Original KB number: 3019655
Symptoms
When users try to send mail from Microsoft 365 to an external recipient, the destination message transfer agent (MTA) rejects the message. The error message that users receive may vary. Typically, it states that the source server's host name doesn't match its IP address.
Cause
The recipient server requires that the server name that's contained in the message HELO string have a corresponding pointer (PTR) resource record (reverse IP lookup). Microsoft 365 uses multiple IP addresses to send mail. Because of DNS limitations, all these IP addresses can't be mapped through the PTR record to the server name that's in the message HELO string.
Resolution
The method that Microsoft 365 uses to send email messages by using multiple IP addresses is standard for most large mail systems and is by design. Contact the recipient's system administrator for help.
More information
In Microsoft 365, outgoing email settings use specific patterns. If your recipient servers use PTR record lookups for validation, it's important to be aware of these patterns because they explain why messages sent from the service might be rejected. The patterns are as follows:
The sending IP addresses used by Microsoft 365 have forward-confirmed reverse DNS records. This means that each sending IP address has both a forward (name-to-IP address) and a reverse (address-to-name) DNS record that contains matching information. For example:
Outbound IP address: 157.56.110.65
PTR record: 157.56.110.65 = mail-bn1on0065.outbound.protection.outlook.com
A record: mail-bn1on0065.outbound.protection.outlook.com = 157.56.110.65
The HELO/EHLO strings which identify the mail servers that the Microsoft 365 service uses also contain outbound.protection.outlook.com. For example:
na01-bn1-obe.outbound.protection.outlook.com
All these HELO/EHLO strings have A records that contain some outgoing IP addresses that correspond to the sending mail servers. However, the A records don't contain all these outgoing IP addresses. For example:
HELO: na01-bn1-obe.outbound.protection.outlook.com
A record: na01-bn1-obe.outbound.protection.outlook.com:
207.46.163.150
207.46.163.151
207.46.163.152
207.46.163.153
207.46.163.154
207.46.163.155
207.46.163.156
207.46.163.157
207.46.163.158
207.46.163.149
The PTR records of the IP addresses in the A record of the EHLO/HELO string won't match the HELO/EHLO string of the sending mail server. For example:
PTR record: 207.46.163.150: mail-bn1lp0150.outbound.protection.outlook.com
Notice that mail-bn1lp0150.outbound.protection.outlook.com doesn't match na01-bn1-obe.outbound.protection.outlook.com.
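The three checks a receiving MTA might apply to these records, evaluated side by side, as an added example that is not part of the original article or Microsoft's code. It runs offline against a static snapshot of the records quoted above; the function names are hypothetical, and the forward A record for mail-bn1lp0150 is an assumption based on the article's statement that sending IP addresses are forward-confirmed.

```python
# Static DNS snapshot built from the records quoted in this article.
PTR = {
    "157.56.110.65": ["mail-bn1on0065.outbound.protection.outlook.com"],
    "207.46.163.150": ["mail-bn1lp0150.outbound.protection.outlook.com"],
}
A = {
    "mail-bn1on0065.outbound.protection.outlook.com": ["157.56.110.65"],
    # Assumed: the article says sending IPs are forward-confirmed but does
    # not list this forward record explicitly.
    "mail-bn1lp0150.outbound.protection.outlook.com": ["207.46.163.150"],
    # 207.46.163.149 through 207.46.163.158, as listed in the article.
    "na01-bn1-obe.outbound.protection.outlook.com":
        ["207.46.163.%d" % n for n in range(149, 159)],
}
HELO = "na01-bn1-obe.outbound.protection.outlook.com"


def norm(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.rstrip(".").lower()


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: some PTR name of ip resolves back to ip."""
    return any(ip in a.get(norm(n), []) for n in ptr.get(ip, []))


def helo_equals_ptr(ip, helo, ptr=PTR):
    """Strict check described under Cause: HELO name must be a PTR name of ip."""
    return norm(helo) in {norm(n) for n in ptr.get(ip, [])}


def helo_resolves_to_ip(ip, helo, a=A):
    """Forward-only check: the HELO name's A records include the client ip."""
    return ip in a.get(norm(helo), [])


def evaluate(ip, helo):
    """Return the outcome of all three checks for one SMTP connection."""
    return {
        "fcrdns": fcrdns(ip),
        "helo_equals_ptr": helo_equals_ptr(ip, helo),
        "helo_resolves_to_ip": helo_resolves_to_ip(ip, helo),
    }


if __name__ == "__main__":
    for ip in ("207.46.163.150", "157.56.110.65"):
        print(ip, evaluate(ip, HELO))
```

Only the strict HELO-equals-PTR comparison fails for both addresses, which is the rejection described under Symptoms; the forward-confirmed reverse DNS check passes for each.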