"550 5.4.1 Recipient address rejected: Access denied" When Sending to Mail-enabled Public Folders in Microsoft 365

"550 5.4.1 Recipient address rejected: Access denied" When Sending to Mail-enabled Public Folders in Microsoft 365

What is the issue?

When sending to mail-enabled public folders in Microsoft 365, a bounce is returned stating the following:
"550 5.4.1 Recipient address rejected: Access denied"

Why is this happening?

This is caused by Directory Based Edge Blocking (DBEB):
- DBEB will reject external email addresses that are not present within Azure Active Directory
- Public folder mailboxes are not synchronised with Azure AD
- These email are now considered external because they are routing through Black Pearl Mail

You can find more information around this in the below Microsoft article:

How can we fix it?

We have compiled the below solutions / workarounds:
Solution 1 - Prevent emails sent to public folders from routing through Black Pearl Mail; This is our recommendation as it will have the least impact, however emails sent to mail-enabled public folder will not be branded.
Solution 2 - Migrate from public folders to shared mailboxes; the most work involved, but may not suit your requirements.
Solution 3 - Change the domain from “authoritative” to “relay”, in turn disabling DBEB (please consider any security implication if implementing this solution).

Solution 1 - Prevent emails sent to public folders from routing through Black Pearl Mail

With this option, we will modify your existing Black Pearl Mail routing rule to prevent emails sent to you mail-enabled public folder mailboxes from routing through Black Pearl Mail, therefor considering the mail as internal and ensuring delivery. This is the workaround we recommend as it will have the least impact on your environment. The downside of this solution is if someone sends to the mail-enabled public folder mailbox then the email will not be branded. Please follow the below steps to achieve this solution.

1. Log into your Microsoft 365 Exchange Online admin console.
2. Navigate "Mail flow" and select "Rules".
3.  Select the "Black Pearl Mail" rule and click on the "edit" icon.


4. Click on "Add exception".
5. Select "the recipient..>is this person"


6. From the pop up box, select all of the mail-enabled public folder addresses and click "ok".


7. Ensure that the addresses have been populated next to the exception and click "Save".


Solution 2 - Migrate from public folders to shared mailboxes


Shared mailboxes are synchronized with Azure AD, and will therefor accept mail from external sources. Migrating from public folders to shared mailboxes will involve some technical work. See the article below for more information around shared mailboxes:

If you have any questions regarding the steps in this documentation, please contact support@blackpearlmail.com.
    • Related Articles

    • Configure Microsoft 365 with Black Pearl Mail

      These steps will route all of your users through the Black Pearl Mail platform. If you would prefer to start with a test/pilot group before rolling out with all of your users, follow these instructions. STEP 1 – Log in to M365 1) Open the Microsoft ...
    • Configure Microsoft 365 with Black Pearl Mail - Using a Test/Pilot Group

      You may want to set up a specific group of users to test the Black Pearl Mail system before deploying to your entire organization. This article explains how to create a test group in Microsoft 365 and where to make the change in the Black Pearl Mail ...
    • Pictures cannot be displayed and are shown as a red "X" in Microsoft Outlook

      When you open an email message that contains images in Microsoft Office Outlook, the image areas are blocked. These areas display a red "X" placeholder. Blocking pictures can help protect your computer. Microsoft Outlook is configured by default to ...
    • Understanding why your mail provider isn't supported by Black Pearl Mail

      This document provides a list of the current mail providers that can be configured for Black Pearl Mail, why these mail providers are supported, and why other mail providers are not supported. What is a mail provider? A mail provider is essentially ...
    • Obtain M365 Tenant Address for Onboarding

      What will you need to do? ​If you are using a mail filter with M365, then the Black Pearl Mail Onboarding team require your M365 tenant address in order for us to send the email back to you after branding. This document details the steps to follow to ...