We're experiencing an issue where some users in our organization receive a "550 5.7.520 Access denied, Your organization does not allow external forwarding" error when trying to email a customer from another organization. Based on the NDR, it seems like the issue arises because the recipient's mailbox may have a forwarding rule that fails due to restrictions on external forwarding. I'm trying to understand why we receive this error message as the sender. Can anyone shed some light on this?
4 Answers
I personally block all external forwarding in our tenants, and I think Microsoft enforces that by default too. If you need to allow forwarding to an external address, you usually have to set that up specifically. This might have changed recently, but there was a time when external forwarding was blocked by default.
It sounds like there might be a compromised mailbox involved. If the recipient has a forwarding rule set up that directs emails outside their organization, and their organization has restrictions in place, that's likely causing the issue. Maybe check if there’s any unusual activity in their account?
You might need more troubleshooting to see what works and doesn’t for the users affected. Identifying patterns with users who get this error could provide some insights.
I've seen this happen especially when dealing with Google Work domains. Once, I had to tweak my SPF record to make sure Google’s mail proxy could forward emails from my domain without issues.

Which mailbox do you think might be compromised? I checked our end for any forwarding rules, but everything seems fine. I'm just puzzled as to why we're getting the NDR.
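To see from the NDR itself whether a forwarding hop on the recipient's side is involved, the machine-readable delivery-status part (RFC 3464) can be read directly. This is an added example, not part of any post in this thread: the sample NDR, its hosts and addresses are constructed, `summarize_ndr` is a hypothetical helper name, and it assumes the NDR carries both `Original-Recipient` and `Final-Recipient` fields, which not every system includes.

```python
from email import message_from_string

# Constructed sample NDR (RFC 3464 layout); every host and address is a placeholder.
SAMPLE_NDR = """\
From: postmaster@customer.example
To: alice@ourcompany.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery has failed to these recipients.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns;mx1.customer.example

Original-Recipient: rfc822;bob@customer.example
Final-Recipient: rfc822;bob.personal@webmail.example
Action: failed
Status: 5.7.520
Diagnostic-Code: smtp;550 5.7.520 Access denied, Your organization does not allow external forwarding

--b1--
"""

def addr(value):
    # DSN fields look like "rfc822;user@host" or "dns;host": keep the part after the type tag.
    return value.split(";", 1)[-1].strip().lower() if value else None

def summarize_ndr(raw):
    """Return one dict per failed recipient found in the delivery-status part."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()  # header blocks: per-message first, then per-recipient
        reporting = next((addr(b["Reporting-MTA"]) for b in blocks if b["Reporting-MTA"]), None)
        for rcpt in (b for b in blocks if b["Final-Recipient"]):
            orig, final = addr(rcpt["Original-Recipient"]), addr(rcpt["Final-Recipient"])
            forwarded = bool(orig and final and orig != final)
            findings.append({
                "reporting_mta": reporting,  # host that generated the report
                "original_recipient": orig, "final_recipient": final,
                "forwarded": forwarded,      # the address we sent to is not where delivery failed
                "forward_is_external": forwarded and orig.split("@")[-1] != final.split("@")[-1],
                "status": rcpt["Status"], "diagnostic": rcpt["Diagnostic-Code"],
            })
    return findings
```

When `forwarded` is true, the rejected hop is the recipient's forward rather than the original send, and the report comes back to the original sender because that is still the address the message was sent from.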