Open navigation

Non-delivery report 550 5.4.1 Recipient address rejected: Access denied

Problem

When you send an email, the email is not delivered, and you receive a non-delivery report with an error message similar to this:

550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [CWLGBR01FT019.eop-gbr01.prod.protection.outlook.com]

Reason

The email was blocked by Directory-Based Edge Blocking (DBEB) in Microsoft 365.

DBEB is enabled by default for your domains in Microsoft 365. DBEB will block external emails sent to email addresses that do not exist within your Azure Active Directory.

Microsoft 365 does not currently synchronise mail-enabled public folder mailboxes with Azure AD. When emails have been processed by Signature 365 and are routed back to Microsoft 365, they are considered external by DBEB.

Note

This problem only affects emails that are forwarded to the Signature 365 service for signature injection. If you use the Signature 365 add-in for Outlook, then emails sent from Outlook and Outlook on the Web are not affected by this issue.

Solution

See below depending on your environment:

  • If your public folders are hosted in Exchange Online
  • If your public folders are hosted in Exchange Server on-premise

If your public folders are hosted in Exchange Online

Directory-Based Edge Blocking (DBEB) does not currently support mail-enabled public folders in Exchange Online.

There are two workarounds:

  1. Stop routing emails sent to public folders via Signature 365 (Recommended)
  2. Disable Directory-Based Edge Blocking (Not recommended)

Stop routing emails sent to public folders via Signature 365 (Recommended)

Note this workaround means server-side signatures will not be applied to email sent to public folders.

  1. Log on to Exchange admin center
  2. Navigate to Mail flow > Rules
  3. Select the rule Send to Signature 365 for signature injection and click Edit
  4. In the Except if... section, click add exception
  5. Select The recipient... and is this person
  6. In the Select Members dialog, select all mail enabled public folders and click Add
  7. Click OK, then click Save

Disable Directory-Based Edge Blocking (Not recommended)

  1. Log on to Exchange admin center
  2. Navigate to Mail flow > Accepted domains
  3. Select the domain of the public folder
  4. Change the domain type to Internal relay
  5. Click Save

If your public folders are hosted in Exchange Server on-premise

Completing the steps below will ensure that mail-enabled public folders will no longer be considered invalid addresses by DBEB:

  1. Open Microsoft Azure Active Directory Connect
  2. On the Optional Features pane, tick the Exchange Mail Public Folders option:


  3. Complete the wizard

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.