Similar to the circumstances described in TECH247444, except in this case the DLP Cloud Email Service is configured in Reflecting mode.
It has been confirmed that the domains are validated in Enforce (as per or Implementation Guide), and there is no custom certificate involved (i.e., not in "hybrid" mode with Exchange on-prem senders).
Other basic requirements have also been verified (X-DetectorID header added, Connector sending to correct "SmartHost" or FQDN for their Detector, etc).
But no messages are accepted even from the primary domain as configured in their O365 Admin Center.
Error: 550 5.7.1 Domain not authorized
Despite other checks, the setup of the O365 domain may not be correct - either with DNS or other issues.
Firstly, verify domains as validated by using tools for this purpose.
If the above details match what is configured in your O365 Admin Center, you may find this Microsoft technet page useful:
Follow the link there to the (in the "Your domain's MX record has a problem" section):
Using the option in the O365 tab, enter the your primary domain (as configured in O365).
If there are any issues with the setup (DNS problem, etc.) the tool will return details - at which point you need to verify a solution to the issue with Microsoft support.