Recipient address rejected: Access denied - when external user sending to dynamic distribution group

Our dynamic distribution groups had been working for more than a year, until Sep 6th, 2018. We used a custom domain. Internally, we are able to send emails to it. All external email addresses sending to it will get a bounced email with this error.

5.4.1 [*** Email address is removed for privacy ***]: Recipient address rejected: Access denied []

The fact that it doesn't show up in Message Trace just makes it harder to troubleshoot. These are the distribution lists that were working for a long time, and we didn't make any change to it. They were created in Office 365 cloud. In Office 365 Admin Center's Group Panel, these don't show up there. What is showing up there are Office 365 group and regular distribution groups only. Contacted Office 365 tech support and after extensive troubleshooting steps, I was asked to change all domain in the Accepted Domain from Authoritative to Internal Relay, and the email started flowing. I was sent with this article ( about Directory BasedEdge Blocking. My question is these are Office 365 cloud based dynamic distribution groups, why it is not able to recognize these dynamic distribution groups?

I found the following question someone else posted two years ago, but it has no answer on it.

Is changing the accepted domain from Authoritative to Internal Relay the right way to do? What changed on Sep 6th, 2018?



Hi Byron,

Yes, please change it to verify the result.

Please use the Exchange Admin Center to manage these dynamic distribution groups:

1. In the EAC, navigate to Recipients > Groups, find the Dynamic distribution group you want to edit, and then double click it.

2. Choose delivery management, check if Senders inside and outside of my organization has been selected as below:

3. Then go to message approval, check if the Message sent to this group have to be approved by moderator checkbox has been ticked. 

4. You can run the PowerShell script and share the snapshot of it with us.

Please replace the ddgname to the correct name of the DDG.

If all the settings shows good and the accepted domain has been changed to Internal Relay but the issue persists, please provide the complete Non-delivery Report for analysis. I've sent a private message to you and you can click the link below to share the NDR with me.



1 person was helped by this reply


Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.


Question Info

Last updated September 8, 2020 Views 10,330 Applies to: