Symantec Data Loss Prevention Cloud Service for Email enforces isolation between Microsoft 365 tenants.
Your detector will only accept mail from recognized Exchange Online Verified Domains and recognized "onmicrosoft" domains. The domain that must be recognized in this context is the domain presented by Microsoft 365 in the X-OriginatorOrg header; this is not the MAIL FROM domain.
Recognized domains include domains provided to Symantec during DLP detector provisioning, domains claimed through Enforce via DNS TXT record, domains claimed through Email Security.cloud, and in some cases domains that Symantec identified as part of your organization at the time this security feature was introduced.
DLP Cloud Service for Email
In use with Microsoft 365 (aka O365, Exchange Online, etc.)
This error occurs when Symantec Data Loss Prevention Cloud Service for Email is not configured with the domain presented in the X-OriginatorOrg header.
Claim the domain seen in the error returned by Symantec Data Loss Prevention Cloud Service for Email. The domain in the error matches the value in the X-OriginatorOrg header.
If you have issues adding the domains, contact Symantec Support to have this domain added as an authorized Exchange Online Verified Domain or "onmicrosoft" domain.
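To confirm which domain has to be claimed, compare the X-OriginatorOrg header of an affected message with your recognized domains. The Python below is an added example, not Symantec or Microsoft code; the sample message, the domain names, the function names, and the exact case-insensitive match are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers of a message relayed by Exchange Online.
SAMPLE_MESSAGE = """\
Return-Path: <alerts@example.net>
From: Alerts <alerts@example.net>
To: partner@example.org
Subject: Quarterly report
X-OriginatorOrg: Example-Corp.onmicrosoft.com

body
"""


def _norm(domain):
    """Lowercase a domain and drop whitespace and any trailing dot."""
    return domain.strip().lower().rstrip(".")


def address_domain(header_value):
    """Domain part of an address header such as Return-Path, or None."""
    _, addr = parseaddr(header_value or "")
    return _norm(addr.rpartition("@")[2]) if "@" in addr else None


def check_originator(raw_message, recognized_domains):
    """Compare X-OriginatorOrg (not MAIL FROM) with the recognized domains.

    Assumption: exact, case-insensitive comparison; the service's real
    matching rules are not documented on this page.
    """
    msg = message_from_string(raw_message)
    recognized = {_norm(d) for d in recognized_domains}
    values = msg.get_all("X-OriginatorOrg") or []
    originator = _norm(values[0]) if values else None
    accepted = originator is not None and originator in recognized
    return {
        "originator_org": originator,
        "mail_from_domain": address_domain(msg.get("Return-Path")),
        "accepted": accepted,
        # The domain to claim is the header value when it is not recognized.
        "domain_to_claim": None if accepted else originator,
    }


if __name__ == "__main__":
    # Only the MAIL FROM domain is claimed here, so the check fails.
    print(check_originator(SAMPLE_MESSAGE, ["example.net"]))
```

With only the MAIL FROM domain in the recognized list, the result reports the "onmicrosoft" value from X-OriginatorOrg as the domain to claim.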
To learn more about this Microsoft header, see the Microsoft Community Hub article "Advanced Office 365 Routing: Locking Down Exchange On-Premises when MX points to Office 365".
The solution to this KB is similar to the one described in KB 206244.