Partner email not reaching the mailbox in Microsoft 365 — causes and fixes

A partner sends an important email, but the recipient in the organization can’t find it anywhere — it’s not even in the Junk folder. Most likely, the email was rated as the highest level of spam by Microsoft 365 (Exchange Online Protection) and then sent to Quarantine or dropped outright (Drop) — so Message Trace shows the status Failed / Quarantined.

This article shows admins how to verify it with Message Trace and allow (trust) the sender so the email can reach the mailbox again.

Message Trace result: all emails from the partner show Failed or Quarantined status and do not reach the mailbox

Who is this article for?

The organization’s Microsoft 365 / Exchange Online admin (with access to the Exchange admin center or Microsoft Defender portal). These steps are performed at the organization level, not in each user’s Outlook.

Symptom: emails disappear without a trace

  • The sender confirms they sent it, and usually does not receive a clear non-delivery report (NDR).
  • The recipient can’t find it in either Inbox or Junk.
  • This often happens with emails from automated systems (no-reply), bulk emails, or sender domains with improper authentication configuration.
Message events details show the email was assigned Spam confidence level 9

What is SCL, and why is the email “Dropped”?

SCL (Spam Confidence Level) is a score from -1 to 9 that Exchange Online Protection assigns to each email: the higher the score, the more likely it is to be spam. The corresponding actions are:

SCLMeaningDefault action
-1Bypass spam filtering (from allow-list / safe sender / mail flow rule)Delivered to Inbox
0 – 1Not spamDelivered to Inbox
5 – 6SpamJunk folder
9High confidence spam (high confidence spam)Depending on policy: Junk / Quarantine / Reject / Drop

In this case, the email was assigned SCL 9. Depending on the configuration, Microsoft 365 puts the email in Quarantine or drops it outright (Drop) — in Message Trace, the status usually appears as Quarantined or Failed, while the Message events table clearly shows the Drop event with Reason: LED=550.

“Drop” means it is gone completely

Unlike Junk (still kept in the Junk folder for about 30 days) or Quarantine (still kept in quarantine, where admins/users can review it), Drop means the email is discarded and not stored anywhere. The recipient cannot recover it on their own — an admin must handle it first and then ask the sender to resend it.

Step 1 — Verify with Message Trace

Before you trust the sender, confirm the exact cause with the message tracking tool:

1. Go to Exchange admin center (admin.cloud.microsoft/exchange) → Mail flowMessage trace.

Open Message trace in Exchange admin center via Mail flow, then Message trace

2. Set the conditions: Sender = the partner’s address, select an appropriate time rangeSearch.

Set Message trace conditions: select the sender and time range, then click Search
Message Trace results display the email to inspect

3. Open the result row → view the Message events table.

Message events table: Receive, Drop with Reason LED=550, and Spam confidence level 9

A typical event sequence for an email blocked by the filter:

  • Receive — the server has received the email.
  • Spam — it was assigned Spam confidence level: 9.
  • Drop — Reason: [LED=550 …] → the message was blocked (sent to Quarantine or dropped entirely).

LED=550 is an SMTP status code indicating that the server blocked the email (with the reason “high confidence spam”); the overall status may be Quarantined (still recoverable in quarantine) or Failed. Seeing SCL 9 together with Drop/Quarantine is enough to confirm that the email was blocked by the organization’s spam filter — not because of a connectivity issue or an incorrect address.

Step 2 — Allow (trust) the sender

“Safe Senders” in Outlook cannot fix SCL 9

Adding the address to Safe Senders in the user’s Outlook has no effect on high confidence spam blocked at the organization level. You must trust it at the admin level using one of the two methods below.

Method 1 (recommended) — Create a Mail flow rule

The most reliable way: force mail from the partner’s domain/address to bypass the spam filter in Exchange Online.

1. Sign in to Exchange admin center: admin.exchange.microsoft.com.

2. Go to Mail flowRulesAdd a ruleCreate a new rule.

Create a new transport rule: Mail flow, Rules, Add a rule, Create a new rule

3. Set rule conditions:

  • Name: Enter a recognizable name, for example “Allow trusted partner”.
  • Apply this rule ifThe senderdomain is → doitac.com.vn (or The sender is[email protected] if you only want to trust one address).
Transport rule condition: choose domain is under The sender
  • Specify domain: Enter the domains of partners you trust.
Enter the partner domain for the The sender domain is condition

4.Do the followingModify the message properties 

Do the following: Modify the message properties, then Set the spam confidence level (SCL)

5.Set the spam confidence level (SCL)Bypass spam filtering

Set Set the spam confidence level (SCL) to Bypass spam filtering (-1)
Review and save the transport rule at the Review and finish step

6. Rule mode: Choose Enforce → Next

The newly created transport rule appears in the Rules list

From this point on, emails from the specified domain or address will bypass the spam filter and go directly to Inbox.

Enable the transport rule to apply it to mail flow

7. By default, after creation, the rule will not be enabled automatically.

8. Select the rule you just created and enable it.

Method 2 — Anti-spam Allow List (Defender)

1. Go to the Microsoft Defender portal: security.microsoft.com.

2. Go to Email & collaborationPolicies & rulesThreat policies.

Open Anti-spam policies in Microsoft Defender: Email & collaboration, Policies & rules, Threat policies

3. On the Threat policies page → Anti-spam policies.

List of Anti-spam inbound policies in Microsoft Defender

4. Edit the Anti-spam inbound policy (Default) for users.

Edit the Anti-spam inbound policy applied to users

5. In the window that opens, select Edit allowed and blocked senders and domains.

Allowed senders and Allowed domains section in the Anti-spam policy

6. Add Allowed senders: [email protected] — or Allowed domains: doitac.com.vn.

Allowed and blocked senders and domains panel for adding a sender or domain to the allow list

Trust narrowly or broadly?

If the partner has only one sending system, trust exactly one address ([email protected]). If multiple services from them send legitimate emails, you can trust the entire domain (doitac.com.vn). Do not create overly broad rules (bypassing checks for all email) before verifying the identity of the sending domain.

Add the partner domain to the Allowed domains list

If it is still being dropped

You trusted it, but the email is still being dropped? If Message Trace shows SCL 9 + Drop, it may not be caused only by normal spam filtering, but also by:

  • High Confidence Spam — a separate action in the anti-spam policy.
  • Anti-phishing — anti-spoofing/impersonation policy.
  • Tenant Allow/Block List — there is a Block entry blocking this domain/address.
  • Or another Transport Rule (mail flow rule) is affecting it.

To determine the exact cause:

  • Open the details of the Drop event in Message Trace and read the full Reason: 550 … line.
  • Or select Prepare and email extended report to receive a detailed report for analysis.

Step 3 — Check again

1. Ask the partner to resend the email (or wait for the next scheduled email).

2. Run Message trace again with the same sender.

3. This time, the event sequence should be Receive → Deliver with Status: Delivered — the email has reached Inbox.

Permanent solution

An allow-list is only a temporary workaround on the recipient side. The root cause of emails being marked as spam usually lies with the sender not having proper authentication configured. If possible, ask the partner to check:

  • SPF — the DNS record that specifies which servers are allowed to send mail on behalf of the domain.
  • DKIM — the digital signature that proves the message came from the correct source and was not modified in transit.
  • DMARC — the policy for handling SPF/DKIM failures, along with reporting.

When these three are properly set up, emails will almost never be assigned a high SCL, and you won’t need an allow-list anymore — which is also safer.

Do not overuse allow-lists

Each trust entry is a potential vulnerability: if an attacker spoofs a trusted domain, they can bypass the filter. Only trust sources that are truly necessary, set review deadlines, and prioritize fixing sender-side authentication.

Summary

  • Email disappears and is not even in Junk → likely dropped as spam.
  • Message Trace shows SCL 9 with Drop/Quarantine (LED=550) and Failed/Quarantined status — that confirms it.
  • Trust it by using: a Mail flow rule that sets SCL -1 (recommended) or Anti-spam Allow List.
  • Still being dropped → check other High Confidence Spam / Anti-phishing / Tenant Allow-Block List / Transport rule settings; read Reason: 550 or get the extended report.
  • Verify again with Message Trace → Delivered.
  • Long-term: ask the sender to standardize SPF / DKIM / DMARC.

Leave a Comment

Required fields are marked *