The Symantec DLP Cloud Service for Email is rejecting emails that are sent from domains that are not registered in Symantec MessageLabs. The integration of the DLP Cloud Service for Email with MessageLabs (also known as Email Security.cloud) requires that any domains from which messages should be accepted are first added to, and validated in, the MessageLabs portal (ClientNet).
Release: All supported versions
Component: Cloud Service for Email
In some cases, customers have servers or applications that need to send out alerts or notification emails. It is not always possible to add domains for these emails, because either the domains are mutable (different every time) or the emails themselves are not sent out with a configured sender (no MAIL_FROM detail). Thus, when these messages are sent for inspection to the DLP Cloud Email Service, they are rejected by design.
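The following is an added example (not part of the original article and not Symantec tooling) that audits SMTP envelope senders to find the messages that would hit this rejection. The registered-domain list, the sample `MAIL FROM` lines and the exact-domain matching rule are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumption: placeholder domains standing in for those validated in ClientNet.
REGISTERED = {"example.com", "corp.example.com"}

# Constructed sample of SMTP commands, e.g. pulled from a send-connector log.
SAMPLE = [
    "MAIL FROM:<alice@example.com> SIZE=10240",
    "MAIL FROM:<alerts@host-7f3a.monitoring.invalid>",
    "mail from:<>",
    "MAIL FROM:<Backup@CORP.Example.COM> BODY=8BITMIME",
    "MAIL FROM:<alerts@host-91bc.monitoring.invalid>",
    "RCPT TO:<bob@partner.example>",
]

MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

def sender_domain(line):
    """Return the envelope sender domain in lower case, '' when the sender
    is empty or has no domain part, or None if the line is not MAIL FROM."""
    match = MAIL_FROM.match(line.strip())
    if match is None:
        return None
    path = match.group(1)
    if "@" not in path:
        return ""
    return path.rsplit("@", 1)[1].lower().rstrip(".")

def audit(lines, registered=REGISTERED):
    """Group envelope senders by whether their domain is registered.
    Assumption: the domain must match a registered domain exactly."""
    allowed = {d.lower() for d in registered}
    report = {"accepted": 0, "no_sender": 0, "unregistered": Counter()}
    for line in lines:
        domain = sender_domain(line)
        if domain is None:
            continue                      # not a MAIL FROM command
        if domain == "":
            report["no_sender"] += 1      # no configured sender
        elif domain in allowed:
            report["accepted"] += 1
        else:
            report["unregistered"][domain] += 1
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Domains that recur unchanged in the `unregistered` counter are candidates for registration, while domains that differ on every message and the `no_sender` count correspond to the two cases described above.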
The first preference, and best solution, is to add new domains to the configuration, as per this KB article: Emails rejected by DLP Cloud Service when sending messages from new domains (broadcom.com).
A second option for some customers is to have their Exchange servers rewrite the MAIL FROM (sender domain) on send to one of the pre-configured domains in MessageLabs. This way, when DLP receives the message, it will not be rejected on that basis. This feature, sometimes called "address masquerading", is described in the following Microsoft KB: https://docs.microsoft.com/en-us/exchange/architecture/edge-transport-servers/address-rewriting?view=exchserver-2016.
Note that Sender Rewrite options can have impacts on DLP Cloud Email - see this internal KB about additional options for configuring Mail Rules: