Unable to forward emails from Microsoft 365 accounts

Updated 13 hours ago by admin

If you are having issues with forwarding emails from Microsoft 365 accounts and you are receiving the following errors, this article discusses possible solutions depending on your configuration.

‎550 5.4.300 Message expired -> 421 4.4.0 Remote server response was not RFC conformant

550 5.0.1 Unable to Relay

Microsoft Office 365 supports Sender Rewriting Scheme (SRS), as per the following Microsoft Article: https://learn.microsoft.com/en-us/exchange/reference/sender-rewriting-scheme (external link)

Without SRS emails will be rejected. Although the Email Security service knows the IP Address is part of the SPF record an will know it has originated from Microsoft 365, the systems also needs to be able to assign it to an account and this is why we have implemented additional authentication for the SMTP From and From addresses, as per the following article:

https://help.clouduss.com/ems-knowledge-base/unable-to-relay-error-on-outbound-email

Without the additional authentication, an open relay would exist, allowing malicious actors to use the email service to potentially deliver spam emails. 

There are 3 optional solutions depending on your service’s configuration to resolve these mail-forward delivery issues

  1. Check your default domain in Microsoft 365:

The first solution is to check your default domain and make sure that your external domain is set as the default. You can find this by navigating to the following Microsoft 365 section: https://admin.microsoft.com/Adminportal/Home?#/Domains (external link)

If you are using a hybrid configuration, you cannot change your Default Domain within Microsoft 365. Please see alternative options below.
  1. Add your onmicrosoft.com domain with the default route to the list of Email Security domains:

Log in to the dashboard and navigate to Email Security -> Product Configuration -> Domains

Add a new domain that matches the domain section from Microsoft 365 and add a domain route accordingly e.g. <your domain-TLD>.mail.protection.outlook.com.

Please refer to your Microsoft documentation for your domain route.
  1. Bypass Email Security for Forwarded Addresses

This is a final option, if you are unable to configure domains within Microsoft 365 or the Email Security service. You can create a rule and a connection policy that bypasses Email Security for Forwarded Addresses.

Firstly, log in to your Exchange Admin Console with an Administrator Account, you can use the following link:

https://admin.exchange.microsoft.com/#/homepage (external link)

Navigate to Connectors, and click Add a connector, then use the following process:

Select Office 365 under "Connection From"

Select Partner Organization under "Connection to"

Select Next

Give the Connector a friendly name and description for your own identification and optionally add a description.

Select Next

Select Only when I have a transport rule set up that redirects messages to this connector

Select Next

For Routing, select Use the MX record associated with the partner’s domain

Select Next

Select the defaults in the Security Restrictions section

Select Next

Enter the forwarding address that are being forwarded to and click Validate

The validation process will start and this will send a test email automatically to the configured address to verify delivery. Please check you have received it.

Select Next

Review the connector configurations and click Create Connector.

Navigate to Rules within the Exchange Admin Console, and click Add a rule -> Create a new rule:

Enter the following configuration;

Please use the forwarding address where the email is going to be delivered too.

Select Next

Set rule conditions to make sure that the Rule Mode is set to Enforce, and the tick box for Stop processing more rules is enabled

Select Next

Review the rule and click Finish

This can take some time to replicate in Microsoft 365, so please be patient before testing Auto Forwarded Emails.


How did we do?