Delayed or blocked emails within a hybrid environment


Your organization is using a hybrid Exchange environment. Emails recently started to be delivered with a delay or fail to be delivered at all. The problems seem to intensify over time.


The problems you’re experiencing are most likely related to Microsoft’s (Mail) Transport-based Enforcement System that gradually restricts your mail flow from vulnerable Exchange server(s) to Exchange Online in your hybrid environment. The general purpose of the system is to encourage admins to patch or upgrade vulnerable on-premises servers to ensure overall security of your organization and Exchange Online.

Once the system detects that emails coming to Exchange Online are sent from a vulnerable version of Exchange Server like:

  • an unsupported version, e.g. Exchange Server 2010,
  • a version that hasn’t been updated/patched for a long time, e.g. Exchange Server 2016 that’s behind with security updates,

you’ll get a compliance report telling you how to avoid throttling (delaying) or blocking your mail flow in the future.

After a vulnerability is detected, you have 30 days to remediate the affected on-premises server(s). If you fail to do so, Exchange Online will start throttling incoming connections from the server(s), which will result in email delivery delays. The throttling will increase over time.

If you fail to remediate your server(s) for another 30 days, Exchange Online will start blocking emails. The degree of blocking will increase over time as well, resulting in a complete mail flow block 90 days after the vulnerability was first detected.


If you need more time to remediate your on-premises server(s), you can also pause the Transport-based Enforcement System for up to 90 days per year. This will temporarily stop it from throttling and blocking emails sent from vulnerable servers in your environment.
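To plan remediation against the 30/60/90-day escalation described above, the following added example (not part of the original article and not Microsoft or CodeTwo code) turns the detection dates from a compliance report into the current stage and next escalation date per server. The server names and dates are constructed, the boundary day is assumed to start the next stage, and pauses are not modelled.

```python
from datetime import date, timedelta

# Escalation points in days since first detection, taken from the article.
# Assumption: the boundary day itself counts as the start of the next stage.
STAGES = [(0, "grace period"), (30, "throttling"), (60, "blocking"), (90, "full block")]


def stage_on(detected: date, today: date) -> str:
    """Enforcement stage that applies to a server on `today`."""
    elapsed = (today - detected).days
    if elapsed < 0:
        raise ValueError("detection date is in the future")
    # The last stage whose start day has been reached is the active one.
    return [name for start, name in STAGES if elapsed >= start][-1]


def next_escalation(detected: date, today: date):
    """Return (stage, date, days_left) for the next escalation, or None after day 90."""
    elapsed = (today - detected).days
    for start, name in STAGES:
        if start > elapsed:
            return name, detected + timedelta(days=start), start - elapsed
    return None


def triage(report: dict, today: date) -> list:
    """List servers with the furthest-escalated (oldest detection) first."""
    rows = [
        {
            "server": server,
            "stage": stage_on(detected, today),
            "next": next_escalation(detected, today),
        }
        for server, detected in report.items()
    ]
    return sorted(rows, key=lambda r: report[r["server"]])


# Constructed sample: hypothetical server names and detection dates.
SAMPLE_REPORT = {
    "EXCH-A": date(2024, 1, 10),
    "EXCH-B": date(2024, 3, 1),
    "EXCH-C": date(2023, 11, 20),
}

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT, date(2024, 3, 15)):
        print(row)
```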

Learn more about the Transport-based Enforcement System, ability to pause it & more

Addressing the problems

To eliminate the problems with email delivery, address the issue(s) listed in the compliance report:

  • Update/patch the server(s) that are still supported (e.g. Exchange Server 2016).
  • If your server(s) are not supported, migrate to a supported Exchange Server version (e.g. Exchange Server 2019). To do it, you can use the native methods or go for the CodeTwo migration tool, which is a lot easier to use and offers a number of additional features, including the possibility to quickly delta-migrate emails sent by users while the migration is under way.

Alternatively, you can retire your on-premises server(s) and decide to go 100% with the cloud, moving all your local mailboxes to Exchange Online. For this scenario, you can also find a dedicated, easy-to-use, GUI-based tool in CodeTwo’s portfolio.

Learn more about the expected Transport-based Enforcement System timeline for specific Exchange Server versions

Once you’ve remediated your server(s), the mail flow between the on-premises and cloud mailboxes will resume as normal.