You have some emails coming from a different domain than is configured for your DLP Cloud Service for Email integration.
You've followed existing documentation (Cloud Service for Email Implementation Guide) and have a Transport Rule which should only allow emails from your domains to be sent to DLP.
However, some messages are still being sent to DLP and are being rejected with a "Domain not authorized" error.
Release : Any
Component : DLP Cloud Service for Email
The emails are "spoofed" to appear to originate from your domain by a third-party tool (e.g., "Salesforce"), and you cannot add that tool's domain to your list of authorized domains because it does not belong to you.
DLP rejects them because we examine the "MAIL FROM" address, which comes from the SMTP envelope rather than from the message header (the "From" field that the Transport Rule matches by default).
There is an option in O365 Transport rules - "Match sender address in message".
The default setting for this field is "Header".
According to Microsoft documentation, this will "Only examine senders in the message headers (for example, the From, Sender, or Reply-To fields)."
It is also possible to set this to "Envelope", which instead will "Only examine senders from the message envelope (the MAIL FROM value that was used in the SMTP transmission, which is typically stored in the Return-Path field)."
Because spoofed emails (like those from vendors such as Salesforce, or Wolken, or ServiceNow) preserve the envelope data (visible via the "Return-Path" field in any Header Analyzer tool), it is possible to set the Transport Rule in O365 to look at that field instead.
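The following is an added illustration (not part of this article or the product) of why the default "Header" setting causes the rejections: it evaluates one constructed message, with placeholder domains, under both rule settings and against DLP's envelope-based authorization check.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (placeholder domains): a vendor tool sends on behalf of a
# user, so the header From shows your domain while the SMTP envelope sender
# (MAIL FROM, kept in Return-Path) carries the vendor's bounce domain.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-123@bounce.vendor-tool.example>
From: Alice Example <alice@yourcompany.example>
Subject: Quote attached

Hello Bob, see attached.
"""
YOUR_DOMAINS = {"yourcompany.example"}

def _domain(addr):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def header_sender_domain(raw):
    """What the rule sees with 'Match sender address in message' = Header."""
    return _domain(message_from_string(raw).get("From", ""))

def envelope_sender_domain(raw):
    """What the rule sees with the setting = Envelope (MAIL FROM / Return-Path)."""
    return _domain(message_from_string(raw).get("Return-Path", ""))

def rule_sends_to_dlp(raw, match_mode, domains):
    """Does a 'sender domain is <your domains>' rule route the message to DLP?"""
    if match_mode == "Header":
        return header_sender_domain(raw) in domains
    if match_mode == "Envelope":
        return envelope_sender_domain(raw) in domains
    raise ValueError(f"unknown match mode: {match_mode}")

def dlp_accepts(raw, domains):
    """DLP Cloud Service authorizes on the envelope MAIL FROM, not the header From."""
    return envelope_sender_domain(raw) in domains

def outcome(raw, match_mode, domains):
    """Summarize what happens to the message under a given rule setting."""
    if not rule_sends_to_dlp(raw, match_mode, domains):
        return "not routed to DLP"
    if dlp_accepts(raw, domains):
        return "accepted by DLP"
    return "rejected by DLP: Domain not authorized"

for mode in ("Header", "Envelope"):
    print(f"{mode:8} -> {outcome(SPOOFED_MESSAGE, mode, YOUR_DOMAINS)}")
```

With "Header" the rule forwards the message and DLP rejects it; with "Envelope" the rule never sends it to DLP, which is the behaviour the resolution below relies on.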
As a customer, you can choose which option works best: