@Dashrender said in Troubleshooting email flow issue:
Pretty sure I figured it out.
The domain in question had 2 MX records,
O365
gmail
O365 has the higher priority, and there have never been any complaints of missing messages.
I'm assuming this spam made it to Google, because I know some spammers specifically use the secondary, etc. MX records in hopes of bypassing spam filters. So I'm assuming that's what was happening here.
Now that said - I did see a single Twitter email in the G Suite - so I'm guessing there was a glitch at O365 once, and Twitter hit it and tried the secondary...
Often, spammers will send mail to a higher MX record on purpose. There are many reasons they do this; less protected routes to a gullible user is one of them.