This article takes an in-depth look at one of the most common causes of the following Microsoft 365 mail loop / bounce error:
554 5.4.14 Hop count exceeded - possible mail loop
This error means that Microsoft is looping mail back to our servers instead of delivering it to their local user's mailbox. After a certain number of delivery attempts, Microsoft detects the loop and rejects the message.
This can be a complex problem to comprehend but the solutions don't require an in-depth understanding:
In some circumstances, when SpamHero delivers a "clean" message to Microsoft 365, the message is accepted for delivery but then instead of being placed in the recipient's email box, it is forwarded back to our servers a moment later. Our servers then process the message again and deliver it to Microsoft 365 and the cycle repeats until the message is rejected for "looping".
The most common cause is the sender having a bad Inbound Connector configuration.
- A common misunderstanding - Many believe that connectors are used to ensure fast inbound deliveries from a Partner Organization to their Microsoft 365 account (but that is not correct). While this approach appears to work, it also has the side effect of causing some mail deliveries to loop and fail (see the Related questions section, below).
- The reality of how it works - Connectors are used to identify IP addresses (and TLS certificates) that are authorized to send mail from your domain name. Connectors can also be used to restrict which mail host IP addresses can connect to your Microsoft 365 account (which is useful for locking down your account to only accept mail from SpamHero).
Frequently Asked Questions
- How does this cause a mail loop?
When Microsoft 365 receives an inbound message they inspect the sender's domain and IP address (or TLS certificate) to see whether the message came from an authorized connector. When they find a match, it is always treated as an outbound message (even if it was just accepted for an inbound delivery). And Microsoft always checks the MX record for outbound deliveries, causing the message to be sent back to SpamHero.
Related Microsoft documentation
How does message attribution work?
- Why does the "mail loop" only happen some of the time?
The problem only occurs when both the sender and recipient are hosted in the same Microsoft 365 geographic tenant region. That's because Microsoft only checks connector settings for "local" senders (based on where the message was delivered). In other words, when the sender and recipient are on different Microsoft 365 networks, the sender's connector settings are not found during the delivery process.
Related Microsoft documentation
How does message attribution work?
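The attribution behaviour described in the two answers above, as a small model (an added example, not SpamHero's or Microsoft's code). The region labels, domain, IP range and the hop limit of 20 are constructed assumptions; the model only encodes what this article states about connector matching.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BOUNCE = "554 5.4.14 Hop count exceeded - possible mail loop"

@dataclass(frozen=True)
class InboundConnector:
    region: str             # region of the tenant that owns the connector
    sender_domains: tuple   # domains the connector says it sends for
    sender_networks: tuple  # CIDR ranges the connector authorizes

def attributed_as_outbound(connectors, sender_domain, source_ip, recv_region):
    """True when a connector visible in the receiving region matches domain and IP."""
    ip = ip_address(source_ip)
    for c in connectors:
        if c.region != recv_region:
            continue  # a non-local sender's connector is not found
        if sender_domain.lower() in c.sender_domains and any(
                ip in ip_network(net) for net in c.sender_networks):
            return True
    return False

def simulate(connectors, sender_domain, filter_ip, recv_region, hop_limit=20):
    """Follow one filtered message into Microsoft 365 until it lands or bounces.
    hop_limit is an assumed value; the article only says "a certain number"."""
    hops = 0
    while hops < hop_limit:
        hops += 1  # filter -> Microsoft 365
        if not attributed_as_outbound(connectors, sender_domain, filter_ip, recv_region):
            return "delivered to mailbox", hops
        hops += 1  # treated as outbound: Microsoft 365 -> MX record -> filter
    return BOUNCE, hops

# Constructed sample: the sender's tenant lists the filter's range in an inbound connector.
BAD = [InboundConnector("region-A", ("sender.example",), ("192.0.2.0/24",))]

if __name__ == "__main__":
    print(simulate(BAD, "sender.example", "192.0.2.10", "region-A"))  # same region
    print(simulate(BAD, "sender.example", "192.0.2.10", "region-B"))  # different region
    print(simulate([], "sender.example", "192.0.2.10", "region-A"))   # connector removed
```

The same message loops only in the same-region case, which is why the failure looks intermittent from the filter's side.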
- This sounds like a bug, why hasn't Microsoft fixed it?
It could be argued that the connector feature has a bug--particularly since the behavior appears to be inconsistent, depending on which Microsoft server the message was delivered to.
In reality, the connector feature is just counter-intuitive, poorly documented, and widely misunderstood.
- The controls are presented in such a way that causes users to reasonably believe that the connector could be used to whitelist sender IP addresses (a common concept that has been around for decades).
- The documentation on the topic is scattered and never mentions the possibility of mail loops. Meanwhile, there are plenty of online discussions talking about the problem--yet none of them seem to understand what is causing it. Nor does Microsoft's documentation about the mail loop error offer much help.
- As of December 2022, there are still prominent anti-spam providers (and blog posts) that suggest bad Microsoft 365 setup instructions that cause mail loops.
The biggest reason we don't just call this a bug is that Microsoft's documentation never says to use the connector feature as a method of whitelisting sender IP addresses (even though their interface heavily implies that it would work).
- Why did SpamHero suggest using Inbound Connectors in the past?
Microsoft has a tendency to throttle and delay mail from IP addresses that exceed certain volume thresholds. The Inbound Connector feature has been widely misunderstood as the "correct" method of whitelisting sender IP addresses to guarantee fast delivery from a trusted Partner Organization. Many of the largest spam filtering services have used it incorrectly in their setup instructions. As of December 2022, the SpamHero setup instructions have been corrected but there are still many prominent anti-spam services using the "bad" connector instructions at this point.
If your SpamHero account was set up before December 2022, use the following article to fix your Microsoft 365 configuration:
Getting "Hop Count Exceeded" bounce error when sending to SpamHero user (Microsoft 365 / Office 365)
- How did SpamHero solve this mail loop mystery?
Over the years our support team received intermittent reports of a "mail loop" problem that affected a small fraction of our Microsoft 365 users (formerly Office 365 and Exchange Online before that).
The error usually seemed to start out of nowhere, without any recent configuration changes, and only affected certain sender and recipient combinations. Despite hours of troubleshooting, testing and research we were unable to reproduce the problem with our Microsoft 365 test account. As a result, we couldn't pinpoint the cause but it obviously had something to do with Microsoft's systems. So, we reluctantly asked our users to contact Microsoft tech support for help.
In late 2022 we had a breakthrough in which one of our tests finally reproduced the issue and we were able to narrow in on the exact cause. The key was that the message sender and recipient both had to be in the same Microsoft 365 geographic tenant region.
Next, we discovered that if we sent a minimalistic, plain text message "from" an email domain and IP address that matched a sender's connector then Microsoft 365 would rewrite the message body, add some headers (including a DKIM signature) and then deliver the message to any recipient (even externally).
This made us realize that the connectors feature was really designed to allow On-Premise Exchange servers to route their outbound mail through their Microsoft 365 account and enforce their organizational mail policies.
- Why does SpamHero still suggest using connectors for locking down my Microsoft 365 account?
- Are there other things that can cause this looping error?
Yes, there is a variety of unrelated scenarios that can cause Microsoft 365 to trigger a mail loop.
Unfortunately, they are outside the scope of our documentation. We will say this though--most loops are either caused by bad Connectors (on the senders' side) or by an incorrectly configured Exchange On-Premise hybrid setup.
Related Microsoft Documentation