Office 365 Returns NDRs to Inbound Email

Author by Michael Epping

All mail that comes into Office 365 must pass through the Forefront Online Protection for Exchange service for message hygiene purposes. Typically the FOPE service is provisioned automatically when the Office 365 tenant is created and when vanity domains are verified for use with Exchange. However, there are some edge cases where this provisioning process fails, primarily when the vanity domain was used with a trial of BPOS (Business Productivity Online Suite) in the past. Any domain that was verified with BPOS at any point still exists today, so when one of these domains is re-verified with Office 365 years later FOPE is provisioned incorrectly. This can be seen by going to the FOPE administration center, which can be accessed by signing into login.microsoftonline.com as a tenant administrator, clicking on Manage under Exchange, going to the Mail Control tab on the left, and selecting this link: At the FOPE administration webpage click the Administration link and the Domains sub-link. Here you will find a list of domains for the tenant. Normally all domains verified in Office 365 are listed here, but if one of these domains was already verified in BPOS prior to the creation of the Office 365 tenant then it will listed here as DuplicateDomain-(GUID). When this DuplicateDomain issue is occurring mail sent inbound to FOPE may be bounced back to the external sender with a 550 5.4.1 Relay Access Denied, or in some cases a 554 5.4.6 Hop count exceeded. This issue can be resolved with a few simple PowerShell commands in some cases:
  1. Open a PowerShell Window
  2. Type $cred = Get-Credential
  3. Enter your Office 365 administrator credentials
  4. Type $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
  5. Type $importresults = Import-PSSession $s
  6. You are now connected to Exchange Online, so you can use any Exchange Management Shell cmdlets allowed by Office 365
  7. Type Set-AcceptedDomain -Identity "domainname.com" -OutboundOnly $True
  8. Type Set-AcceptedDomain -Identity "domainname.com" -OutboundOnly $False
After entering these commands it will take about 45 minutes for the changes to replicate throughout FOPE.  These commands will not work in all cases, so if mail flow issues are not resolved after 45 minutes then the tenant administrator will need to contact Office 365 support to have the old BPOS duplicate domain removed.  After support removes the old duplicate the administrator may need to run the above PowerShell commands again.
Author

Michael Epping

Systems Engineer