Some messages are being rejected by the DLP Cloud Email Service with a "Tenant Not Assigned" error


Article ID: 206244


Updated On:


Data Loss Prevention Cloud Service for Email, Data Loss Prevention Cloud Package


You are using the DLP Cloud Service for Email and find that some messages are queueing upstream (in O365) with the following error:

Reason: [{LED=421 4.3.0 Tenant Not Assigned. Missing X-DetectorID. Please check the configuration in the latest copy of the DLP Cloud Service for Email Implementation Guide.}

Most emails are accepted without the error, however, and the list of domains used by your organization has already been validated in the Enforce Server as per requirements (see "Additional Information" below).


In many cases, the emails in question are NDRs (non-delivery reports) or DNRs ("do not reply" notification emails). In some cases this additional error is returned:

Error: 550 5.7.1 Domain not authorized


Release : 15.7+

Component :

DLP Cloud Service for Email, in O365 Reflecting mode

This solution is usually only required if both of the following are true:

  1. You are using the DLP Cloud Service for Email in O365 Reflecting mode (message sent back to O365 after DLP inspection is complete).
  2. You have set "" (instead of "") as the primary domain in O365 Admin Center.


It is possible your primary domain in O365, aka the "OrganizationalUnitRoot", includes the "" domain.

If so, you need to add this domain (i.e., "") to the list of Validated Domains for your DLP Cloud Detector.


Using the O365 Admin Center, it is possible to add a specific TXT record as a "Custom" record for your "onmicrosoft" domain.

  1. Log in as an O365 Admin, and go to Domains > (choose the domain) > DNS records.
  2. Click "+Add record" to create a new Custom record.
  3. For "Name" enter an "@" symbol.
  4. The "value" should be your TXT record as found in the Welcome Email for the Cloud Service for Email (it's also visible for the Detector entry in the Enforce Service UI).
  5. The TTL should be 1 Hour.

After saving the changes, wait for the update to propagate through DNS. You can check this with an NSLOOKUP query for the TXT record, or with third-party tools such as MxToolbox.


Additional Information

Customers in O365 Reflecting mode can find more information at this link: About updating email domains in the Enforce Server administration console.

To confirm the "OrganizationalUnitRoot" for your O365 account, you can use the "Get-OutboundConnector" command in Exchange PowerShell.

Both the Outbound and Inbound connectors will include this detail:

OrganizationalUnitRoot : <your-domain>

For more info, see: Get-OutboundConnector (ExchangePowerShell) | Microsoft Docs.
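
The two checks described above (reading "OrganizationalUnitRoot" from the connectors and confirming the TXT record is visible in DNS) can be run together from one PowerShell session. This is an added example, not part of the original article or vendor code. It assumes the ExchangeOnlineManagement module and the Windows Resolve-DnsName cmdlet are available; the `$ExpectedTxt` value is a placeholder and the resolver addresses are illustrative.

```powershell
# Added example (not vendor code).
# ASSUMPTION: placeholder; paste the TXT value from the Welcome Email or from
# the Detector entry in the Enforce UI.
$ExpectedTxt = '<TXT-value-from-welcome-email>'
# ASSUMPTION: public resolvers picked for illustration; querying more than one
# shows whether the new record has propagated beyond a single cache.
$Resolvers = @('8.8.8.8', '1.1.1.1')

Connect-ExchangeOnline -ShowBanner:$false

# Both connector types carry OrganizationalUnitRoot; collect the distinct values.
$connectors = @(Get-OutboundConnector) + @(Get-InboundConnector)
$roots = $connectors |
    ForEach-Object { [string]$_.OrganizationalUnitRoot } |
    Where-Object { $_ } |
    Sort-Object -Unique

$report = foreach ($root in $roots) {
    foreach ($server in $Resolvers) {
        # A failed lookup (NXDOMAIN, timeout) yields an empty list, not an exception.
        $txt = @(Resolve-DnsName -Name $root -Type TXT -Server $server -DnsOnly `
                    -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' } |
            # Long TXT values are split into 255-byte chunks; rejoin before comparing.
            ForEach-Object { -join $_.Strings })

        [pscustomobject]@{
            Domain     = $root
            Resolver   = $server
            TxtRecords = $txt.Count
            Validated  = $txt -contains $ExpectedTxt
        }
    }
}

$report | Format-Table -AutoSize

# Any row with Validated = False is a domain the service cannot yet match to
# your Detector from that resolver's point of view.
$report | Where-Object { -not $_.Validated }

Disconnect-ExchangeOnline -Confirm:$false
```

A domain that shows Validated = True on one resolver and False on another is usually still propagating; re-run after the record's TTL has elapsed.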

Update: Microsoft has recently announced changes to mailflow for certain message types, such as those covered by the topic of this KB. For information about that, see: Sender Rewriting Scheme (SRS) in Microsoft 365 | Microsoft Learn.