PROBLEM:
You are getting relay access denied with external forwards or distribution groups with external members. This can also happen with internal forwards since often O365 will tag them as non-local even though they are internal.
ISSUE:
You have an external forward, either through a contact or a distribution group with members outside the organisation.
The group allows external parties to email it.
Example: let's say you have a distribution group called support@yourdomain.com whose members are people in your organisation plus a person who is on Gmail (let's say, supportdude@gmail.com). If an external sender @hotmail.com emails support@yourdomain.com, everybody in your org will get it, but the email to supportdude@gmail.com will be bounced with "Relay Access Denied".
This happens because what Proofpoint sees is an email from someone@hotmail.com to supportdude@gmail.com. Proofpoint is pretty restrictive and will not relay mail for hotmail.com, which is effectively what you're asking it to do.
So in these cases, you need to bypass Proofpoint altogether using a bypass connector and rule.
IMPORTANT NOTE: Recently Microsoft seems to have made changes to the platform where, for some reason, even if SRS is enabled for your organisation, Microsoft is not rewriting the sender in forwards and is delivering those via their high risk IP range. So there's been an uptick as of December 2023 of clients getting this "Relay Access Denied" message. It's important that you know how to bypass the issue, and you may also want to add this IP range to your SPF record. See article here:
SOLUTION:
The solution for this scenario is:
1- Create a CONNECTOR that sends email directly to the internet
2- Create a RULE that calls the CONNECTOR created above if the condition in the RULE is met
DETAILS:
1- Create a CONNECTOR that sends directly to the Internet
2- Create a RULE that looks for the message header "X-MS-Exchange-Organization-AutoForwarded" containing "TRUE", then calls the CONNECTOR created above
Important:
- Move the RULE to the top of the list
- Caveats: Those emails will not transit through Proofpoint. Also, in many cases this will break SPF/DKIM/DMARC for the original sender, but that's outside of your control.
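
The same two steps can be done from Exchange Online PowerShell. This is an added example, not part of the original article; the connector and rule names are assumptions, and it needs the ExchangeOnlineManagement module with an Exchange admin account.

```powershell
# Added example. $connectorName and $ruleName are assumed names; pick your own.
Connect-ExchangeOnline

$connectorName = 'Bypass Proofpoint - AutoForwarded'
$ruleName      = 'Route auto-forwards direct to Internet'

# 1- CONNECTOR: deliver by the recipient domain's MX record instead of the
#    Proofpoint smart host. IsTransportRuleScoped = $true means the connector
#    is used only when a rule selects it, so normal outbound mail is unaffected.
if (-not (Get-OutboundConnector | Where-Object Name -eq $connectorName)) {
    $connector = @{
        Name                  = $connectorName
        ConnectorType         = 'Partner'
        UseMXRecord           = $true
        IsTransportRuleScoped = $true
    }
    New-OutboundConnector @connector
}

# 2- RULE: match the header Exchange stamps on auto-forwarded mail and route
#    those messages through the connector above.
if (-not (Get-TransportRule | Where-Object Name -eq $ruleName)) {
    $rule = @{
        Name                          = $ruleName
        HeaderContainsMessageHeader   = 'X-MS-Exchange-Organization-AutoForwarded'
        HeaderContainsWords           = 'TRUE'
        RouteMessageOutboundConnector = $connectorName
    }
    New-TransportRule @rule
}

# Move the RULE to the top of the list (priority 0 is evaluated first).
Set-TransportRule -Identity $ruleName -Priority 0

# Check the result: the rule should be first and enabled, and the connector
# should be rule-scoped so it cannot become a general Proofpoint bypass.
Get-TransportRule | Sort-Object Priority |
    Select-Object -First 5 Priority, Name, State
Get-OutboundConnector -Identity $connectorName |
    Format-List Name, Enabled, UseMXRecord, IsTransportRuleScoped
```

Because mail matching this rule skips Proofpoint's outbound filtering, review which mailboxes and groups have auto-forwarding enabled before relying on it.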