"550 5.4.1 Recipient address rejected: Access denied" When Sending to Mail-enabled Public Folders in Microsoft 365
What is the issue?
When sending to mail-enabled public folders in Microsoft 365, a bounce is returned stating the following:
"550 5.4.1 Recipient address rejected: Access denied"
Why is this happening?
This is caused by Directory Based Edge Blocking (DBEB):
- DBEB will reject external email addresses that are not present within Azure Active Directory
- Public folder mailboxes are not synchronised with Azure AD
- These email are now considered external because they are routing through Black Pearl Mail
You can find more information around this in the below Microsoft article:
How can we fix it?
We have compiled the below solutions / workarounds:
Solution 1 - Prevent emails sent to public folders from routing through Black Pearl Mail; This is our recommendation as it will have the least impact, however emails sent to mail-enabled public folder will not be branded.
Solution 2 - Migrate from public folders to shared mailboxes; the most work involved, but may not suit your requirements.
Solution 3 - Change the domain from “authoritative” to “relay”, in turn disabling DBEB (please consider any security implication if implementing this solution).
Solution 1 - Prevent emails sent to public folders from routing through Black Pearl Mail
With this option, we will modify your existing Black Pearl Mail routing rule to prevent emails sent to you mail-enabled public folder mailboxes from routing through Black Pearl Mail, therefor considering the mail as internal and ensuring delivery. This is the workaround we recommend as it will have the least impact on your environment. The downside of this solution is if someone sends to the mail-enabled public folder mailbox then the email will not be branded. Please follow the below steps to achieve this solution.
1. Log into your Microsoft 365 Exchange Online admin console.
2. Navigate "Mail flow" and select "Rules".
3. Select the "Black Pearl Mail" rule and click on the "edit" icon.
4. Click on "Add exception".
5. Select "the recipient..>is this person"
6. From the pop up box, select all of the mail-enabled public folder addresses and click "ok".
7. Ensure that the addresses have been populated next to the exception and click "Save".
Solution 2 - Migrate from public folders to shared mailboxes
Shared mailboxes are synchronized with Azure AD, and will therefor accept mail from external sources. Migrating from public folders to shared mailboxes will involve some technical work. See the article below for more information around shared mailboxes:
Solution 3 - Change the domain from “authoritative” to “relay” / disabling DBEB (not recommended)
Disabling DBEB will switch off the security feature that is rejecting the messages. This option is not recommended as it could open up security holes to your environment, so please carry out the below steps at your own risk.
1. Log into your Microsoft 365 Exchange Online admin console.
2. Navigate "Mail flow" and select "Accepted domains".
3. Select the domain that related to the mail-enabled public folder then click Edit.
4. Under "This accepted domain is" select "Internal relay".
5. Click Save.
1. Log into your Microsoft 365 Exchange Online admin console.
2. Navigate "Mail flow" and select "Accepted domains".
3. Select the domain that related to the mail-enabled public folder then click Edit.
4. Under "This accepted domain is" select "Internal relay".
5. Click Save.
If you have any questions regarding the steps in this documentation, please contact support@blackpearlmail.com.
Related Articles
Configure Microsoft 365 with Black Pearl Mail
These steps will route all of your users through the Black Pearl Mail platform. If you would prefer to start with a test/pilot group before rolling out with all of your users, follow these instructions. The following steps will need to be done within ...Configure Microsoft 365 with Black Pearl Mail - Using a Test/Pilot Group
You may want to set up a specific group of users to test the Black Pearl Mail system before deploying to your entire organization. This article explains how to create a test group in Microsoft 365 and where to make the change in the Black Pearl Mail ...Adding People to Black Pearl Mail - Synchronize your Email Users saved in your Email Admin Portal to Black Pearl Mail to Create People Profiles and Field Mapping
Looking to Import your user database? Please Click Here for more information about importing and exporting users via CSV file. One method to add your staff emails and signature details into Black Pearl Mail is by using the People Synchronize option ...Pictures cannot be displayed and are shown as a red "X" in Microsoft Outlook
When you open an email message that contains images in Microsoft Office Outlook, the image areas are blocked. These areas display a red "X" placeholder. Blocking pictures can help protect your computer. Microsoft Outlook is configured by default to ...Obtain M365 Tenant Address for Onboarding
What will you need to do? If you are using a mail filter with M365, then the Black Pearl Mail Onboarding team require your M365 tenant address in order for us to send the email back to you after branding. This document details the steps to follow to ...