Office 365 Exchange Dynamic Distribution Group External Sender Access

How to allow External Senders to submit email to a Dynamic Distribution Group in Office 365 Exchange Online

Problem:

Office 365 Exchange Online by default will not allow external senders to submit email to a Dynamic Distribution Group, even if the group's Delivery Management is set to allow "Senders inside and outside of my organization".

An example of what the sender will see in the NDR (bounce email) is below:

550 5.4.1 [MySpecialDDG@mydomain.com]: Recipient address rejected: Access denied [BL2NAM02FT035.eop-nam02.prod.protection.outlook.com]

Solution:

When creating a Dynamic Distribution Group in Exchange on Office365, if you want external senders to be able to send email to the group, you have to adjust the Accepted Domain in the ECP Mail Flow Settings.

The domain type must be changed from Authoratative to Internal Relay.

Details & Discussion:

This is kind of an abnormal use of the Internal Relay setting:

Normally you would use Internal Relay if there are other email servers (Exchange or non-Exchange) that some mailboxes may reside on besides the O365 tenant. This is sometimes used during migration scenarios where a company has some mailboxes on-prem and others already functioning in their O365 Exchange tenant.

Anyway, in the case of the Dynamic Distribution Group, apparently the Exchange edge protection rejects the message due to Directory Based Edge Blocking (DBEB) not recognizing the DDG as a valid recipient in the directory. I don't know why this behavior is any different from a normal Distribution Group, but it is.

So by changing the domain type to Internal Relay, you are essentially disabling DBED and telling the Exchange Online Edge Protection to allow emails to be received for any address at our domain. Then as the message traverses into the Exchange Online environment, additional scrutiny will happen at the various layers and eventually the message will be delivered (or in the case of an invalid recipient, the message would still be rejected. Just further upstream).

This Breaks/Disables Recipient Verification

This solution disables Recipient Verification. This is because changing a domain's type to "Internal Relay" effectively turns off "Directory Based Edge Blocking" and DBEB is O365 Exchange Online's recipient verification system.

This creates 2 potential problems:

  1. Increased server resource utilization to O365 because all messages to invalid recipients are still received & processed until later rejected down the line. This is inefficient. It doesn't affect fees paid to O365 (at least not today), and likely not mail flow performance in any appreciable way. But it is not ideal.
  2. 3rd Party spam/mail security solutions used before messages reach O365 (ie have your MX point to a different service provider who filters spam first before relaying into O365) will not be able to rely on recipient verification to determine valid senders. As a result, your administrative overhead of these services will typically increase because you will have to add/remove users to/from the 3rd party email security service manually as users are added to/removed from your organization over time.

Bottom Line / Summary:

I think Microsoft should change internally how DBEB handles DDGs. Whether or not they are accessible for External senders to submit mail to should be controlled solely by the DDG's Delivery Management setting as with traditional Distribution Groups. Until then, this is the way to work around that.

Personally, I will not be leaving any O365 tenants with DBEB disabled for any length of time, so this is not a solution I would implement any longer than the 5-10 minutes I would actually need the feature. But it would be ideal to use a different method altogether (such as submit the messages using an internal address), rather than regularly change a mail flow setting for your primary email domain.

My primary source on this solution is here:

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_dep365-mso_o365b/dynamic-distribution-group-and-external-sender/4ce9f7f1-7d66-4d6b-bce6-1b0f731ccf38?auth=1

More info on Directory Based Edge Blocking (DBEB) can be found at:


  • https://technet.microsoft.com/en-us/library/dn600322(v=exchg.150).aspx
  • https://technet.microsoft.com/en-us/library/jj723153(v=exchg.150).aspx

Comments

  1. KippleSeptember 4, 2019 at 12:08 PM

    Thank you for the article, Google should pick it up, this Microsoft stuff is absurd, Thank you again

    ReplyDelete
  2. AjiOctober 22, 2020 at 2:57 AM

    Instead of changing the accepted domain settings, Just create a DL and open that up to external. Then add the DDG as a member of the DL

    ReplyDelete

Post a Comment

Popular posts from this blog

StarTech PEXM2SAT3422 initial problems

Image
Background The card: The StarTech PEXM2SAT3422 is a PCIe 4x card featuring 4 SATA ports as: 2 x SATA connector 2 x M.2 NGFF connector It uses the Marvell 88SE9230 chipset The card features RAID 1, 0, 10, as well as SATA pass-through. Upon initially deploying the card, I experienced some very serious problems with it My setup: Server is a SuperMicro X9SCM in a 2U half-depth chassis. 3Ware Card exists with 2 1TB WD Black HDs. Motherboard Intel SATA has 2 Kingston SSDs installed in a RAID1 (Microsoft Dynamic Disk) OS is Server 2012 R2 This server has been rock solid for 3 years. About 1 year ago: I added an Ablecomm SATA card that has 2 M.2 connectors. It has housed a single Crucial CX300 M.2 SATA SSD. This setup has been rock solid with no hiccups whatsoever. Today: I replaced the Ablecomm PCIe card with the StarTech card and moved the CX300. I also installed a 2nd 1TB CX300 alongside. The plan was to mirror the 2 CX300s and start using them for prod...
Read more

Team Conflict Avoidance System Erratic Behavior

The below video shows me discovering conflicting games that were auto-scheduled by the StackSports scheduling system despite a team conflict rule having been previously created to prevent this. Usually the system adheres to the team conflict rules I create. Sometimes (inexplicably) it doesn't. This video is an excellent example showing this is actually a bug, and not intended behavior. After making a subtle adjustment to a game time, it's like the existing team conflict rule "woke up", and triggered the red alerts it should have done all along. In fact it should have scheduled these games in a way to avoid the conflicts in the first place, and therefore the alerts wouldn't have ever had need to exist. This video shows problems such as: Conflicting games that should never have been scheduled at the same time (based on the team conflict rules that were already defined). Missing alert/warnings for "error" games that have problems (i.e. the gam...
Read more

No grace in verbatim communion prayers

Image
I do not appreciate the intolerance for minor grammatical errors in the spoken (typically ‘read’) communion sacrament prayers when recited by the LDS young men during congregation worship services. I understand the covenant nature of the prayer, and thus the importance of the meaning of the covenant being accurately conveyed in the prayer. But the intolerance for minor nuanced accidental variations that do not change the details of the covenant or prayer seems nonsensical. It is disruptive to the service to require the young man to repeat the entire prayer for such an error. And it potentially embarrasses the young man unnecessarily. Considering the degree of grace and leniency church members seem to grant Joseph Smith for much more significant variations in details he communicated (such as stating he was 14 years old, and also that he was 16 years old, when he had his first vision), I don’t understand why we can’t grant our young men a bit of grace for a much-less significant nuanced...
Read more