Exchange Server mails not received with FAIL AGENT in logs

Question

using exchange server 2013;

A few of exchange users are complaining that they are not receiving emails from a certain domain's certain users. I have checked the sender domains and domain is not found in any BL and domains SPF records are good as well.

so situation is

user1@externaldomain.com sends to myuser@mydomain.com and mail is received. User2@externaldomain.com sends to myuser@mydomain.com and mail is not received. User3@externaldomain.com sends to myuser@mydomain.com and mail is not received.

And a similar complain is made by another user. So, I check a few things and found something in Message tracking…

[PS] C:\Windows\system32>Get-MessageTrackingLog -Server MYSERVER -Start "02/19/2019 02:00:00" -End "02/20/2019 16:00:00" -Recipients "myuser@mydomain.com”

HARED... SMTP     user1@externaldomain.com                 {myuser@mydomain.com}
RECEIVE  SMTP     user1@externaldomain.com                 {myuser@mydomain.com}
FAIL     AGENT    user1@externaldomain.com                 {myuser@mydomain.com}
AGENT... AGENT    user1@externaldomain.com                 {myuser@mydomain.com}
HARED... SMTP     user1@externaldomain.com                 {myuser@mydomain.com}
RECEIVE  SMTP     user1@externaldomain.com                 {myuser@mydomain.com}
FAIL     AGENT    user1@externaldomain.com                 {myuser@mydomain.com}
AGENT... AGENT    user1@externaldomain.com                 {myuser@mydomain.com}

I am not sure what is happening. why and what is causing that FAIL

Here are some more details

[PS] C:\Windows\system32>get-ContentFilterConfig

RunspaceId                            : dd89fbfd-2586-406a-a43f-00c61164159d
Name                                  : ContentFilterConfig
RejectionResponse                     : Message rejected as spam by Content Filtering.
OutlookEmailPostmarkValidationEnabled : True
BypassedRecipients                    : {}
QuarantineMailbox                     :
SCLRejectThreshold                    : 7
SCLRejectEnabled                      : True
SCLDeleteThreshold                    : 9
SCLDeleteEnabled                      : False
SCLQuarantineThreshold                : 9
SCLQuarantineEnabled                  : False
BypassedSenders                       : {}
BypassedSenderDomains                 : { externaldomain.com, externaldomain2.com, paypa.com, CCC.net, gmail.com, microsoft.com}
Enabled                               : True
ExternalMailEnabled                   : True
InternalMailEnabled                   : False
AdminDisplayName                      :
ExchangeVersion                       : 0.1 (8.0.535.0)
DistinguishedName                     : CN=ContentFilterConfig,CN=Message Hygiene,CN=Transport
                                        Settings,CN= MYDOMAIN,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=MYDOMAIN,DC=com
Identity                              : ContentFilterConfig
Guid                                  : 5091c1d6-14da-41db-b651-5c09135de269
ObjectCategory                        : MYDOMAIN/Configuration/Schema/ms-Exch-Message-Hygiene-Content-Filter-Con
                                        fig
ObjectClass                           : {top, msExchAgent, msExchMessageHygieneContentFilterConfig}
WhenChanged                           : 2/13/2019 12:17:42 AM
WhenCreated                           : 4/29/2015 2:26:41 AM
WhenChangedUTC                        : 2/13/2019 8:17:42 AM
WhenCreatedUTC                        : 4/29/2015 9:26:41 AM
OrganizationId                        :
OriginatingServer                     : ADS.MYDOMAIN.com
IsValid                               : True
ObjectState                           : Unchanged

If you notice I have already set some domains in "BypassedSenderDomains" and externaldomain.com has already been added and my spam agent logs are showing that as well, and here are some spam agent logs

2019-02-20T02:28:52.455Z,08D6667109583CE6,xx.xx.xxx.xxx:2525,xx.xx..0.100:61670,xx.xx..0.100,<DB7P193MB03958494272A2C15517BE7F7AA7D0@DB7P193MB0395.EURP193.PROD.OUTLOOK.COM>,user1@externaldomain.com,user1@externaldomain.com;,myuser@mydomain.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,,d70d3909-03ce-4458-3f21-08d696db2785,,Incoming

2019-02-20T02:30:25.064Z,08D6667109583CE6,xx.xx.xxx.xxx:2525,xx.xx..8.115:26160,xx.xx..8.115,<DB7P193MB0395D65CF9FA48BAAA779366AA7D0@DB7P193MB0395.EURP193.PROD.OUTLOOK.COM>,user1@externaldomain.com,user1@externaldomain.com;,myuser@mydomain.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,,f612e78e-b3f0-4987-5969-08d696db5eb8,,Incoming

2019-02-20T05:03:04.567Z,08D6667109583D5F,xx.xx.xxx.xxx:2525,xx.xx..14.131:24231,xx.xx..14.131,<DB7P193MB0395AB0AA0027FECA619C88BAA7D0@DB7P193MB0395.EURP193.PROD.OUTLOOK.COM>,user1@externaldomain.com,user1@externaldomain.com;,myuser@mydomain.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,,ccc92992-4a25-4a7f-9627-08d696f0b235,,Incoming

2019-02-20T06:42:41.796Z,08D6667109583DB4,xx.xx.xxx.xxx:2525,xx.xx..2.120:45283,xx.xx..2.120,<DB7P193MB0395E5E84AD36322A620F6A9AA7D0@DB7P193MB0395.EURP193.PROD.OUTLOOK.COM>,user1@externaldomain.com,user1@externaldomain.com;,myuser@mydomain.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,,085ea7bd-add4-43f2-4d93-08d696fe9cea,,Incoming

2019-02-20T09:36:35.505Z,08D6667109583E99,xx.xx.xxx.xxx:2525,xx.xx..5.98:42760,xx.xx..5.98,<AM5P193MB0020E28194DFBEC6E1A4B99EA57D0@AM5P193MB0020.EURP193.PROD.OUTLOOK.COM>,user2@externaldomain.com,user2@externaldomain.com;,myuser@mydomain.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,,439ae10c-c673-45fc-f7c2-08d69716e7e3,,Incoming

Please advise what i need to check to make sure that my user always receives mails from a certain domain.

Thank you Ali

Answer 1

Since the event type is fail and the source is agent, it refers to the transport agent, which is being blocked by a transport rule. Have you had a look at the transport config yet? Here's a similar thread for your reference:

https://social.technet.microsoft.com/Forums/en-US/27072b07-6d54-47c4-a724-eaecd9e5aebd/transport-rules-and-message-tracking?forum=exchangesvrsecuremessaginglegacy