So I have some user who is apparently tying to forward emails sent to him to an outside account.. I have confronted both of my domain users that have a matching address prefix. They both deny and say they've never seen that domain in this email address before.
It mainly occurs when HR send out emails to the masses (company-wide DL), so of course they're griping about it now. I need to find and stop it. Any pro tips?