Microsoft is changing the behavior of its inbound connector. Details about the change are at Updated Requirements for SMTP Relay through Exchange Online - Microsoft Community Hub.
This change only impacts Broadcom customers using Configuring Microsoft 365 to use Microsoft 365 for Email Delivery (Reflecting mode) (broadcom.com). Due to these changes, emails sent with a null sender will be rejected when delivered back to Office365. To avoid any issues, Broadcom is working on a set of instructions you can use to address this coming change. DLP Cloud Service for Email Reflecting mode customers will be required to make some configuration changes based on these instructions.
Update (January 2024):Product Advisory for this topic.. Further guidance on necessary changes to the Inbound Connector are given in this article. Updates will also be made to online help for Reflecting mode (link above) and to the
DLP 15.8 - Current
DLP Cloud Service for Email in Reflecting mode
As per their published notice, this is due to a change in Microsoft that will no longer allow null senders:
To ensure traffic for your O365 Reflecting mode Cloud Detector is not impacted, take the following steps to add a Broadcom-owned subdomain to Office 365.
From the Microsoft 365 admin center, go to Settings > Domains > Add domain.
Type the domain name provided by your Broadcom Support team in the Domain name field. The domain name should contain the first 13 characters of the detector ID plus the domain ds.dlp.protect.broadcom.com.
Example: Your detectorID looks like something like: 12345678-abcd-efgh-ijkl-12345678abcd
Your domain will be the first 13 characters, so per the above example, 12345678-abcd. Now you add the Broadcom domain (.ds.dlp.protect.broadcom.com), so it looks like:
Click Use this domain.
On the Verify you own your domain page, click Add a TXT record to the domain’s DNS record.
On the Add a record to verify ownership page, copy the TXT name, the TXT value, and the TTL. Provide these values to your Broadcom Support team. The Broadcom team will make the required changes in the backend. You can exit the setup and complete it later. The progress you have made so far will not be lost.
The Broadcom team will let you know when the changes are complete. This may take up to a day.
After you receive notification from your Broadcom Support team, go to the Add a record to verify ownership page and select the Verify.
Go to How do you want to connect your domain?
Click More options and Skip and do this later.
Go to the Domains page. The domain should now show a No services selected status. This status means that the domain was correctly added and the setup process is complete.
Update (January 2024): After making the changes above, follow these next steps to update the existing Inbound Connector in O365, for your DLP Cloud Service:
Find your DLP Inbound Connector in O365.
In the flyout configuration window, click on "Edit sent email identity".
In the configuration, you need to modify the entry for "By verifying that the subject name on the certificate that the sending server uses to authenticate with Microsoft 365 matches this domain name."
Previously, our instructions were to enter the FULL DETECTOR FQDN of your Cloud Detector (as per "Server > Detector Detail" page in the Enforce Server administration console).
This needs to be changed to match the above new "short" domain for the Detector, which was added in the steps above as an "accepted domain" in O365 for your account.
Per the example above, this field should now have an entry like this:
Click Save and verify the change has been applied.
The above change should not have any negative impacts on current mailflow. It will, however, allow any queued emails with "null sender" values to be delivered successfully.
Additional Microsoft reference:
This updated requirement came directly from Microsoft, and DLP documentation is being updated to reflect this new instruction.
If you have any questions or require assistance, contact Technical Support: Contact Support - Support Portal - Broadcom support portal.