix this. The first is to update the attribute directly on existing remote mailbox objects. From an on-premises Exchange Management Shell or a machine with the AD module, set the msExchRecipientDisplayType attribute to -1073741818 for the affected users.

The cleaner approach going forward is to enable ACLable objects at the organization level so that all future migrated mailboxes are ACLable automatically. Run this command from your on-premises Exchange Management Shell:

Set-OrganizationConfig -ACLableSyncedObjectEnabled $True

Important: this organization-level setting only applies to mailboxes that were migrated from on-premises to Exchange Online, not mailboxes provisioned directly in the cloud. If the mailbox was created directly in Exchange Online (cloud-only), this won't help and you'll need to handle delegation through Exchange Online admin tools directly.

After enabling this setting and running a full AD sync, on-premises users should be able to add cloud mailbox users as delegates through Outlook without errors.

5
Fix Quarantine Release Failures for Mac Users on Safari

Mac users in your organization hitting the quarantine portal and getting this prompt from Safari are completely stuck:

The website "na01-quarantine.dataservice.protection.outlook.com" requires a client certificate.

They can't release their quarantined messages, and that means legitimate emails sit in quarantine indefinitely. This is a Safari and Mac Keychain interaction issue, not an Exchange Online configuration problem, but you need to fix it from the client side.

Here's the fix process. Have the affected user do the following on their Mac:

  1. Open Finder and navigate to Applications > Utilities > Keychain Access.
  2. In the Keychain Access window, look through the certificates list for any entries that match what Safari showed in the client certificate dialog, certificates associated with the quarantine service or with "This client requires a certificate" prompts.
  3. Select those certificates and delete them from Keychain Access. You may need to authenticate with your Mac password to complete the deletion.
  4. Quit Safari completely, not just close the window. Use Cmd+Q or right-click the dock icon and choose Quit.
  5. Reopen Safari and navigate back to the quarantine portal.

After clearing those stale certificates from Keychain, Safari stops presenting the incorrect client certificate prompt and the quarantine portal loads normally. Users can then review and release their held messages without admin intervention.

If the problem persists after clearing Keychain, have the user try accessing the quarantine portal through Chrome or Firefox as a workaround, both browsers handle the certificate negotiation with the Microsoft quarantine service without triggering this issue.

Advanced Troubleshooting

When the standard fixes above don't resolve Exchange Online not sending, receiving, or syncing, the problem is usually deeper, hybrid configuration issues, mail flow rule conflicts, or connector misconfiguration. Here's how to dig further.

Analyzing NDR Error Codes

Exchange Online generates specific SMTP error codes when mail can't be delivered. The NDR "554 5.4.14 Hop Count exceeded, possible mail loop ATTR34" specifically tells you that a message has bounced back and forth too many times between servers. In practice, this almost always means your MX records point to an on-premises server that's forwarding to Exchange Online, while Exchange Online is trying to deliver back on-premises, creating a loop.

Check your mail flow connectors in the Exchange admin center under Mail flow > Connectors. If you have an outbound connector sending mail from Exchange Online to your on-premises server, verify the routing conditions are correct and that you're not accidentally routing all mail on-premises when it should deliver directly from the cloud.

Investigating with Message Trace

The single most powerful tool for Exchange Online mail delivery troubleshooting is Message Trace. In the Exchange admin center, go to Mail flow > Message trace. You can search by sender, recipient, message ID, or date range and see exactly what Exchange Online did with each message, including which connector was used, what rules fired, and where delivery failed.

For messages older than 10 days, use the "Extended message trace" option. The results take up to an hour to generate but go back 90 days. Filter by the NDR status to quickly isolate all failed deliveries in a given time window.

Checking Transport Rules and Safe Links

Transport rules (mail flow rules) can silently block or redirect messages without generating a traditional NDR. Go to Mail flow > Rules in the Exchange admin center and look for rules that might be matching your affected senders or recipients. Temporarily disable rules one at a time and test to isolate whether a rule is interfering with delivery.

In environments with Microsoft Defender for Office 365, Safe Links URL rewriting can sometimes cause issues with mail clients that don't handle redirected URLs cleanly. Check your Safe Links policies under Security > Policies & rules > Threat policies > Safe Links.

PowerShell Diagnostics for Mail Flow

Once you have Exchange Online PowerShell access working, these commands are your best friends for diagnosing delivery issues:

# Check if a specific mailbox can receive mail
Get-Mailbox -Identity user@contoso.com | Select PrimarySmtpAddress, EmailAddresses, HiddenFromAddressListsEnabled

# Check accepted domains
Get-AcceptedDomain | Select DomainName, DomainType, Default

# Review mail flow connectors
Get-InboundConnector | Select Name, Enabled, TlsSenderCertificateName
Get-OutboundConnector | Select Name, Enabled, SmartHosts, RecipientDomains

If Get-AcceptedDomain shows your custom domain with a type of "Authoritative" and the Default flag is True, Exchange Online considers itself the final destination for that domain. If the MX record doesn't point here, you'll get the mail loop NDR.

When to Call Microsoft Support

Escalate to Microsoft Support when: you've verified all domains, confirmed MX records are correct, fixed role assignments, and mail still won't flow, or when the Exchange admin center itself is throwing errors. Also escalate for hybrid configuration problems involving certificate mismatches on your Exchange hybrid server, or if Message Trace shows messages accepted by Exchange Online but never delivered with no actionable error. These scenarios often involve backend tenant configuration that only Microsoft engineering can access.

Prevention & Best Practices

Most Exchange Online sending, receiving, and syncing problems are preventable. The organizations I've seen suffer the least downtime around Exchange Online are the ones that treat it as an ongoing operational concern rather than a "set it and forget it" service. Here's what that looks like in practice.

Monitor domain verification status proactively. When you add a new domain to Microsoft 365, set a calendar reminder to verify its status 48 hours after adding it. DNS propagation delays mean domains sometimes silently fall back to unverified status if a TTL expires and the record isn't refreshed correctly. A monthly check of your Domains page in the admin center costs you five minutes and can prevent a full morning of mail delivery failures.

Document your mail flow connectors. Every connector in Exchange Online should have a clear description of what it does, who set it up, and why. Undocumented connectors get forgotten, then modified by a well-meaning admin who doesn't realize they're looking at a critical hybrid transport path. Write the purpose in the connector's Description field, Exchange Online stores it and displays it right there in the admin center.

Use the minimum necessary PowerShell access. Don't put everyone who needs Exchange management access into Organization Management. Create a more restricted role group for day-to-day tasks. This reduces the blast radius when credentials are compromised and keeps your audit logs readable.

In hybrid environments, enable ACLable objects at the start. Run Set-OrganizationConfig -ACLableSyncedObjectEnabled $True before your first batch of mailbox migrations, not after users start complaining that delegate access is broken. Retrofitting this setting to existing mailboxes is more work than getting it right upfront.

Set up Service Health alerts. Microsoft 365 has its own service health dashboard at admin.microsoft.com/adminportal/home#/servicehealth. You can subscribe to email alerts for Exchange Online incidents. When Microsoft's own infrastructure has an issue affecting mail flow, you want to know about it from Microsoft, not from an angry executive's IT ticket.

Quick Wins
  • Run the Microsoft Remote Connectivity Analyzer against a test account after any DNS or connector change, it catches misconfigurations before users do
  • Enable DMARC, DKIM, and SPF on all your Microsoft 365 domains, these prevent spoofing and reduce the chance your legitimate mail gets quarantined
  • Keep the ExchangeOnlineManagement PowerShell module updated (Update-Module ExchangeOnlineManagement), Microsoft regularly patches connection issues that would otherwise block admin access
  • Use named accounts for Exchange Online administration instead of shared admin credentials, when something breaks, you want the audit trail to show who made what change

Frequently Asked Questions

Why is Exchange Online showing my email address as user@contoso.onmicrosoft.com instead of my real domain?

This happens because your custom domain hasn't been verified in Microsoft 365. When Exchange Online can't confirm you own a domain, it falls back to your tenant's default *.onmicrosoft.com address for routing and display purposes. The fix is to go to Settings > Domains in the Microsoft 365 admin center and complete the verification steps for your custom domain, which involves adding specific DNS records at your domain registrar. Once the domain shows as "Healthy," Exchange Online will restore your correct primary SMTP addresses, though you may need to trigger an Azure AD sync to speed up the update.

I'm getting "554 5.4.14 Hop Count exceeded" NDR errors, what does that mean and how do I stop it?

That error code means Exchange Online detected a mail routing loop, your message has been bouncing back and forth between servers too many times without being delivered. The most common cause in Microsoft 365 environments is a misconfigured outbound connector that sends cloud-destined mail back to your on-premises Exchange server, which then forwards it back to the cloud. Check your MX records to confirm they point to *.mail.protection.outlook.com, and review your mail flow connectors in Exchange admin center under Mail flow > Connectors to make sure nothing is creating a circular routing path. Once the MX records are correct and the domain is verified, this error typically stops immediately.

My Mac users can't release quarantined messages in Safari, they keep getting a certificate prompt. How do I fix it?

This is a known issue with Safari on Mac and the Microsoft 365 quarantine portal. Safari is presenting a stale or incorrect client certificate that's stored in Mac Keychain, and the quarantine service rejects it. Have the affected user open Keychain Access (Applications > Utilities > Keychain Access), find and delete any certificates that appeared in the Safari certificate dialog, then completely quit and reopen Safari. That clears the bad certificate and lets the quarantine portal load normally. If they need immediate access, Chrome and Firefox don't have this issue and work fine with the quarantine portal in the meantime.

Why can't on-premises users add Exchange Online mailbox users as delegates in Outlook?

In hybrid Exchange environments, remote mailboxes created with the New-RemoteMailbox cmdlet are not ACLable by default, meaning on-premises users can't assign delegate access or folder permissions to those cloud mailbox objects. You can fix this at the organization level by running Set-OrganizationConfig -ACLableSyncedObjectEnabled $True from your on-premises Exchange Management Shell, which makes all future migrated mailboxes ACLable. For existing mailboxes, you can also use the -ACLableSyncedObjectEnabled parameter on the Enable-RemoteMailbox cmdlet, or manually update the msExchRecipientDisplayType attribute in Active Directory to -1073741818. Note that this only applies to migrated mailboxes, not to cloud-only mailboxes provisioned directly in Exchange Online.

I get "Access is denied" when connecting to Exchange Online PowerShell even though my credentials are correct. What's wrong?

Correct credentials aren't enough, your account also needs to be a member of an Exchange Online administrator role group. Sign in to the Microsoft 365 portal as a Global Admin, go to Admin > Exchange > Permissions > Admin Roles, and add your account to the appropriate role group (Organization Management gives full access including PowerShell). The other common cause is Security Defaults being enabled on your tenant, which blocks the legacy remote PowerShell connection method entirely. If Security Defaults are on, you must use the modern Connect-ExchangeOnline cmdlet from the ExchangeOnlineManagement module instead of the old New-PSSession approach.

Exchange Online PowerShell gives me a "Bad Request" error, I've checked my password and it's right. What else could it be?

"Bad Request" in Exchange Online PowerShell connections almost always means the RemotePowerShellEnabled parameter on your user account is set to False, not a password problem, not a network issue. Have another admin with working PowerShell access run Get-User -Identity youraddress@domain.com | Select RemotePowerShellEnabled to check. If it's False, they can fix it with Set-User -Identity youraddress@domain.com -RemotePowerShellEnabled $True. Microsoft says to wait 15 to 20 minutes after making that change before testing again, the setting doesn't propagate instantly, so don't assume it failed if your first retry still gets the error.

Related Microsoft Fix Guides

Microsoft Fix
How to Fix Windows Update Errors (Error 0x80070003 & More)
Microsoft Fix
Fix Microsoft 365 Sign-In Problems, Complete Guide
Microsoft Fix
Azure Active Directory Troubleshooting Guide
Browse All
5,000+ Microsoft Fix Guides →
H
Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.