Avatar of CHI-LTD
CHI-LTD🇬🇧

Email routing of hybrid o365 through mimecast and DNS
Hello

I'm slightly confused.  I have configured one of my hybrid servers with o365.  Using the wizard and steps I've managed to create a remote mailbox.  I have yet to move one from on prem to o365.

We also use Mimecast for our email filtering, security etc.  I have added our on prem domain into o365 and verified this is valid, however I haven't updated any DNS settings through 123reg yet (I was concerned about affecting mail flow).

I have also set up inbound and outbound connectors in o365 for mail to flow to Mimecast.

Can someone confirm that I must add (not edit or delete existing DNS records) MX, CNAME and SPF/TXT records now in order for mail to route from on prem to o365 and Mimecast?

We're running split DNS internally on LAN.

Thanks for any pointers...


ASKER CERTIFIED SOLUTION
Avatar of Mohammed HamadaMohammed Hamada🇵🇹


Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

1. Okay.  Is this to tell 365 that mail is on prem still?  What happens after I remote create or move mailboxes to 365?  Will this affect mail routing?

2. Are you sure? I have read that the SPF must point to Mimecast in order to use their mail servers:  https://community.mimecast.com/docs/DOC-1623

3. Okay, will take a look at this.  I know Mimecast support has added umbrella domains or IPs here recently (no mention of KB or requirement until I spoke to them).

4. Will look into this also.

My concern is making the changes to production domain which could affect mail....

I have tested mail flow and they are failing from the following routes/configs:
Pure test o365 domain hosted by MS - to external recipient and on premise mailboxes.
Remote mailbox in o365 (created by on prem server) - to on premise mailboxes.

SOLUTION
Avatar of Mohammed HamadaMohammed Hamada🇵🇹


Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

1. Going back to your point of authoritative, do you mean change the domains listed under - Organisation configuration - hub transport - accepted domains?  I have our .com, .local and onmicrosoft.com domains in here, all authoritative.
2. I've added the MS and Mimecast SPF records to my external DNS config for all my domains in o365.
3. Can you elaborate on the IPs and where in Mimecast?
4. I've turned off TLS for my Mimecast and hybrid connectors in o365.  Still failing to route some of my emails.  Errors:


From: Microsoft Outlook
Sent: 24 April 2016 11:00
To: o365 remotemailbox
Subject: Undeliverable: Test Appointment with attendee added (user1@domain.com) via o365 calendar in browser

Delivery has failed to these recipients or groups:
User One (user1@domain.com)
Your message wasn't delivered. Despite repeated attempts we were unable to deliver your message because validation of the recipient email system's certificate failed.
Contact the recipient by some other means (by phone, for example) and ask them to tell their email admin that it appears there's a problem with their SSL certificate or how it's configured on their email servers. Give them the error details shown below. It's likely that the recipient's email admin is the only one who can fix this problem.
For more information and tips to fix this issue see this article: http://go.microsoft.com/fwlink/?LinkId=389361.





Diagnostic information for administrators:
Generating server: AM3PR07MB0677.eurprd07.prod.outlook.com
Receiving server: AM3PR07MB0677.eurprd07.prod.outlook.com
user1@domain.com
4/24/2016 9:59:44 AM - Server at AM3PR07MB0677.eurprd07.prod.outlook.com returned '550 5.7.320 Message expired, certificate validation failed(SubjectMismatch)'
4/24/2016 9:51:46 AM - Server at mail.domain.com (WAN IP) returned '450 4.7.320 Certificate validation failed(SubjectMismatch)'
Original message headers:
Received: from AM3PR07MB0677.eurprd07.prod.outlook.com
 (2a01:111:e400:8839::25) by AM3PR07MB0677.eurprd07.prod.outlook.com
 (2a01:111:e400:8839::25) with Microsoft SMTP Server (TLS) id 15.1.466.12;
 Fri, 22 Apr 2016 09:52:33 +0000
Received: from AM3PR07MB0677.eurprd07.prod.outlook.com
 ([fe80::750f:1b9:c27d:b22a]) by AM3PR07MB0677.eurprd07.prod.outlook.com
 ([fe80::750f:1b9:c27d:b22a%18]) with mapi id 15.01.0466.023; Fri, 22 Apr 2016
 09:52:33 +0000
Content-Type: multipart/mixed;
        boundary="_000_AM3PR07MB06770EC3D7FA518DE9E751A7FD6F0AM3PR07MB0677eurp_"
From: o365 remotemailbox <o365remote@domain.com>
To: User One <user1@domain.com>
Subject: Test Appointment with attendee added (user1@domain.com) via
 o365 calendar in browser
Thread-Topic: Test Appointment with attendee added
 (user1@domain.com) via o365 calendar in browser
Thread-Index: AdGcfFenwshGZ2tJ0ESBRxhxksPC8g==
Date: Fri, 22 Apr 2016 09:52:33 +0000
Message-ID: <AM3PR07MB06770EC3D7FA518DE9E751A7FD6F0@AM3PR07MB0677.eurprd07.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <AM3PR07MB06770EC3D7FA518DE9E751A7FD6F0@AM3PR07MB0677.eurprd07.prod.outlook.com>
authentication-results: domain.com; dkim=none (message not signed)
 header.d=none;domain.com; dmarc=none action=none
 header.from=domain.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [WAN IP]
x-ms-office365-filtering-correlation-id: 06c55a16-9848-4cef-32e7-08d36a93d3c9
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:AM3PR07MB0677;
x-ld-processed: 6d915662-fb5f-4138-a2c5-b0250d6a5232,ExtAddr
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(9101524026)(601004)(2401047)(8121501046)(10201501046)(3002001);SRVR:AM3PR07MB0677;BCL:0;PCL:0;RULEID:;SRVR:AM3PR07MB0677;
X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:AM3PR07MB0677;H:AM3PR07MB0677.eurprd07.prod.outlook.com;FPR:;SPF:None;LANG:en;;SKIP:2;
spamdiagnosticoutput: 1:0
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Apr 2016 09:52:33.4037
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6d915662-fb5f-4138-a2c5-b0250d6a5232
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM3PR07MB0677
X-OrganizationHeadersPreserved: AM3PR07MB0677.eurprd07.prod.outlook.com
X-OriginatorOrg: domain.com
X-CrossPremisesHeadersFilteredByDsnGenerator:
        AM3PR07MB0677.eurprd07.prod.outlook.com

SOLUTION
Avatar of Jian An LimJian An Lim🇦🇺


Avatar of Jian An LimJian An Lim🇦🇺

For SPF,

I usually keep all of them

v=spf1 include:_netblocks.mimecast.com include:spf.protection.outlook.com <+ all your onpremise IP> ~all

Mimecast will say to use just theirs, but mail continuity might break in case Mimecast itself is broken.

More to read: https://community.mimecast.com/docs/DOC-1623


The MX record will need to change so all inbound email goes through the spam filter (that's a given), and depending on your tenant location, you will have a different MX record. You should get this from Mimecast directly.
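
An offline lint for a combined record like the one above, as an added example that is not part of the original post: it checks that exactly one `v=spf1` record is published, that the expected `include:` targets are present, and that the top-level terms stay within the 10-lookup limit of RFC 7208. The function name, its parameters and the `ip4:203.0.113.10` address are constructed for illustration.

```powershell
# Added example (not from the thread). Lints SPF TXT strings offline before
# they are published. The ip4 address is a constructed placeholder (RFC 5737).
$SampleSpf = 'v=spf1 include:_netblocks.mimecast.com include:spf.protection.outlook.com ip4:203.0.113.10 ~all'

function Test-SpfRecord {
    param(
        [Parameter(Mandatory)][string[]]$TxtRecord,   # every TXT string published at the name
        [string[]]$RequiredInclude = @()              # include: targets that must be present
    )
    $findings = @()

    # RFC 7208 section 4.5: more than one v=spf1 record yields permerror.
    $spf = @($TxtRecord | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -ne 1) {
        $findings += "expected exactly one v=spf1 record, found $($spf.Count)"
        return [pscustomobject]@{ Lookups = 0; Includes = @(); Findings = $findings }
    }

    # Everything after the version tag is a mechanism or modifier.
    $terms = @($spf[0].Trim() -split '\s+' | Select-Object -Skip 1 | Where-Object { $_ })

    # Terms that cost a DNS lookup at evaluation time (RFC 7208 section 4.6.4).
    # Only top-level terms are counted, so the number is a lower bound:
    # each include: target adds the lookups of its own record.
    $lookupPattern = '^[+\-~?]?(include:|exists:|(a|mx|ptr)([:/]|$))|^redirect='
    $lookups = @($terms | Where-Object { $_ -match $lookupPattern })
    if ($lookups.Count -gt 10) {
        $findings += "$($lookups.Count) lookup terms exceed the limit of 10"
    }

    # Collect include: targets and compare with what the mail path needs.
    $includes = @($terms | ForEach-Object {
        if ($_ -match '^[+\-~?]?include:(.+)$') { $Matches[1].ToLower() }
    })
    foreach ($need in $RequiredInclude) {
        if ($includes -notcontains $need.ToLower()) { $findings += "missing include:$need" }
    }

    # The record should end the evaluation with an explicit all mechanism.
    $all = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' })
    if ($all.Count -eq 0) {
        $findings += 'no all mechanism, unmatched senders get a neutral result'
    }
    elseif ($all[0] -match '^\+?all$') {
        $findings += '+all authorises every sender'
    }

    [pscustomobject]@{ Lookups = $lookups.Count; Includes = $includes; Findings = $findings }
}

# Combined record: both providers kept in a single TXT string.
Test-SpfRecord -TxtRecord $SampleSpf `
    -RequiredInclude '_netblocks.mimecast.com', 'spf.protection.outlook.com'

# Constructed failure case: one SPF record per provider published side by side.
Test-SpfRecord -TxtRecord 'v=spf1 include:_netblocks.mimecast.com ~all',
                          'v=spf1 include:spf.protection.outlook.com ~all'
```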



Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

Changed the MX priority so that Mimecast is being used first, then MS.
Left SPFs for both providers.
MS say the cert isn't valid as we're on 2010: https://blogs.technet.microsoft.com/exchange/2016/02/19/important-notice-about-certificate-expiration-for-exchange-2013-hybrid-customers/

Avatar of Jian An LimJian An Lim🇦🇺

Please evaluate this information and take any necessary action before April 15, 2016. If your latest run of the Hybrid Configuration Wizard was initiated from Exchange 2010 than you are NOT affected.

It could be happening to you too (just saying).

On Exchange Online, if possible, run get-outboundconnector | fl

On Exchange on-premises, run get-sendconnector | fl

That should show anything using certificate-based routing.

Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

PS:

[PS] C:\Users\Desktop>Get-SendConnector | fl
Creating a new session for implicit remoting of "Get-SendConnector" command...


AddressSpaces                : {SMTP:*;1}
AuthenticationCredential     :
Comment                      :
ConnectedDomains             : {}
ConnectionInactivityTimeOut  : 00:10:00
DNSRoutingEnabled            : False
DomainSecureEnabled          : False
Enabled                      : True
ErrorPolicies                : Default
ForceHELO                    : False
Fqdn                         :
HomeMTA                      : Microsoft MTA
HomeMtaServerId              : exchange
Identity                     : Mimecast Send Connector
IgnoreSTARTTLS               : False
IsScopedConnector            : False
IsSmtpConnector              : True
LinkedReceiveConnector       :
MaxMessageSize               : 25 MB (26,214,400 bytes)
Name                         : Mimecast Send Connector
Port                         : 25
ProtocolLoggingLevel         : None
RequireOorg                  : False
RequireTLS                   : False
SmartHostAuthMechanism       : None
SmartHosts                   : {eu-smtp-outbound-1.mimecast.com, eu-smtp-outbound-2.mimecast.com}
SmartHostsString             : eu-smtp-outbound-1.mimecast.com,eu-smtp-outbound-2.mimecast.com
SmtpMaxMessagesPerConnection : 20
SourceIPAddress              : 0.0.0.0
SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
SourceTransportServers       : {exchange, exchange-DR}
TlsAuthLevel                 :
TlsDomain                    :
UseExternalDNSServersEnabled : False

AddressSpaces                : {smtp:tenantdomain.mail.onmicrosoft.com;1}
AuthenticationCredential     :
Comment                      :
ConnectedDomains             : {}
ConnectionInactivityTimeOut  : 00:10:00
DNSRoutingEnabled            : True
DomainSecureEnabled          : False
Enabled                      : True
ErrorPolicies                : DowngradeAuthFailures
ForceHELO                    : False
Fqdn                         : mail.domain.co.uk
HomeMTA                      : Microsoft MTA
HomeMtaServerId              : exchange-DR
Identity                     : Outbound to Office 365
IgnoreSTARTTLS               : False
IsScopedConnector            : False
IsSmtpConnector              : True
LinkedReceiveConnector       :
MaxMessageSize               : 10 MB (10,485,760 bytes)
Name                         : Outbound to Office 365
Port                         : 25
ProtocolLoggingLevel         : None
RequireOorg                  : False
RequireTLS                   : True
SmartHostAuthMechanism       : None
SmartHosts                   : {}
SmartHostsString             :
SmtpMaxMessagesPerConnection : 20
SourceIPAddress              : 0.0.0.0
SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
SourceTransportServers       : {exchange-DR}
TlsAuthLevel                 : DomainValidation
TlsDomain                    : mail.protection.outlook.com
UseExternalDNSServersEnabled : False

On-Prem:

PS C:\Users\user> get-outboundconnector | fl


RunspaceId                    : 3513a101-11da-4b1c-b3a4-26e34605fb9e
Enabled                       : False
UseMXRecord                   : False
Comment                       : Outbound connector to exchange2
ConnectorType                 : OnPremises
ConnectorSource               : AdminUI
RecipientDomains              : {}
SmartHosts                    : {mail.domain.co.uk}
TlsDomain                     : mail.domain.co.uk
TlsSettings                   : DomainValidation
IsTransportRuleScoped         : False
RouteAllMessagesViaOnPremises : False
CloudServicesMailEnabled      : True
AllAcceptedDomains            : True
TestMode                      : False
LinkForModifiedConnector      : 00000000-0000-0000-0000-000000000000
ValidationRecipients          : {user1@domain.co.uk}
IsValidated                   : False
LastValidationTimestamp       : 27/04/2016 10:56:53
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
Name                          : exchange2
DistinguishedName             : CN=exchange2,CN=Transport Settings,CN=Configuration,CN=tenantdomain.onmicr
                                osoft.com,CN=ConfigurationUnits,DC=EURPR07A004,DC=PROD,DC=OUTLOOK,DC=COM
Identity                      : exchange2
Guid                          : 21bce97a-bb2f-458f-b434-9f45a286e5b1
ObjectCategory                : EURPR07A004.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-SMTP-Outbound-Connector
ObjectClass                   : {top, msExchSMTPOutboundConnector}
WhenChanged                   : 27/04/2016 11:33:04
WhenCreated                   : 26/04/2016 14:24:01
WhenChangedUTC                : 27/04/2016 10:33:04
WhenCreatedUTC                : 26/04/2016 13:24:01
OrganizationId                : EURPR07A004.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/tenantdomain.onmicrosoft.com - EURPR07A004.PROD.OUTLOOK.COM/ConfigurationUnits/tenantdomain.onmicrosoft.com/Configuration
Id                            : exchange2
OriginatingServer             : VI1PR07A004DC01.EURPR07A004.PROD.OUTLOOK.COM
IsValid                       : True
ObjectState                   : Unchanged

RunspaceId                    : 3513a101-11da-4b1c-b3a4-26e34605fb9e
Enabled                       : True
UseMXRecord                   : False
Comment                       : Connector to send o365 emails to mimecast journaling.
ConnectorType                 : Partner
ConnectorSource               : AdminUI
RecipientDomains              : {journal.testdomain.com, journal.domain.co.uk}
SmartHosts                    : {eu-smtp-journal-1.mimecast.com, eu-smtp-journal-2.mimecast.com}
TlsDomain                     :
TlsSettings                   :
IsTransportRuleScoped         : False
RouteAllMessagesViaOnPremises : False
CloudServicesMailEnabled      : False
AllAcceptedDomains            : False
TestMode                      : False
LinkForModifiedConnector      : 00000000-0000-0000-0000-000000000000
ValidationRecipients          : {user1@domain.co.uk}
IsValidated                   : False
LastValidationTimestamp       : 28/04/2016 14:56:07
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
Name                          : Office 365 to Mimecast Journaling
DistinguishedName             : CN=Office 365 to Mimecast Journaling,CN=Transport Settings,CN=Configuration,CN=tenantdomain.onmicrosoft.com,CN=ConfigurationUnits,DC=EURPR07A004,DC=PROD,DC=OUTLOOK
                                ,DC=COM
Identity                      : Office 365 to Mimecast Journaling
Guid                          : 1d3a7661-68fd-4d0e-83ab-2078ee8a87f8
ObjectCategory                : EURPR07A004.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-SMTP-Outbound-Connector
ObjectClass                   : {top, msExchSMTPOutboundConnector}
WhenChanged                   : 28/04/2016 14:56:15
WhenCreated                   : 21/04/2016 14:43:05
WhenChangedUTC                : 28/04/2016 13:56:15
WhenCreatedUTC                : 21/04/2016 13:43:05
OrganizationId                : EURPR07A004.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/tenantdomain.onmicrosoft.com - EURPR07A004.PROD.OUTLOOK.COM/ConfigurationUnits/tenantdomain.onmicrosoft.com/Configuration
Id                            : Office 365 to Mimecast Journaling
OriginatingServer             : VI1PR07A004DC01.EURPR07A004.PROD.OUTLOOK.COM
IsValid                       : True
ObjectState                   : Unchanged

RunspaceId                    : 3513a101-11da-4b1c-b3a4-26e34605fb9e
Enabled                       : True
UseMXRecord                   : False
Comment                       : Outbound Delivery Routing for Office 365
ConnectorType                 : Partner
ConnectorSource               : AdminUI
RecipientDomains              : {*}
SmartHosts                    : {eu-smtp-o365-outbound-1.mimecast.com, eu-smtp-o365-outbound-2.mimecast.com}
TlsDomain                     :
TlsSettings                   :
IsTransportRuleScoped         : False
RouteAllMessagesViaOnPremises : False
CloudServicesMailEnabled      : False
AllAcceptedDomains            : False
TestMode                      : False
LinkForModifiedConnector      : 00000000-0000-0000-0000-000000000000
ValidationRecipients          : {personalemail@hotmail.com}
IsValidated                   : True
LastValidationTimestamp       : 27/04/2016 16:39:38
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
Name                          : Outbound Delivery Routing for Office 365
DistinguishedName             : CN=Outbound Delivery Routing for Office 365,CN=Transport Settings,CN=Configuration,CN=tenantdomain.onmicrosoft.com,CN=ConfigurationUnits,DC=EURPR07A004,DC=PROD,DC=
                                OUTLOOK,DC=COM
Identity                      : Outbound Delivery Routing for Office 365
Guid                          : 290dfc25-2c05-476e-8eec-ffe0304929a0
ObjectCategory                : EURPR07A004.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-SMTP-Outbound-Connector
ObjectClass                   : {top, msExchSMTPOutboundConnector}
WhenChanged                   : 27/04/2016 16:39:48
WhenCreated                   : 22/04/2016 15:15:04
WhenChangedUTC                : 27/04/2016 15:39:48
WhenCreatedUTC                : 22/04/2016 14:15:04
OrganizationId                : EURPR07A004.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/tenantdomain.onmicrosoft.com - EURPR07A004.PROD.OUTLOOK.COM/ConfigurationUnits/tenantdomain.onmicrosoft.com/Configuration
Id                            : Outbound Delivery Routing for Office 365
OriginatingServer             : VI1PR07A004DC01.EURPR07A004.PROD.OUTLOOK.COM
IsValid                       : True
ObjectState                   : Unchanged

RunspaceId                    : 3513a101-11da-4b1c-b3a4-26e34605fb9e
Enabled                       : True
UseMXRecord                   : False
Comment                       : ZY1RDoJADAXnQiCsrEiy8S4rrok/kmji8cWRHwmmaTtt3mvnd+JF4cGTGxN3TrQcqGmMWg6rOZDY/emTXMzfJuj
                                IjFyI9iOVfNVfpM6anSoGa6SXGjVFjpz9ttf/9ebl2/b2Bw==
ConnectorType                 : OnPremises
ConnectorSource               : AdminUI
RecipientDomains              : {domain.co.uk}
SmartHosts                    : {mail.domain.co.uk}
TlsDomain                     :
TlsSettings                   :
IsTransportRuleScoped         : False
RouteAllMessagesViaOnPremises : False
CloudServicesMailEnabled      : True
AllAcceptedDomains            : False
TestMode                      : False
LinkForModifiedConnector      : 00000000-0000-0000-0000-000000000000
ValidationRecipients          : {user1@domain.co.uk}
IsValidated                   : True
LastValidationTimestamp       : 27/04/2016 11:26:21
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
Name                          : Outbound to f821c266-7256-4b87-a9d1-e2aadccee5cb
DistinguishedName             : CN=Outbound to f821c266-7256-4b87-a9d1-e2aadccee5cb,CN=Transport Settings,CN=Configurat
                                ion,CN=tenantdomain.onmicrosoft.com,CN=ConfigurationUnits,DC=EURPR07A004,DC=
                                PROD,DC=OUTLOOK,DC=COM
Identity                      : Outbound to f821c266-7256-4b87-a9d1-e2aadccee5cb
Guid                          : cde5e305-0664-46c9-8a4e-cf34c38c8952
ObjectCategory                : EURPR07A004.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-SMTP-Outbound-Connector
ObjectClass                   : {top, msExchSMTPOutboundConnector}
WhenChanged                   : 27/04/2016 11:26:44
WhenCreated                   : 21/04/2016 15:50:11
WhenChangedUTC                : 27/04/2016 10:26:44
WhenCreatedUTC                : 21/04/2016 14:50:11
OrganizationId                : EURPR07A004.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/tenantdomain.onmicrosoft.com - EURPR07A004.PROD.OUTLOOK.COM/ConfigurationUnits/tenantdomain.onmicrosoft.com/Configuration
Id                            : Outbound to f821c266-7256-4b87-a9d1-e2aadccee5cb
OriginatingServer             : VI1PR07A004DC01.EURPR07A004.PROD.OUTLOOK.COM
IsValid                       : True
ObjectState                   : Unchanged


results edited slightly of course..



Avatar of Jian An LimJian An Lim🇦🇺

I think I found something different

get-sendconnector "Outbound to Office 365" | set-sendconnector -SmartHosts <tenantname>.mail.protection.outlook.com
get-sendconnector "Outbound to Office 365" | Set-SendConnector -TlsCertificateName < the name of your certificate>

Please do not run the command above first.

Try to run the Hybrid Configuration Wizard, because it should all be created properly when you run the Hybrid Configuration Wizard.

Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

sorry?  run wizard again?

Avatar of Jian An LimJian An Lim🇦🇺

Log on to the Exchange 2010 server
Open Exchange Management Console and make sure you log on to Office 365

Then go to Organisation configuration (onpremise), click Manage Hybrid Configuration


more read: http://www.msexchange.org/articles-tutorials/office-365/exchange-online/using-hybrid-configuration-wizard-exchange-2010-service-pack-2-part3.html



Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

Isn't this part of the hybrid wizard?

Avatar of Mohammed HamadaMohammed Hamada🇵🇹

Sorry I was not able to follow up on your case CHI-LTD .. I was in an office 365 project too.

Could you please answer those questions for me ?

1- What Exchange server version do you have now?
From the send connector I can see that you have 2007. In order to have Hybrid working without an issue you'll need to have at least one Exchange 2010 SP3 (at least) for the Hybrid to work.

2- Have you entered Microsoft Exchange online/Online Protection/Hybrid IPs to your SMTP gateway's whitelist?

If you don't do this you won't be able to get e-mails.

3- Have you validated Outbound emails on office 365 Exchange online's Mail flow-Connectors tab ?

Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

2010 with latest SP/Up.
I have Mimecast IPS added yes.
Yes



Avatar of Mohammed HamadaMohammed Hamada🇵🇹

Are you certain you have added all the latest IPs that were updated by MS technet article?

Microsoft has also made a mistake in one article which I had problem with when I deployed a similar scenario with an on-prem Gateway.

The Article is here
https://technet.microsoft.com/en-us/library/dn163581%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

In this article MS says they removed some IPs on February 24, 2016, but I have noticed in the gateway that these IPs are still being used.

Removed 23.103.148.0/22 207.46.163.128/26 207.46.163.192/27 207.46.163.224/27 23.103.145.128/27 23.103.145.192/27 213.199.154.0/26 213.199.154.64/26 213.199.154.128/27 207.46.51.64/27 207.46.51.96/27 134.170.132.0/24

make sure you add them all.

Avatar of Jian An LimJian An Lim🇦🇺

But mainly, it is a certificate issue.

This log told me it is a certificate issue; rerunning the Hybrid Configuration Wizard should fix the issue.
4/24/2016 9:51:46 AM - Server at mail.domain.com (WAN IP) returned '450 4.7.320 Certificate validation failed(SubjectMismatch)'

Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

Right, mail is flowing again.  Re-ran the wizard (which enabled TLS on the connector in o365) so disabled this again.
DNS for our production domain is now as correct as I think it's going to be.
Mimecast IPs added as allowed in 365.

What's confusing now is that I'm not sure which platform inbound and outbound emails are going from/to...



Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER


Avatar of Jian An LimJian An Lim🇦🇺

dns
Please remove the CNAME record of autodiscover; since you are still in hybrid, it needs to go on-premises, not to Office 365.

and MX record of 11,

then rerun HCW.

Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

I've removed this already.
In the event of the Mimecast service or MX records failing to deliver mail, I have added the MX record for Microsoft to handle email.  Are you sure this should be removed?
HCW still gives me the error...



Avatar of Mohammed HamadaMohammed Hamada🇵🇹

You're still getting a certificate error. You didn't disable the TLS certificate check on the Office 365 connector like I mentioned I guess?

The error is stating a certificate SAN mismatch. TLS in most cases doesn't work with a gateway between Exchange Online and on-prem in hybrid scenarios.

4/24/2016 9:59:44 AM - Server at AM3PR07MB0677.eurprd07.prod.outlook.com returned '550 5.7.320 Message expired, certificate validation failed(SubjectMismatch)'
4/24/2016 9:51:46 AM - Server at mail.domain.com (WAN IP) returned '450 4.7.320 Certificate validation failed(SubjectMismatch)'
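
The `SubjectMismatch` condition discussed in this thread, as an added example that is not part of any post: it filters connector objects (as returned by `Get-OutboundConnector` or `Get-SendConnector`) down to those using `DomainValidation` and compares each `TlsDomain` with the names on the certificate the smart host presents. Connector values are copied from the listings posted above; the certificate name lists, the function names and the one-label wildcard rule are assumptions for illustration.

```powershell
# Added example (not from the thread). Connector values are copied from the
# listings posted above; the certificate name lists are constructed.
$Connectors = @(
    [pscustomobject]@{ Name = 'exchange2'; Enabled = $false
                       SmartHosts = @('mail.domain.co.uk')
                       TlsSettings = 'DomainValidation'; TlsDomain = 'mail.domain.co.uk' }
    [pscustomobject]@{ Name = 'Outbound Delivery Routing for Office 365'; Enabled = $true
                       SmartHosts = @('eu-smtp-o365-outbound-1.mimecast.com')
                       TlsSettings = ''; TlsDomain = '' }
    # On-premises send connectors expose TlsAuthLevel instead of TlsSettings.
    [pscustomobject]@{ Name = 'Outbound to Office 365'; Enabled = $true
                       SmartHosts = @()
                       TlsAuthLevel = 'DomainValidation'; TlsDomain = 'mail.protection.outlook.com' }
)

# Assumed matching rule: exact name, or a wildcard certificate name that
# covers exactly one left-most label. The service's own rule may differ.
function Test-TlsNameMatch {
    param([string]$TlsDomain, [string[]]$CertName)
    $d = $TlsDomain.ToLower()
    foreach ($n in $CertName) {
        $n = $n.ToLower()
        if ($n -eq $d) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # e.g. ".domain.co.uk"
            if ($d.Length -gt $suffix.Length -and $d.EndsWith($suffix)) {
                $label = $d.Substring(0, $d.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Emits one row per smart host for every connector that enforces name checks.
function Get-DomainValidatedConnector {
    param(
        [Parameter(Mandatory)][object[]]$Connector,
        [hashtable]$PresentedNames = @{}    # smart host -> subject and SAN names on its certificate
    )
    foreach ($c in $Connector) {
        $mode = @($c.TlsSettings, $c.TlsAuthLevel) | Where-Object { $_ } | Select-Object -First 1
        if ($mode -ne 'DomainValidation') { continue }

        $hosts = @($c.SmartHosts | Where-Object { $_ })
        if ($hosts.Count -eq 0) { $hosts = @('') }          # DNS-routed connector

        foreach ($h in $hosts) {
            $names = $PresentedNames[$h]
            if (-not $h) { $result = 'DNS routed, certificate not checked here' }
            elseif (-not $names) { $result = 'no certificate data for this host' }
            elseif (Test-TlsNameMatch -TlsDomain $c.TlsDomain -CertName $names) { $result = 'names match' }
            else { $result = 'SubjectMismatch expected' }

            [pscustomobject]@{
                Connector = $c.Name; Enabled = $c.Enabled; SmartHost = $h
                TlsDomain = $c.TlsDomain; Result = $result
            }
        }
    }
}

# Constructed case 1: the host presents a certificate without the expected name.
$mismatch = @{ 'mail.domain.co.uk' = @('exchange.domain.local', 'autodiscover.domain.co.uk') }
Get-DomainValidatedConnector -Connector $Connectors -PresentedNames $mismatch | Format-Table -AutoSize

# Constructed case 2: a wildcard certificate that covers the TlsDomain value.
$wildcard = @{ 'mail.domain.co.uk' = @('*.domain.co.uk') }
Get-DomainValidatedConnector -Connector $Connectors -PresentedNames $wildcard | Format-Table -AutoSize
```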

Avatar of CHI-LTDCHI-LTD🇬🇧

ASKER

Yes I did, the TLS on the connector from o365 to Mimecast is disabled within the o365 portal.
I'm really stumped now as most of the tests are failing within the remote analyser....

EAS is working fine on prem so certs must be ok..

Avatar of Mohammed HamadaMohammed Hamada🇵🇹

If you want, I could connect to you remotely and check your setup... send me a message if you're ok with that.



Avatar of Jian An LimJian An Lim🇦🇺

Since it is between you and OP, I will stop monitoring the question.