
Exchange Online Protection transport pipeline

How email flows through EOP — connection filtering, content filtering, transport rules, and the deliverability checks.

Understanding how email actually flows through Exchange Online Protection (EOP) demystifies a lot of "why didn't this email deliver?" investigations. The pipeline has several stages, each with specific checks and potential failure points.

The inbound pipeline

When a message arrives at your *.mail.protection.outlook.com MX endpoint:

1. Connection filtering

The sender's IP is evaluated:

  • Connection filter policy — IP allow lists, IP block lists.
  • Reputation checks against Microsoft's spam intelligence.

Messages from known-bad IPs may be rejected at the connection level: the message is never delivered, and the sender gets a rejection.

2. Authentication checks

  • SPF evaluation — does the sending IP match what the sender's SPF record allows?
  • DKIM evaluation — is there a valid DKIM signature?
  • DMARC evaluation — does the message pass DMARC policy (which itself requires SPF or DKIM alignment)?
  • ARC validation — for messages that passed through legitimate forwarders.

Results are stored in authentication headers added to the message. Failures may trigger anti-spoofing actions.

3. Anti-malware scanning

The built-in anti-malware engine checks attachments and the message body. When malware is detected, the message is blocked, quarantined, or deleted, depending on policy.

4. Mail flow rules (transport rules)

Your tenant's transport rules execute. Rules can:

  • Block messages.
  • Modify content (disclaimers, redirect).
  • Apply policy (encrypt, set sensitivity, journal).
  • Adjust spam confidence levels.

Rules are evaluated in order; the first matching rule's actions apply (per category).

5. Anti-spam evaluation

Content-based scoring:

  • Spam confidence level (SCL) — 0 (definitely not spam) to 9 (definitely spam).
  • Bulk complaint level (BCL) — 0 (no bulk complaints) to 9 (heavily complained-about bulk sender).
  • Phish detection — credential phishing, spear phishing, impersonation.

High-confidence detections go to quarantine; lower-confidence detections may go to the Junk Email folder or be delivered with a header annotation.

6. Defender for Office 365 advanced detection

For tenants with Defender for Office 365:

  • Safe Attachments — unknown files detonated in a sandbox.
  • Safe Links — URLs rewritten and validated at click time (post-delivery).
  • Mailbox intelligence — sender pattern recognition.
  • Impersonation protection — comparison against protected users / domains.

7. Delivery

Final delivery to the recipient mailbox. If accepted, the message lands in Inbox, Junk Email, Other (Focused Inbox split), or other folders based on rules and user settings.

The outbound pipeline

Outbound mail goes through a similar pipeline:

  1. Submission from authenticated mailbox or via SMTP.
  2. Transport rules — outbound rules can add disclaimers, encrypt, route via connectors.
  3. Outbound spam filtering — protects your domain reputation; compromised users sending mass spam are throttled or blocked.
  4. DKIM signing — outbound messages get your DKIM signature.
  5. Recipient lookup and delivery — DNS lookup of recipient's MX, TLS-secured delivery.

Investigating delivery problems

The single most useful tool is Message Trace. For any specific message:

  • Find the message by recipient, date, subject, or message ID.
  • See every event in the pipeline — received, scanned, rules applied, queued, delivered, deferred, failed.
  • Drill into details on each event.

For broader patterns:

  • Mail Flow Insights dashboard for trends.
  • Threat Explorer in Defender for Office 365 P2.
  • Quarantine review.

Configuration surfaces

The transport pipeline is configured across:

  • Exchange Admin Center — accepted domains, connectors, transport rules, anti-spam policies, anti-malware policies, anti-phishing.
  • Defender portal — preset security policies, Safe Links, Safe Attachments, Defender for Office 365 alerting.
  • Tenant Allow/Block Lists in Defender — exceptions to default filtering.

Understanding which surface configures which stage saves troubleshooting time.

Common surprises

  • Microsoft 365 to Microsoft 365 mail still goes through the full pipeline — anti-spam, transport rules, etc. — even within the tenant.
  • Internal mail from compromised users is subject to outbound filtering; that's how Microsoft prevents your tenant from being a spam source.
  • Forwarded messages can fail DMARC because the forwarder isn't in your SPF record; ARC validation helps but isn't universal.
  • Transport rule ordering matters — a later-matching rule may not fire if an earlier rule applies a different action of the same category.

For mail-flow problems, walk the pipeline step by step. The fault is almost always in a specific stage, and identifying that stage is most of the diagnostic work.
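
One way to walk the stages from a message that was delivered or quarantined is to read the verdicts EOP stamps into its headers. The script below is an added example, not Microsoft's or this page's code: it parses a constructed header sample and attributes each verdict to a stage of the inbound pipeline. The header names (Authentication-Results, X-Forefront-Antispam-Report, X-Microsoft-Antispam) and the IPV/SFV codes come from Microsoft's anti-spam message header documentation, not from this page, and the mapping of codes to stages is this example's assumption.

```python
import re
from email import message_from_string

# Constructed sample headers, not from a real message (203.0.113.10 is a documentation IP).
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=quarantine header.from=example.com
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;SCL:5;IPV:NLI;SFV:SPM;CAT:SPOOF;DIR:INB;
X-Microsoft-Antispam: BCL:0;
Subject: constructed test

body
"""

AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}

def _fields(value):
    """Parse the 'KEY:value;KEY:value;' syntax of the anti-spam headers into a dict."""
    items = (i.split(":", 1) for i in " ".join(value.split()).split(";") if ":" in i)
    return {k.strip().upper(): v.strip() for k, v in items}

def triage(raw_headers):
    """Return (verdicts, findings); each finding names the pipeline stage that acted."""
    msg = message_from_string(raw_headers)
    auth = " ".join((msg.get("Authentication-Results") or "").split())  # unfold lines
    report = _fields(msg.get("X-Forefront-Antispam-Report") or "")
    bulk = _fields(msg.get("X-Microsoft-Antispam") or "")
    verdicts = {"scl": report.get("SCL"), "bcl": bulk.get("BCL"),
                "sfv": report.get("SFV"), "ipv": report.get("IPV"), "cat": report.get("CAT")}
    findings = []
    if verdicts["ipv"] == "CAL":  # source IP matched the connection filter allow list
        findings.append("connection filtering: source IP is on the IP allow list")
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", auth)
        verdicts[method] = m.group(1).lower() if m else "missing"
        if verdicts[method] in AUTH_FAILURES:
            findings.append(f"authentication checks: {method}={verdicts[method]}")
    if verdicts["sfv"] in ("SKN", "SKS"):  # verdict was fixed before spam filtering ran
        findings.append(f"mail flow rules: verdict set before spam filtering (SFV:{verdicts['sfv']})")
    elif verdicts["sfv"] == "SPM":  # spam filtering itself marked the message
        findings.append(f"anti-spam evaluation: marked as spam, SCL {verdicts['scl']}")
    return verdicts, findings

if __name__ == "__main__":
    for line in triage(SAMPLE)[1]:
        print(line)
```

Headers only record what happened to a message that got far enough to be stamped; a message rejected at connection filtering leaves no headers to read, so Message Trace remains the source for that case.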