ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Emails rejected by DLP Cloud Service when sending messages from new domains


Article ID: 170072


Updated On:


Data Loss Prevention Cloud Prevent for Microsoft Office 365 Data Loss Prevention Cloud Service for Email Data Loss Prevention Cloud Package


New sending domains have been implemented in email architecture, and messages from these domains are being rejected by DLP Cloud Service for Email.

Possible errors:

Error: 550 5.7.1 Domain not authorized

Reason:[{LED=450 4.4.317 Cannot connect to remote server [Message=451 4.4.2 Error: Connection lost to forwarding agent.]


Any sending domains not registered are rejected by the downstream MTA (Email for most customers). These domains need to be added to their account via the ClientNet Self Service Portal.

Note: this issue will also affect DLP Cloud Service customers in "Reflecting mode" (no Email downstream, mail goes back to O365).


DLP Cloud Service for Email, with servers provisioned as requested - where the list of "allowed domains" is provided on the original provisioning form.

Originally configured sending domains are successfully delivered to recipients.


For customers in Forwarding mode - with Email downstream:


First, please ensure that the "DLP Cloud Email" is listed among the Email Services in your account:


If that is not present, please open a case with Support, confirming the above along with your DLP Cloud Detector ID.


If the above entry is present, then confirm the domain from which email is being sent is listed as an "Active Domain", in the portal, as below:



Once the domains are added, the DLP Cloud teams will also confirm the updates are cascaded to the Cloud Services.


Update: For customers whose Cloud Email Service was provisioned in Reflecting mode (emails sent back to O365 as downstream MTA), DLP 15.1 MP1 introduced a feature that allows customers to add domains via the Enforce UI. Validation of any new domains does require proof of domain ownership via the addition of a TXT entry into the domain's DNS record.

For more details on adding domains for your Cloud Email Service in Reflecting mode, please see the latest copy of the Cloud Service for Email Implementation Guide.



Please contact DLP support for any further questions.