"Relay access denied" error when O365 communicates with Cloud Service for Email


Article ID: 171689


Products

Data Loss Prevention Cloud Service for Email
Data Loss Prevention Cloud Package

Issue/Introduction

Emails from users of the service are being rejected when sending through the Data Loss Prevention (DLP) Cloud Service for Email.

550 5.7.64 TenantAttribution; Relay Access Denied SMTP

Environment

Usually this occurs when the DLP Cloud Service is set up in "reflect-mode" (where Microsoft M365 is both upstream and downstream of the connections made to and from Symantec).

Cause

Data Loss Prevention Cloud Service for Email, much like the on-premise version of Network Prevent for Email, is an SMTP Proxy and not an MTA.

When a message is sent through our proxy, two connections are always made: one accepted by the proxy from the upstream MTA, and one made by the proxy downstream to the next-hop MTA.

The error message actually originates from the downstream MTA, but is passed back to the upstream MTA as part of the DLP closing handshake when the connections are dropped.

This issue happens when there is a mismatch between the M365 "mailhost" and the value configured for this mailhost (the "nextHop" from DLP) to which the DLP Cloud Service is sending messages. Note that this configuration is made by the DLP Cloud Operations team at provisioning. Until the hostname is verified as correct, the downstream MTA (M365 in reflect mode) will continue to reject the messages, because the hostname to which DLP is sending messages back to M365 does not match the org that Microsoft has set up for this same customer.
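
The two-connection behaviour described above, as an added illustration (not Broadcom or Microsoft code): a minimal Python model of a proxy that forwards each command to the next hop and hands the reply back unchanged. The hostnames, the `TENANT_MAILHOST` value, the shortened SMTP dialogue and the hostname comparison that triggers the rejection are assumptions made for the example.

```python
# Model of an SMTP proxy (not an MTA): every upstream command is forwarded
# over a second connection and the next hop's reply is handed back verbatim.
# Hostnames and the tenant check are constructed for this illustration.

TENANT_MAILHOST = "example-com.mail.protection.outlook.com"  # constructed value


def next_hop_reply(connected_host, command):
    """Stand-in for the downstream MTA (M365 in reflect mode)."""
    verb = command.split()[0].upper()
    if verb == "RCPT" and connected_host != TENANT_MAILHOST:
        # Assumption: the connection did not arrive at the tenant's own
        # mailhost, so it cannot be attributed to the tenant; relay refused.
        return "550 5.7.64 TenantAttribution; Relay Access Denied"
    if verb == "DATA":
        return "354 Start mail input"
    if verb == "QUIT":
        return "221 Bye"
    return "250 OK"


def proxy_session(next_hop, upstream_commands):
    """Relay each upstream command downstream; return (command, reply) pairs."""
    transcript = []
    for command in upstream_commands:
        reply = next_hop_reply(next_hop, command)  # the second connection
        transcript.append((command, reply))        # reply goes back upstream
        if reply.startswith("5"):
            # The proxy has no queue of its own: it drops both connections
            # and the upstream MTA is left holding the downstream 5xx text.
            break
    return transcript


def first_rejection(transcript):
    """Return the first 5xx reply the upstream MTA would log, or None."""
    return next((reply for _, reply in transcript if reply.startswith("5")), None)


COMMANDS = [  # constructed, shortened SMTP dialogue (message body omitted)
    "EHLO upstream.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for host in ("wrong-host.example.org", TENANT_MAILHOST):
        print(host, "->", first_rejection(proxy_session(host, COMMANDS)))
```
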

Resolution

To confirm these settings for your DLP Cloud Service for Email detector, you will need to open a case with Broadcom Support, which can verify that the M365 "mailhost" specification matches the DLP Cloud Service setting for "hostname".
