Channel: Exchange Server 2013 - Mail Flow and Secure Messaging forum

Incoming Messages bypassing Transport rules


Hello all,

We are dealing with a very strange case where some messages from a specific sender seem to bypass a whole set of transport rules.

More specifically, this contact sends many emails daily to our organization - most of them are getting classifications and redirections to other users through transport rules. That is the basic design and it works well.

We have analyzed those "offending" messages and found out that a mail header is missing - the X-Authenticated-Sender. This header isn't a standard one (RFC wise) and as far as I understand it, it is being put by the sender's server to declare an authentication between the original sender and their server (for spam avoidance purposes).

In front of the Exchange there is a Sophos UTM (Mail gateway, Firewall) appliance which receives incoming traffic, scans it and then forwards it to the Exchange server - this is transparent to the Exchange server.

Also the sender's domain seems to be in a blacklist (according to MX-Toolbox Header Analyzer). But in general their messages are being received without a problem.

When this happens (mails not being processed through transport rules) nothing relevant is logged into the Event Viewer.

This happens in a low frequency - say in 1 message out of 50.

Why do these messages have this behavior? Is that header important by any means to Exchange 2013?

What else should I look to investigate further?

