Damian Gardner
asked on
Office 365 / Exchange Online is rejecting our new, secondary alias domain we've added for our European division in France
Office 365 / Exchange Online is rejecting our new, secondary alias domain we've added for our European division in France. We've brought our French counterparts onboard our primary domain in Office 365 - but they need their old domain they have had to still continue to accept emails to their new accounts. So our main account is COMPANY.COM, and we've added EU.COMPANY.COM as an "accepted domain" in our Office 365 tenant "domains" setup screen. The domain passed the required DNS health checks, with 1 exception - Office 365 says "eu-company-com.mail.protection.outlook.com" should be the MX record, but all our email must go through our 3rd-party Mimecast spam filter first, before reaching our Exchange Online. So I changed the MX record AFTER setting it up in the tenant account - and email IS routing thru our Mimecast filter as expected, and then being sent to Exchange Online. But once it reaches there, it is rejected with the following:
This is a delivery failure notification message indicating that an email you addressed to email address :
-- omagnin@eu.company.com
could not be delivered. The problem appears to be :
-- Recipient email server rejected the message
Additional information follows :
-- 5.4.14 Hop count exceeded - possible mail loop ATTR34 [SN1NAM02FT033.eop-nam02.prod.protection.outlook.com]
This condition occurred after 1 attempt(s) to deliver over a period of 0 hour(s).
If you sent the email to multiple recipients, you will receive one of these messages for each one which failed delivery, otherwise they have been sent.
Not sure what the issue is now. Any help is much appreciated in resolving this before Monday.
Thank you,
Damian
Yes, I do believe that is one of your issues... set it as an internal relay.
ASKER
Very good - let me do that and see what happens. Thanks, and I'll revert back soon.
ASKER
Ok - so I'm having trouble with how to specify the "scenario" for the O365 connector - I basically want email coming IN to our alias domain to be delivered to one of our mailboxes on our Exchange Online - no different from our primary domain addresses, except that it's a secondary alias domain we also accept inbound. So -
1st question in the connector is who is the FROM and who is the TO:
Choices: A) Office 365, B) your org's email server, C) partner org, D) Internet
Would this be "Office 365 to Partner"?
If so, it asks:
How do you want to route email messages?
Specify one or more smart hosts to which Office 365 will deliver email messages. A smart host is an alternative server and can be identified by using a fully qualified domain name (FQDN) or an IP address.
- Use the MX record associated with the partner's domain (Select to send messages to the MX record destination for the targeted recipients.)
- Route email through these smart hosts
Is it "Use MX record associated..."?
Then it asks about TLS - should I restrict to "only TLS"?
Here's the summary of this - your thoughts?
New connector: Confirm your settings
Before we validate this connector for you, make sure these are the settings you want to configure.
Mail flow scenario
From: Office 365
To: Partner organization
Name: France Connector
Description: France for eu.laco.com
Status: Turn it on after saving
When to use the connector: Use only for email sent to these domains: eu.laco.com
Routing method: Use the MX record associated with the partner's domain.
Security restrictions: None
Thanks Fox
ASKER
I tested that previous one I described, and it failed. So I changed it to this - maybe this is now correct? (I'm testing it now):
Mimecast to O365
Mail flow scenario
From: Partner organization
To: Office 365
Description: None
Status: On
How to identify your partner organization: Identify the partner organization by verifying that messages are coming from these domains: *
Security restrictions:
Reject messages if they aren't encrypted using Transport Layer Security (TLS).
Reject messages if they don't come from within these IP address ranges: 63.128.21.0/24,216.205.24.0/24,205.139.111.0/24,205.139.110.0/24,207.211.30.0/24,207.211.31.0/25
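Added example, not part of the original thread: a small check a mail admin could run over the headers of a bounced message to see the two things the 5.4.14 bounce and this connector depend on, namely how many times each host accepted the message and whether each hop into the tenant came from an address inside the connector's IP ranges. The ranges are copied from the connector summary above; the host names filter.example.net and eop.example.com and every address in the sample trace are constructed for illustration.

```python
import email
import ipaddress
import re
from collections import Counter

# Ranges copied from the "Mimecast to O365" connector summary in the post above.
ALLOWED = [ipaddress.ip_network(n) for n in (
    "63.128.21.0/24", "216.205.24.0/24", "205.139.111.0/24",
    "205.139.110.0/24", "207.211.30.0/24", "207.211.31.0/25")]

# Constructed trace (hypothetical hosts, made-up addresses), newest header first:
# the message bounces between the filter and the tenant instead of being delivered.
SAMPLE = """\
Received: from filter.example.net (filter.example.net [207.211.30.15])
 by eop.example.com with ESMTPS; Sat, 1 Jan 2022 10:00:03 +0000
Received: from eop.example.com (eop.example.com [203.0.113.9])
 by filter.example.net with ESMTPS; Sat, 1 Jan 2022 10:00:02 +0000
Received: from filter.example.net (filter.example.net [207.211.31.200])
 by eop.example.com with ESMTPS; Sat, 1 Jan 2022 10:00:01 +0000
Received: from sender.example.org (sender.example.org [198.51.100.7])
 by filter.example.net with ESMTP; Sat, 1 Jan 2022 10:00:00 +0000
"""

# from <host> ... [<ip>] ... by <host>, tolerant of folded header lines.
HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)", re.S)

def hops(raw):
    """Return (from_host, source_ip, by_host) per Received header, oldest first."""
    msg = email.message_from_string(raw)
    found = [HOP.search(h) for h in msg.get_all("Received", [])]
    return [m.groups() for m in reversed(found) if m]

def loop_hosts(raw):
    """Hosts that accepted the same message more than once (a routing loop)."""
    seen = Counter(by.lower() for _, _, by in hops(raw))
    return sorted(h for h, n in seen.items() if n > 1)

def outside_allow_list(raw, receiver):
    """Hops into `receiver` whose source IP is not in the connector's ranges."""
    return [(src, ip) for src, ip, by in hops(raw)
            if by.lower() == receiver
            and not any(ipaddress.ip_address(ip) in net for net in ALLOWED)]

if __name__ == "__main__":
    for hop in hops(SAMPLE):
        print(hop)
    print("loop:", loop_hosts(SAMPLE))
    print("blocked:", outside_allow_list(SAMPLE, "eop.example.com"))
```

In the constructed trace both hosts accept the message twice, and the hop from 207.211.31.200 is flagged because 207.211.31.0/25 covers only .0 through .127.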
ASKER
And it failed. I don't know why this is so difficult to grasp.
Your scenario doesn't sound uncommon at all - in fact it is very similar to a merger/acquisition scenario where the acquired organization wants to keep their legacy addresses as aliases in Exchange Online.
From what I've read, mailboxes for your French division are already in your O365, correct? And you have set them up to have aliases of @eu.company.com?
Here is what I've done before for similar (acquisition) scenarios:
- Added the new domain @eu.company.com into O365 domains and kept it as an authoritative domain. You only need to change it to internal relay IF you still have mailboxes for these users using the same domain in a different email environment (i.e. a different Exchange organization or even a different O365 tenant).
- The MX record does need to be as you mentioned ("eu-company-com.mail.protection.outlook.com") if mail is coming straight into O365.
Since you have email going to Mimecast first, your MX record should point to Mimecast. The question is - from Mimecast, where are you pointing the email to be routed to for this domain? I am not familiar with the setup of Mimecast but it should be pointed to go to "eu-company-com.mail.protection.outlook.com" and not "company-com.mail.protection.outlook.com".
What I can suggest to make sure all is working as expected - change the public MX record for this domain to point directly to O365 ("eu-company-com.mail.protection.outlook.com") and see if the email gets delivered. If it does, then it is the way Mimecast is routing the emails that's causing the issue.
ASKER
Thanks for your help guys. It's all working now - turned out to be several problems altogether causing the alias domain to not work, including not having them in our 3rd-party email filter service, and not having the domain added to our Microsoft 365 tenant as an "accepted domain". Thanks for your help and I'll dole out the points.
ASKER
thanks for your help