Email rejected from DLP CDS for external recipients but not internal ones
search cancel

Email rejected from DLP CDS for external recipients but not internal ones


Article ID: 268526


Updated On:


Data Loss Prevention Cloud Service for Email Email


You are having issues with emails having multiple recipients, some external, and at least one internal to your organization.

The message is delivered only to any internal recipients (internal with respect to the sender domain), but fails to all external recipients.


This is known to occur with the following outbound mail route:

Customer Exchange or O365 => DLP Cloud Service for Email => ESS (aka "Email")


During transfer from Exchange Online to Symantec Cloud DLP, the message transfer fails (from Exchange message tracking) report the same error for each external recipient as below:

Reason: [{LED=550-Invalid recipient [email protected] 550 (#5.1.1)};{MSG=};{};{IP=144.49.XXX.XXX};{LRT=4/11/2023 1:44:29 PM}]. OutboundProxyTargetIP: 144.49.XXX.XXX. OutboundProxyTargetHostName:


Message tracing at Email may show the following:

Sender: original.sender@<sending-domain>.com
2023-04-11 01:44:30 PM
Recipient: [email protected]
2023-04-11 01:44:30 PM
SMTP Status: blocked by address reg - Invalid recipient [email protected] (#5.1.1)



Release : 

Supported versions of the DLP Cloud Service for Email



Per the Engineering teams for DLP, ESS splits emails by domain, routes via DNS lookup, and sends NDRs for unknown recipients.

The following edge case in this mail flow gives undesirable results:

If an email recipient also happens to be an ESS customer, and happens to be provisioned on the tower that DLP sent the mail to, then the ESS tower can reject unknown recipients.

The ESS tower acts an an "inbound" hop in this scenario, instead of the expected "outbound" hop DLP expected.


The following detail in the ESS error above explains why:

"SMTP Status: blocked by address reg"

In this case, Address Registration is enabled, by the recipient's ESS configuration, thus rejected additional recipients that are not part of that organization.


The error occurs because AR is a setting that applies to inbound email.

Thus, to correct it, a customer whose mail was rejected would have to ask the recipients to verify their address is part of their company's AR lists (including external ones).

If it's not possible to have those external recipients update their own, separate AR lists in Email, it's also suggested to reroute messages from DLP Cloud back to O365, before sending them on for final delivery to Email




Additional Information

See KB: Error: "550-Invalid recipient" after sending email (

More information about the Address Registration part of this issue is also available here: About Address Registration (