Use Directory Based Edge Blocking to reject messages sent to invalid recipients

Directory Based Edge Blocking (DBEB) in Exchange Online and Exchange Online Protection (EOP) lets you reject messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to Office 365 and block all messages sent to email addresses that aren't present in Office 365.

If a message is sent to a valid email address in Office 365, the message continues through the rest of the service filtering layers: antimalware, antispam, and mail flow rules (also known as transport rules). If the address isn't, the service blocks the message before filtering even occurs, and a non-delivery report (also known as an NDR or bounce message) is returned to the sender. The NDR looks like this: 550 5.4.1 Recipient address rejected: Access denied.

If all recipients for your domain are in Exchange Online, DBEB is already in effect, and you don't need to do anything. If you're migrating from another email system to Exchange Online, you can use the procedure in this topic to enable DBEB for the domain before the migration.


  • In hybrid environments, in order for DBEB to work, the MX record for the domain must point to Office 365 so that email for the domain is routed to Office 365 first.

  • There are additional considerations when using DBEB with mail-enabled public folders. DBEB is not supported for mail-enabled public folders hosted in Exchange Online. DBEB is only supported for mail-enabled public folders hosted on-premises. For more information about DBEB and mail-enabled public folders, see Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders.

What do you need to know before you begin?


Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

Configure DBEB

  1. Verify that your accepted domain in Exchange Online is set to Internal relay:

    1. In the EAC, go to Mail flow > Accepted domains.

    2. Select the domain and click Edit.

    3. Ensure that the domain type is set to Internal relay. If it's set to Authoritative, change it to Internal relay and click Save.

  2. Add users to Office 365. For example:

  3. Set your accepted domain in Exchange Online to Authoritative:

    1. In the EAC, go to Mail flow > Accepted domains.

    2. Select the domain and click Edit.

    3. Set the domain type to Authoritative.

  4. Choose Save to save your changes, and confirm that you want to enable DBEB.


  • In hybrid environments, dynamic distribution groups do not sync to AAD and are therefore blocked by DBEB. As a work around, you can create a mail contact with the same external email address of the blocked dynamic distribution group.

  • Until all of your valid recipients have been added to Exchange Online and replicated through the system, you should leave the accepted domain configured as Internal relay. Once the domain type has been changed to Authoritative, DBEB is designed to allow any SMTP address that has been added to the service (except for mail-enabled public folders). There might be infrequent instances where recipient addresses that do not exist in your Microsoft 365 or Office 365 organization are allowed to relay through the service.