This issue is similar to the one described in "Emails rejected by DLP Cloud Service when sending messages from new domains" (broadcom.com), except that in this case the DLP Cloud Email Service is configured in Reflecting mode.
It has been confirmed that the domains are validated in Enforce (as per the Implementation Guide), and there is no custom certificate involved (i.e., not in "hybrid" mode with Exchange on-prem senders).
Other basic requirements have also been verified (X-DetectorID header added, Connector sending to the correct "SmartHost" or FQDN for their Detector, etc.).
However, no messages are accepted, even from the primary domain as configured in their O365 Admin Center.
Error: 550 5.7.1 Domain not authorized
Despite the checks above, the setup of the O365 domain may still not be correct, whether because of DNS or other issues.
First, verify that the domains are validated, using tools for this purpose.
E.g.,
If the above details match what is configured in your O365 Admin Center, you may find this Microsoft TechNet page useful:
Follow the link there (in the "Your domain's MX record has a problem" section) to the Microsoft Remote Connectivity Analyzer.
Using the option in the O365 tab, enter your primary domain (as configured in O365).
If there are any issues with the setup (DNS problem, etc.) the tool will return details - at which point you need to verify a solution to the issue with Microsoft support.
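
As a quick local check of the MX record before running the Remote Connectivity Analyzer, the following added example (not part of the original article or of any Broadcom or Microsoft tooling) classifies the MX answers for a domain. It assumes `dig` is available and that Exchange Online MX hosts end in `.mail.protection.outlook.com`; `example.com` and the sample answers are constructed placeholders.

```shell
# Added example: classify MX answers for a domain expected to be hosted in O365.
# Input format is that of `dig +short MX <domain>`: "<preference> <host>." per line.
# Assumption: Exchange Online MX hosts end in .mail.protection.outlook.com;
# anything else is reported so it can be compared with the O365 Admin Center.

classify_mx() {
  # Reads MX lines on stdin; prints one of:
  #   no-mx             no MX records returned
  #   not-o365          no MX record points at Exchange Online
  #   o365-not-primary  an Exchange Online MX exists but is not the preferred one
  #   o365              the preferred (lowest preference) MX is Exchange Online
  awk '
    NF >= 2 {
      host = tolower($2); sub(/\.$/, "", host)
      is_eop = (host ~ /\.mail\.protection\.outlook\.com$/)
      n++
      if (is_eop) eop++
      # Track the record with the lowest preference value (first one wins ties).
      if (n == 1 || $1 + 0 < best) { best = $1 + 0; best_is_eop = is_eop }
    }
    END {
      if (n == 0)            print "no-mx"
      else if (eop == 0)     print "not-o365"
      else if (!best_is_eop) print "o365-not-primary"
      else                   print "o365"
    }'
}

check_domain() {
  # Live lookup for the domain given as $1; requires dig and network access.
  dig +short MX "$1" | classify_mx
}

# Constructed sample answers for offline use (placeholder domain and hosts).
sample_ok='0 example-com.mail.protection.outlook.com.'
sample_gateway='5 mx1.gateway.example.net.
10 example-com.mail.protection.outlook.com.'
```

Run `check_domain <your primary domain>` and compare the result with the MX value shown for that domain in the O365 Admin Center; any result other than `o365` is a reason to review the DNS records.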