search cancel

Attribution errors preventing messages in your DLP Cloud Service for Email Office365 integration


Article ID: 212988


Updated On:


Data Loss Prevention Cloud Service for Email


You are setting up the Symantec Data Loss Prevention Cloud Service for Email, with O365 in Reflecting mode.

But messages are being rejected with various attribution errors.


Release :

Component :


Possible errors on messages as following:

451 4.4.62 Mail sent to the wrong Office 365 region. ATTR35. For more information please go to []

550 5.7.64 TenantAttribution; Relay Access Denied []

These appear to suggest that there is an issue with DNS for your domains in O365, however, it is more likely that there is a problem with the configuration of an Inbound Connector - specifically in regard to the one configured for the DLP Cloud Service for Email.




Verify that the Inbound Connector is setup as per the existing documentation:

In particular, the "550 5.7.64 TenantAttribution; Relay Access Denied" error can indicate that:

  1. The certificate on the upstream smarthost does not match the "domain" in the "How to identify email sent from your email server" in the Inbound Connector.
    • The solution is to make sure the value in Inbound Connector matches the CN of the smarthost certificate.
    • FYI: the CN referred to here is the Detector FQDN, which was sent in the Welcome Email, and is in the format of "<DetectorID-or-GUID>". It is also visible in the Enforce Server console entry for your Cloud Detector.
  2. The Inbound Connector is configured to accept mail from "Partner organization" rather than "Your organization's email server" as directed by the Implementation Guide.
    • The solution is to recreate the Inbound Connector choosing "Your organization's email server" for the "From" setting.

Both of the above errors (451 and 550) have also been seen when the Inbound Connector was not configured at all.