Reminder – Upcoming Change in Office 365 EOP Connectors

There is an upcoming planned change in Office 365 to restrict relaying email messages in certain scenarios.  This change has been scheduled many, many months in advance.


This post is just a reminder to raise awareness and to hopefully ensure that everyone who needs to update their Exchange Online Protection (EOP) connectors has done so.


For all the details please refer to these two resources:

Important notice for Office 365 email customers who have configured connectors

KB 3169958


From the KB:

Starting on February 1, 2017, by default, Microsoft Office 365 will no longer support relaying email messages in the following scenarios:

  • Your organization has to send non-delivery reports (NDRs) from the on-premises environment to a recipient on the Internet, and it has to relay the messages through Office 365. For example, somebody sends an email message to john@contoso.com, a user who used to exist in your organization's on-premises environment. This causes an NDR to be sent to the original sender.
  • Your organization has to send messages from the email server in your on-premises environment from domains that your organization hasn't added to Office 365. For example, your organization (Contoso.com) sends email as the fabrikam.com domain, which doesn’t belong to your organization.
  • A forwarding rule is configured on your on-premises server and messages are relayed through Office 365.
    For example, Contoso.com is your organization’s domain. A user on your organization’s on-premises server, kate@contoso.com, enables forwarding for all her messages to kate@tailspintoys.com. When john@fabrikam.com sends a message to kate@contoso.com, the message is automatically forwarded to kate@tailspintoys.com.
    From the point of view of Office 365, the message is sent from john@fabrikam.com to kate@tailspintoys.com. Because Kate’s mail is forwarded, neither the sender domain nor the recipient domain belongs to your organization.

Additionally, your message transfer agent (MTA) will receive a rejection with the following message:

550 5.7.64 Relay Access Denied ATTR36. For more details please refer to: https://support.microsoft.com/kb/3169958.

If any of these scenarios apply to you, follow the steps in the Resolution section in KB 3169958.
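As an added example (not from the KB or the original post), the following Python sketch triages an on-premises send log for the `550 5.7.64 ... ATTR36` rejection quoted above and groups the hits by the scenario they match. The `from=<...> to=<...> reply="..."` log format, the sample lines and `ORG_DOMAINS` are constructed assumptions, so adapt the regex to your MTA's actual log. It relies on the SMTP convention that NDRs carry the null sender `<>`.

```python
import re
from collections import Counter

ORG_DOMAINS = {"contoso.com"}  # assumption: the domains you have added to Office 365

# Constructed sample in a hypothetical log format (not real Exchange output).
SAMPLE_LOG = """\
2017-02-01T09:00:01 from=<> to=<alice@fabrikam.com> reply="550 5.7.64 Relay Access Denied ATTR36"
2017-02-01T09:00:05 from=<news@fabrikam.com> to=<bob@tailspintoys.com> reply="550 5.7.64 Relay Access Denied ATTR36"
2017-02-01T09:00:09 from=<john@fabrikam.com> to=<kate@tailspintoys.com> reply="550 5.7.64 Relay Access Denied ATTR36"
2017-02-01T09:00:12 from=<kate@contoso.com> to=<bob@tailspintoys.com> reply="250 2.6.0 Queued mail for delivery"
2017-02-01T09:00:15 from=<bob@tailspintoys.com> to=<kate@contoso.com> reply="550 5.1.1 User unknown"
"""

LINE_RE = re.compile(
    r'from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> reply="(?P<reply>[^"]*)"')

def domain_of(address):
    """Return the lower-cased domain of an address ('' for the null sender)."""
    return address.rpartition("@")[2].lower()

def classify(sender, rcpt, org_domains=ORG_DOMAINS):
    """Map one rejected envelope onto the relay scenarios quoted from the KB."""
    if domain_of(rcpt) in org_domains:
        return "recipient-is-ours"       # not a relay to the Internet
    if sender == "":
        return "ndr-to-internet"         # scenario 1: NDR relayed outward
    if domain_of(sender) not in org_domains:
        # Scenarios 2 and 3 look identical in the envelope: send-as or forwarding.
        return "foreign-sender-domain"
    return "check-connector"             # sender is ours; review the connector setup

def relay_rejections(log_text):
    """Yield (sender, rcpt) for each line rejected with 550 5.7.64 ... ATTR36."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["reply"].startswith("550 5.7.64") and "ATTR36" in m["reply"]:
            yield m["sender"], m["rcpt"]

def summarize(log_text, org_domains=ORG_DOMAINS):
    """Count rejections per (scenario, sender domain) so the main sources stand out."""
    counts = Counter()
    for sender, rcpt in relay_rejections(log_text):
        counts[(classify(sender, rcpt, org_domains), domain_of(sender) or "<>")] += 1
    return counts

if __name__ == "__main__":
    for (scenario, dom), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {scenario:22s} {dom}")
```

Sender domains that show up under `foreign-sender-domain` are the ones to review against the Resolution section of KB 3169958.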

Update 30-1-2017: This will kick in later this calendar year. Please see this post for details.



Rhoderick Milne [MSFT]
