Our dynamic distribution groups had been working for more than a year, until Sep 6th, 2018. We use a custom domain. Internally, we are able to send emails to them. All external email addresses sending to them get a bounced email with this error:
5.4.1 [*** Email address is removed for privacy ***]: Recipient address rejected: Access denied [DM3NAM03FT041.eop-NAM03.prod.protection.outlook.com]
The fact that it doesn't show up in Message Trace just makes it harder to troubleshoot. These are distribution lists that were working for a long time, and we didn't make any changes to them. They were created in the Office 365 cloud. They don't show up in the Office 365 Admin Center's Group Panel. What shows up there are Office 365 groups and regular distribution groups only. I contacted Office 365 tech support, and after extensive troubleshooting steps, I was asked to change all domains in the Accepted Domains from Authoritative to Internal Relay, and the email started flowing. I was sent this article (https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-directory-based-edge-blocking) about Directory Based Edge Blocking. My question is: these are Office 365 cloud-based dynamic distribution groups, so why is it not able to recognize these dynamic distribution groups?
I found the following question someone else posted two years ago, but it has no answer on it.
Is changing the accepted domain from Authoritative to Internal Relay the right thing to do? What changed on Sep 6th, 2018?