Email rejected from DLP CDS for external recipients but not internal ones

Article ID: 268526


Products

Data Loss Prevention Cloud Service for Email, Email Security.cloud

Issue/Introduction

You are having issues with emails having multiple recipients, some external, and at least one internal to your organization.

The message is delivered only to any internal recipients (internal with respect to the sender domain), but fails to all external recipients.

 

This is known to occur with the following outbound mail route:

Customer Exchange or O365 => DLP Cloud Service for Email => ESS (aka "Email Security.cloud")

 

During transfer from Exchange Online to Symantec Cloud DLP, the failed message transfers (as seen in Exchange message tracking) report the same error for each external recipient, as below:

Reason: [{LED=550-Invalid recipient [email protected] 550 (#5.1.1)};{MSG=};{FQDN=smtp-europe-west1-p11-i01-si01.dlp.protect.broadcom.com};{IP=144.49.XXX.XXX};{LRT=4/11/2023 1:44:29 PM}]. OutboundProxyTargetIP: 144.49.XXX.XXX. OutboundProxyTargetHostName: smtp-europe-west1-p11-i01-si01.dlp.protect.broadcom.com

 

Message tracing at Email Security.cloud may show the following:

Sender: original.sender@<sending-domain>.com
2023-04-11 01:44:30 PM
Recipient: [email protected]
2023-04-11 01:44:30 PM
SMTP Status: blocked by address reg - Invalid recipient [email protected] (#5.1.1)
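
A triage check for the symptom above, added here as an example (it is not Broadcom or Microsoft code): it parses the Exchange "Reason" string and flags messages that reached an internal recipient while every external recipient was rejected with 550 Invalid recipient (#5.1.1) at the DLP hop. The row fields (message_id, sender, recipient, status, reason), the status values, the documentation IP and all sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

DLP_SUFFIX = ".dlp.protect.broadcom.com"     # DLP Cloud Service hop, as in the article's FQDN
FIELD_RE = re.compile(r"\{(\w+)=([^}]*)\}")  # one {KEY=value} group of the Reason string

def parse_reason(reason):
    """Turn '[{LED=...};{MSG=};{FQDN=...};{IP=...};{LRT=...}]' into a dict."""
    return dict(FIELD_RE.findall(reason))

def rejected_as_invalid_by_dlp_hop(reason):
    f = parse_reason(reason)
    led = f.get("LED", "")
    return (led.startswith("550") and "Invalid recipient" in led and "5.1.1" in led
            and f.get("FQDN", "").lower().endswith(DLP_SUFFIX))

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def find_split_deliveries(rows):
    """Messages delivered internally while every external recipient hit 550 5.1.1 at the DLP hop."""
    by_msg = defaultdict(list)
    for row in rows:
        by_msg[row["message_id"]].append(row)
    hits = {}
    for mid, events in by_msg.items():
        internal_ok = any(domain(e["recipient"]) == domain(e["sender"])
                          and e["status"] == "Delivered" for e in events)
        external = [e for e in events if domain(e["recipient"]) != domain(e["sender"])]
        rejected = [e for e in external if e["status"] == "Failed"
                    and rejected_as_invalid_by_dlp_hop(e.get("reason", ""))]
        if internal_ok and external and len(rejected) == len(external):
            hits[mid] = sorted(e["recipient"] for e in rejected)
    return hits

# Constructed sample rows (not real tracking data); only the Reason layout comes from the article.
HOP = "smtp-europe-west1-p11-i01-si01.dlp.protect.broadcom.com"
def _reason(led):
    return "[{LED=%s};{MSG=};{FQDN=%s};{IP=192.0.2.10};{LRT=4/11/2023 1:44:29 PM}]" % (led, HOP)
def _row(mid, rcpt, status, reason=""):
    return {"message_id": mid, "sender": "alice@sender.example", "recipient": rcpt,
            "status": status, "reason": reason}
SAMPLE_ROWS = [
    _row("m1", "bob@sender.example", "Delivered"),
    _row("m1", "carol@partner.example", "Failed", _reason("550-Invalid recipient carol@partner.example 550 (#5.1.1)")),
    _row("m1", "dan@other.example", "Failed", _reason("550-Invalid recipient dan@other.example 550 (#5.1.1)")),
    _row("m2", "erin@sender.example", "Delivered"),
    _row("m2", "frank@partner.example", "Failed", _reason("554 5.7.1 Message rejected by policy")),
]
```

On the sample rows, find_split_deliveries(SAMPLE_ROWS) flags only message m1; m2 fails for a different reason and is left out.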

 

Environment


Supported versions of the DLP Cloud Service for Email

Email Security.cloud

Cause

Per the Engineering teams for DLP, ESS splits emails by domain, routes via DNS lookup, and sends NDRs for unknown recipients.

The following edge case in this mail flow gives undesirable results:

If an email recipient also happens to be an ESS customer, and happens to be provisioned on the tower that DLP sent the mail to, then the ESS tower can reject unknown recipients.

The ESS tower acts as an "inbound" hop in this scenario, instead of the "outbound" hop DLP expected.

 

The following detail in the ESS error above explains why:

"SMTP Status: blocked by address reg"

In this case, Address Registration is enabled in the recipient's ESS configuration, so the tower rejected the additional recipients that are not part of that organization.

Resolution

The error occurs because Address Registration (AR) is a setting that applies to inbound email.

Thus, to correct it, a customer whose mail was rejected would have to ask the recipients to verify their address is part of their company's AR lists (including external ones).

If it's not possible to have those external recipients update their own, separate AR lists in Email Security.cloud, it's also suggested to reroute messages from DLP Cloud back to O365, before sending them on for final delivery to Email Security.cloud.

 

 

 

Additional Information

See KB: Error: "550-Invalid recipient" after sending email (broadcom.com).

More information about the Address Registration part of this issue is also available here: About Address Registration (broadcom.com)