Proofpoint, Inc.

Sending to Distribution Groups With External Domain Recipients, Out of Offices, or Auto-Forwards

Situation: You want to configure Outbound Relay for domains utilizing Distribution Groups sending to external domain recipients but you receive a Relay Access Denied error.

Solution: At this time, this is not a supported configuration. Details below.

Sending to Distribution Groups with external domain recipients, Out of Offices, Auto-Forwards

Proofpoint Essentials is a closed relay system. This means that all mail going through the Essentials platform must have a user associated with the platform, whether that be an End User, alias, or Functional Account. 

An external recipient is an email address that is not part of one of the customer's listed domains. You may also experience bounceback messages containing Relay Access Denied, with the external recipient's address or the original sender listed in the bounceback:

proofpoint@gmail.com
mx1-eu1.ppe-hosted.com #554 5.7.1 <proofpoint@gmail.com>: Relay access denied ##

Mail sent to distribution groups containing external domains, out of offices, and auto-forwards needs to be routed through a different outbound mail route. The Proofpoint Essentials SmartHost will return the Relay Access Denied error because the email message will not be coming from a user associated with the platform, or from your domain. You will need to contact your mail server's routing guide/expert to set this up correctly. We have provided the following instructions on how to set this up for Microsoft 365.

Please note, these steps are within Microsoft 365 and outside of Proofpoint Essentials. Some steps or words may require approximation depending on what version of M365 you are using and any potential UI modifications Microsoft may make to their product.

Create an Outbound Connector That Uses MX Records

  1. Open the Exchange Admin Center (https://admin.exchange.microsoft.com)
  2. Click Mail Flow on the left panel and then click Connectors
  3. Click Add a connector
  4. Under New connector, for Connection from, choose Office 365. For Connection to, choose Partner Organization and then press Next
  5. Fill in the connector name, and add a description (having a description is important if you have multiple connectors). Leave the "Turn it on" box checked and press Next
  6. Under Use of connector, change this to Only when I have a transport rule set up that redirects messages to this connector and press Next
  7. Under Routing, choose Use the MX record associated with the partner's domain and click Next
  8. Under Security restrictions, leave these as default and press Next
  9. Under Validation email, put in an external email (e.g. user@externaldomain.com), click the + button, and press Validate. ***It is OK if the validation fails*** Once it is done validating, whether it passes or fails, click Next. If it failed, you will then click Yes, proceed
  10. A Review connector window will show next. Click Create connector

Create a Mail Flow Rule That Triggers for a Message Type Created by Auto-Forward

  1. Open the Exchange Admin Center (https://admin.exchange.microsoft.com)
  2. Click Mail Flow on the left-hand panel, and then click Rules
  3. Click on Add a rule, and then click Create a new rule
  4. Under Set rule conditions, give the rule a Name. You can also mention Proofpoint in the rule name if that helps
  5. Under Apply this rule if, choose The Sender, then from the Select one dropdown, choose is external/internal
  6. A new pop-up window named select sender location will appear. Select Outside the organization from the dropdown and click Save
  7. Click the blue icon next to the is external/internal box to add a condition
  8. Under the new section that says And, choose the Select one dropdown and choose The Recipient, then from the new Select one dropdown, choose is external/internal
  9. A new pop-up window named select sender location will appear. Select Outside the organization from the dropdown and click Save
  10. Under Do the following, choose Redirect the message to, then choose the following connector
  11. In the select connector pop-up window, choose the connector you just created. In our example, it is the Special Outbound Connector. Click Save
  12. Leave Except if as it is, then click Next
  13. Under Set rule settings, check the box that says Stop processing more rules and leave the rest as default, then click Next
  14. You will now see the Review and finish window. Click Finish

If this rule is not triggering, you may need to restart the Exchange hub transport service, and you may want to change the priority of this rule by moving it up to the highest spot on the Rules page (Priority 0).

Additional help: 

If you are using Microsoft 365, this Microsoft article may assist in creating outbound connectors to change mail routing:

https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner

Rule Setup for Out of Office

  1. Click on Add a rule, and then click Create a new rule
  2. Under Set rule conditions, give the rule a Name. You can mention Out of Office if that helps
  3. Under Apply this rule if, choose The Sender, then from the Select one dropdown, choose is external/internal
  4. A new pop-up window named select sender location will appear. Select Outside the organization from the dropdown and click Save
  5. Click the blue icon next to the is external/internal box to add a condition
  6. Under the new section that says And, choose the Select one dropdown and choose The Recipient, then from the new Select one dropdown, choose is external/internal
  7. A new pop-up window named select sender location will appear. Select Outside the organization from the dropdown and click Save
  8. Click the blue icon next to the is external/internal box to add a condition
  9. Under the new section that says And, choose the Select one dropdown and choose The message properties, then from the new Select one dropdown, choose include the message type
  10. A new pop-up window named select message type will appear. Select Automatic reply and press Save
  11. Under Do the following, choose Redirect the message to, then choose the following connector
  12. In the select connector pop-up window, choose the connector you just created. In our example, it is the Special Outbound Connector. Click Save
  13. Leave Except if as it is, then click Next
  14. Under Set rule settings, check the box that says Stop processing more rules and leave the rest as default, then click Next
  15. You will now see the Review and finish window. Click Finish

If you set up this option, please make sure that you enable DKIM on the domain. Go to Policies & Rules > Threat Policies > Email Authentication settings, choose the domain you are doing this for, and in its settings enable the radio button Sign Messages for this domain with DKIM signatures. As it has been explained to us, M365 signs all mail with DKIM. If this is disabled then this rule will fail.
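
The connector and the two mail flow rules from the steps above, scripted with Exchange Online PowerShell. This is an added example, not part of the original article or Proofpoint's own tooling; it assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session, and the two rule names are hypothetical.

```powershell
# Added example: run inside an existing Connect-ExchangeOnline session.
$ConnectorName = 'Special Outbound Connector'          # name from the article's example
$ForwardRule   = 'Proofpoint - external to external'   # hypothetical rule name
$OofRule       = 'Proofpoint - Out of Office'          # hypothetical rule name

# Connector: Office 365 -> Partner organization, routed by the partner's MX
# record, used only when a transport rule redirects to it. Security
# restrictions are left at their defaults, as in the GUI steps.
if (-not (Get-OutboundConnector | Where-Object Name -eq $ConnectorName)) {
    New-OutboundConnector -Name $ConnectorName `
        -Comment 'MX route for mail the Essentials smart host refuses to relay' `
        -ConnectorType Partner `
        -UseMXRecord $true `
        -IsTransportRuleScoped $true `
        -Enabled $true | Out-Null
}

# Conditions and action shared by both rules: sender and recipient are both
# outside the organization, redirect to the connector, stop processing rules.
$shared = @{
    FromScope                     = 'NotInOrganization'
    SentToScope                   = 'NotInOrganization'
    RouteMessageOutboundConnector = $ConnectorName
    StopRuleProcessing            = $true
}

$existing = (Get-TransportRule).Name
if ($ForwardRule -notin $existing) {
    New-TransportRule -Name $ForwardRule @shared | Out-Null
}
if ($OofRule -notin $existing) {
    # 'OOF' is the message type the GUI lists as "Automatic reply".
    New-TransportRule -Name $OofRule @shared -MessageTypeMatches OOF | Out-Null
}

# Review what was created. Mail matching these rules leaves via MX and does
# not pass through the Essentials smart host, so confirm the scope is no wider
# than the two rules above and check their priority if they are not triggering.
Get-OutboundConnector | Where-Object Name -eq $ConnectorName |
    Format-List Name, Enabled, ConnectorType, UseMXRecord, IsTransportRuleScoped
Get-TransportRule | Where-Object Name -in $ForwardRule, $OofRule |
    Format-Table Priority, Name, State, FromScope, SentToScope, MessageTypeMatches
```

The script is safe to re-run: it skips the connector or a rule when one with the same name already exists.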