Dynamic Distribution Group and external sender gets 550 5.4.1 Recipient address rejected: Access denied (in reply to RCPT TO command)

Anonymous
2016-08-29T07:14:59+00:00

Hi all.

I am facing a problem with a dynamic distribution group in my Office 365 tenant.

Two external partners get an NDR with this data while they are trying to send a mail to this group:

<DynamicDistributionGroup@MyTenant,com>: host
    MyTenant-de02c.mail.protection.outlook.com[213.199.154.106] said:
    550 5.4.1 [DynamicDistributionGroup@MyTenant,com]: Recipient address
    rejected: Access denied (in reply to RCPT TO command)

We are a small non-profit organisation and using this group for a monthly newsletter for our internal members.

This is the only distribution group I have created last year. It definitively worked a month before.

The group is configured to accept mails from "Senders inside and outside of my organization", is moderated by both internal and external partners. No further restrictions are set as far as I know.

The external partners have an existing contact entry with WindowsEmailAddress correctly set.

I am not really aware of any changes I might have made (I am the only administrator for this tenant), except that I tried something with SharePoint site mailboxes.

Here is the output of Get-DynamicDistributionGroup which I think could be relevant.

    AcceptMessagesOnlyFrom                 : {}
    AcceptMessagesOnlyFromDLMembers        : {}
    AcceptMessagesOnlyFromSendersOrMembers : {}
    MaxSendSize                            : Unlimited
    MaxReceiveSize                         : Unlimited
    ModeratedBy                            : {Person1 (internal), Person2 (internal), Contact1, Contact2...}
    ModerationEnabled                      : True
    RejectMessagesFrom                     : {}
    RejectMessagesFromDLMembers            : {}
    RejectMessagesFromSendersOrMembers     : {}
    RequireSenderAuthenticationEnabled     : False
    SendModerationNotifications            : Internal

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

Anonymous
2016-09-03T05:54:15+00:00

Hi Martin,

Please sign in to EAC with your admin account > Mail flow > Accepted domains > click the domain which is used for your DDG > Internal Relay > Save. Please wait a few minutes, then send emails to this DDG to check whether the issue persists.

If the issue still exists, please upload a screenshot of your DDG settings, so we can better understand your situation.

Regards,

Rick

7 people found this answer helpful.

16 additional answers

  1. Anonymous
    2016-09-16T17:36:48+00:00

    Hi all.

    Thanks for your appreciated support. Together we found the explanation of this behaviour.

    This is called Directory Based Edge Blocking (DBEB).

    Here is the relevant part of the explanation:

    <quote>

    Based on the NDR, this is a DBEB (Directory Based Edge Blocking) issue. DBEB is a feature which is automatically turned on in EOP if the domain type is Authoritative. It maintains a list of the tenant's recipients, which is synced to the edge of EOP. When an email is sent from an external sender to EOP, EOP checks whether the recipient is on the DBEB list to decide whether the email should be accepted or rejected. A recipient in EOP must be an Azure AD object to be synchronized to the DBEB list. However, it is a known issue that a DDG is not an object even in on-prem AD. Therefore, a DDG cannot be synchronized from on-premises to the cloud. Also, it is not an object in Azure AD, so it cannot be synced to the DBEB list.

    Therefore, to make your DDG able to receive emails from external senders, you have to disable the DBEB feature. To do this, please change the domain type from Authoritative to Internal Relay, because this feature is disabled for the Internal Relay type of domain.

    I am including the article for your reference:

    In Deployment: Directory Based Edge Blocking for Exchange Online Protection: http://blogs.technet.com/b/exchange/archive/2014/01/27/in-deployment-directory-based-edge-blocking-for-exchange-online-protection.aspx

    <quote end>

    This is a feature which is currently rolled out to the standalone customers.

    However, I have decided to replace my dynamic distribution group with a static one because my change rates are very low.

    Thanks again

    Best regards

    Martin

    2 people found this answer helpful.
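
The domain-type check discussed in the accepted answer and in the answer above, as an added PowerShell example (not code from any poster or from Microsoft): it lists every dynamic distribution group next to the type of its accepted domain, flags the groups that accept external senders in an Authoritative domain, and previews both remedies named in the thread. It assumes the ExchangeOnlineManagement module with a session opened by `Connect-ExchangeOnline`; `$DomainToChange` is a placeholder.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an open
# session (Connect-ExchangeOnline). Read-only unless -WhatIf is removed below.
$DomainToChange = 'example.org'   # placeholder: name of the accepted domain entry

$domains = Get-AcceptedDomain
$groups  = Get-DynamicDistributionGroup -ResultSize Unlimited

# One row per dynamic distribution group, joined to its accepted domain.
$report = foreach ($g in $groups) {
    $address    = [string]$g.PrimarySmtpAddress
    $smtpDomain = $address.Split('@')[-1]
    $domain     = $domains |
        Where-Object { [string]$_.DomainName -eq $smtpDomain } |
        Select-Object -First 1
    $external   = -not $g.RequireSenderAuthenticationEnabled

    [pscustomobject]@{
        Group           = $g.Name
        Address         = $address
        ExternalSenders = $external
        Moderated       = $g.ModerationEnabled
        DomainType      = [string]$domain.DomainType
        # Per the thread: Authoritative domain => DBEB on => the DDG address
        # is rejected at RCPT TO for external senders with 550 5.4.1.
        RejectedAtEdge  = $external -and ([string]$domain.DomainType -eq 'Authoritative')
    }
}
$report | Sort-Object RejectedAtEdge -Descending | Format-Table -AutoSize

# Option from the accepted answer: switch the whole domain to Internal Relay.
# -WhatIf only previews the change; remove it to apply.
Set-AcceptedDomain -Identity $DomainToChange -DomainType InternalRelay -WhatIf

# Option chosen by the question author: a static group. Preview who the
# dynamic filter currently resolves to, as the member list to copy over.
foreach ($g in $groups) {
    Get-Recipient -RecipientPreviewFilter $g.RecipientFilter -ResultSize Unlimited |
        Select-Object @{ n = 'Group'; e = { $g.Name } }, DisplayName, PrimarySmtpAddress
}
```

The domain type is set per accepted domain, so switching to Internal Relay turns off edge blocking for every address in that domain, not only for the DDG.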
  2. Anonymous
    2016-09-05T08:01:36+00:00

    I had the exact same issue.

    I turned the Domain Type back to Authoritative, waited a minute, switched it back to Internal Relay, then after about 15 minutes I was able to send my DDG e-mails from an external email address.

    1 person found this answer helpful.
  3. Anonymous
    2016-08-29T12:02:22+00:00

    Hi Lance,

    thanks for sharing the article.

    Based on the "Check DNS" of the domain administration within portal.office.com "All DNS records are correct, no errors found."

    The same for testconnectivity.microsoft.com, where all "Office 365 Exchange Domain Name Server (DNS) Connectivity Test" related tests show "Successfully verified specified external domain name settings for your domain in Office 365"

    I am getting mails from this partner sent to my personal mailbox without problem.

    First I thought the attachments were the problem, so I asked my partner to send the mail without them, but there was the same message.

    In the meanwhile, I have created a second distribution group for testing purposes. I am able to reproduce this with my private email address so I am no longer depending on our partner for testing.

  4. Anonymous
    2016-08-29T10:00:28+00:00

    Hi Martin,

    Thanks for the detailed information.

    Based on the NDR error code, I'd like to share an article for your reference.

    Fix email delivery issues for error code 5.4.1 in Office 365

    Please check the settings which are mentioned in that article.

    Thanks,

    Lance
