Emails rejected by DLP Cloud Service when sending messages from new domains

book

Article ID: 170072

calendar_today

Updated On:

Products

Data Loss Prevention Cloud Prevent for Microsoft Office 365 Data Loss Prevention Cloud Service for Email Data Loss Prevention Cloud Package Email Security.cloud

Issue/Introduction

New sending domains have been implemented in your email architecture, and messages from these domains are being rejected by DLP Cloud Service for Email.

Possible errors:

Error: 550 5.7.1 Domain not authorized

Reason:[{LED=450 4.4.317 Cannot connect to remote server [Message=451 4.4.2 Error: Connection lost to forwarding agent.]

Cause

Any sending domains not registered are rejected by the downstream MTA (either O365 or Email Security.cloud).

These domains need to be added to your account via one of two options, depending on the architecture in place:

  1. If your emails come from and go back to O365 from DLP, you are in "Reflecting mode: domains should be added via the Enforce Server.
  2. If your emails come from either on-prem Exchange, O365 or Gmail, and go on to Email Security.cloud from DLP, you are in "Forwarding mode": Your domains should be configured in the ClientNet Self Service Portal.

 

Environment

DLP Cloud Service for Email, with servers provisioned as requested - where the list of "allowed domains" is submitted with your configuration (in the Cloud Management Portal) .

Already configured sending domains are successfully delivered to recipients.

Resolution

If your emails come from and go back to O365 from DLP, you are in "Reflecting mode": domains should be added via the Enforce Server.

See the online help at this page: About updating email domains in the Enforce Server administration console (broadcom.com)

Details are also found in the "Deployment" chapter, in the Symantec_DLP_Cloud_Service_for_Email_Implementation_Guide.pdf (broadcom.com).

Note: It is essential you first update your domains with the DLP TXT record, before adding them to the Enforce Server for validation.

 

If your emails come from either on-prem Exchange, O365 or Gmail, and go on to Email Security.cloud from DLP, you are in "Forwarding mode": Your domains should be configured in the ClientNet Self Service Portal.

  1. First, please ensure that the "DLP Cloud Email" is listed among the Email Services in your account:


    If that is not present, please open a case with Support, confirming the above along with your DLP Cloud Detector ID.

  2. If the above entry is present, then confirm the domain from which email is being sent is listed as an "Active Domain", in the portal*, as below:

 

Once the domains are added and the changes have updated across MX records, the DLP Cloud Management Portal will show the domain updates you've made, and these will also be cascaded to your Cloud Service Detector.

 

Please contact DLP support for any further questions.

Additional Information

*See related Article ID: 235909: Emails rejected by DLP Cloud Service for Email

Attachments