
Emails are being rejected by the DLP Cloud Service with 550 "Relay Access Denied"


Article ID: 211845


Products

Data Loss Prevention Cloud Service for Email

Issue/Introduction

You have a newly configured setup for DLP Cloud Service for Email, which is integrated with O365, in Reflecting mode:

Email Client => O365 => DLP Cloud Service for Email => O365

However, emails are being rejected with 550 "Relay Access Denied" errors, and the errors seem to come from DLP.

Cause

The error may state one of the following:

"550 5.7.64 TenantAttribution; Relay Access Denied"

This is possibly due to the configuration of the Connectors.

Resolution

Check the configuration of both the "Outbound to DLP" and "Inbound from DLP" Connectors in O365 Admin Portal.

The DLP documentation for the Cloud Service for Email implementation suggests that these connectors should be configured as the following types in O365:

| Connector Purpose | DLP Documentation description of "Type" | Microsoft PowerShell setting for type | Setting with regard to Microsoft Hybrid Configuration |
| --- | --- | --- | --- |
| Outbound to DLP Cloud Service | "from Office 365 and to Partner organization" | Partner | "CloudServicesMailEnabled" is "false" |
| Inbound from DLP Cloud Service (reflecting back to O365) | "Your organization's email server and to Office 365" | OnPremises | "CloudServicesMailEnabled" is "true" |

Note that the Inbound Connector should NOT be "Partner" but the Outbound one should be.

If the Inbound Connector is not set as "Your organization's email service" but was configured as a "Partner" instead, this could be the problem.

Set the Inbound Connector to "Your organization's email service" and wait for the changes to cascade throughout the hosted email services (~30 minutes), then retest.
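The same check can be done from Exchange Online PowerShell instead of the Admin Portal. The following is an added example, not part of the original article: it compares each connector against the values in the table above. The connector names 'Outbound to DLP' and 'Inbound from DLP' are assumed from the labels used in this article (your tenant's names may differ), the function name Test-DlpConnector is hypothetical, and the two sample objects are constructed to reproduce the misconfiguration described here.

```powershell
# Expected values, taken from the table in this article.
$Expected = @{
    Outbound = [ordered]@{ ConnectorType = 'Partner';    CloudServicesMailEnabled = $false }
    Inbound  = [ordered]@{ ConnectorType = 'OnPremises'; CloudServicesMailEnabled = $true  }
}

# Hypothetical helper: compares one connector object with the expected settings.
function Test-DlpConnector {
    param(
        [Parameter(Mandatory)] [ValidateSet('Outbound', 'Inbound')] [string] $Direction,
        [Parameter(Mandatory)] $Connector
    )
    $want = $Expected[$Direction]
    $problems = foreach ($prop in $want.Keys) {
        $actual = $Connector.$prop
        # Compare as strings so enum and boolean values from live objects also match.
        if ("$actual" -ne "$($want[$prop])") {
            "$prop is '$actual', expected '$($want[$prop])'"
        }
    }
    [pscustomobject]@{
        Direction = $Direction
        Name      = $Connector.Name
        Compliant = -not $problems
        Problems  = @($problems) -join '; '
    }
}

# Constructed sample objects: the Inbound connector was created as "Partner".
# Against a live tenant (ExchangeOnlineManagement module), use instead:
#   Connect-ExchangeOnline
#   $outbound = Get-OutboundConnector -Identity 'Outbound to DLP'
#   $inbound  = Get-InboundConnector  -Identity 'Inbound from DLP'
$outbound = [pscustomobject]@{ Name = 'Outbound to DLP';  ConnectorType = 'Partner'; CloudServicesMailEnabled = $false }
$inbound  = [pscustomobject]@{ Name = 'Inbound from DLP'; ConnectorType = 'Partner'; CloudServicesMailEnabled = $false }

Test-DlpConnector -Direction Outbound -Connector $outbound
Test-DlpConnector -Direction Inbound  -Connector $inbound

# Correcting the connector type on a live tenant, as described in the Resolution:
#   Set-InboundConnector -Identity 'Inbound from DLP' -ConnectorType OnPremises
# Then re-run the check after the change has propagated (~30 minutes).
```

With the sample objects, the Outbound connector reports as compliant and the Inbound connector is flagged for both ConnectorType and CloudServicesMailEnabled.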

 

Additional Information

For more information about the settings in the last column of the table above, see this Microsoft doc defining the configuration parameters for Connectors in Exchange Online:

New-OutboundConnector (ExchangePowerShell) | Microsoft Docs