After digging around in tcpdump from the client side for a bit, I've observed the following:
- The client makes a successful connection to URLs such as nexus.officeapps.live.com and roaming.officeapps.live.com with 200 Connection Established messages.
- The autodiscover protocol kicks off with the client querying my DNS servers for mail.mydomain.com, then pop3.mydomain.com, then pop.mydomain.com and imap.mydomain.com. Those usually resulted in "no such name" messages from DNS, but we've since added CNAME records for them pointing to autodiscover.mydomain.com (the actual URL Outlook should be hitting).
- Client then resolves the multiple A records to IP addresses and tries to connect to them via ports 995, 993, 143 and 110 (secure and unsecure ports for POP3, IMAP). These don't work so it carries on.
- Further down, I see a Can't Connect webpage from MWG to client with message "The proxy could not connect to the destination in time." in reply to the client's attempt to connect to mydomain.com. No replies about the IP addresses from point 3 yet.
I'm gonna continue looking to see what happens further down but I imagine all this adds up to cause the delay I'm seeing.
What could you gain by providing CNAMEs for pop3.mydomain.com, pop.mydomain.com and imap.mydomain.com if you don't have POP or IMAP protocols enabled? I would think these names are not used for URLs (= HTTP requests). So better not provide these names so you can prevent unneeded connection attempts.
Thank you for this reply. I had removed the CNAME records and no luck but in the end, I found out how to completely bypass MWG for outlook.exe and that resolved the issue.