Use Directory-Based Edge Blocking to reject messages sent to invalid recipients in Exchange Online

Directory-Based Edge Blocking (DBEB) lets you reject messages for invalid recipients at the service network perimeter in Microsoft 365 organizations with Exchange Online mailboxes and in standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes. DBEB lets admins add mail-enabled recipients to Microsoft 365 or Office 365 and block all messages sent to email addresses that aren't present in Microsoft 365 or Office 365.

If a message is sent to a valid email address in Microsoft 365 or Office 365, the message continues through the rest of the service filtering layers: anti-malware, anti-spam, and mail flow rules (also known as transport rules). If the address doesn't exist, the service blocks the message before filtering even occurs, and a non-delivery report (also known as an NDR or bounce message) is returned to the sender. The NDR looks like this: 550 5.4.1 Recipient address rejected: Access denied.

If all recipients for your domain are in Exchange Online, DBEB is already in effect, and you don't need to do anything. If you're migrating from another email system to Exchange Online, you can use the procedure in this topic to enable DBEB for the domain before the migration.

Note

  • In hybrid environments, in order for DBEB to work, the MX record for the domain must point to Microsoft 365 or Office 365 so that email for the domain is routed to Microsoft 365 or Office 365 first.

  • There are additional considerations when using DBEB with mail-enabled public folders. DBEB is not supported for mail-enabled public folders that are hosted in Exchange Online. DBEB is only supported for mail-enabled public folders hosted on-premises. For more information about DBEB and mail-enabled public folders, see Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders.

What do you need to know before you begin?

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

Configure DBEB

This section describes the procedure to configure DBEB for both the New Exchange admin center (EAC) and Classic EAC.

For New EAC

  1. Verify that your accepted domain in Exchange Online is set to Internal relay:

    a. Navigate to Mail flow > Accepted domains. The Accepted domains screen appears.

    b. Select an accepted domain and click it. The accepted domain's details screen appears.

    c. Ensure that the domain type is set to Internal relay. If it's set to Authoritative, change it to Internal relay.

    d. Click Save.

  2. Add users to Microsoft 365 or Office 365. For example:

  3. Set your accepted domain in Exchange Online to Authoritative:

    a. Navigate to Mail flow > Accepted domains. The Accepted domains screen appears.

    b. Select an accepted domain and click it. The accepted domain's details screen appears.

    c. Ensure that the domain type is set to Authoritative. If it's set to Internal relay, change it to Authoritative.

    d. Click Save.

For Classic EAC

  1. Verify that your accepted domain in Exchange Online is set to Internal relay:

    a. Navigate to Mail flow > Accepted domains.

    b. Select an accepted domain and click Edit.

    c. Ensure that the domain type is set to Internal relay. If it's set to Authoritative, change it to Internal relay.

    d. Click Save.

  2. Add users to Microsoft 365 or Office 365. For example:

  3. Set your accepted domain in Exchange Online to Authoritative:

    a. Navigate to Mail flow > Accepted domains.

    b. Select an accepted domain and click Edit.

    c. Set the domain type to Authoritative.

    d. Click Save.

  4. Choose Save to save your changes, and confirm that you want to enable DBEB.

Note

  • Dynamic distribution groups do not sync to Azure AD and are therefore blocked by DBEB. As a workaround in hybrid environments, you can create a mail contact with the same external email address of the blocked dynamic distribution group. In cloud-only environments, this workaround will not work. To use dynamic distribution groups that receive email from external senders in cloud-only environments, you need to disable DBEB (change the domain from Authoritative to Internal relay).

  • Until all of your valid recipients have been added to Exchange Online and replicated through the system, you should leave the accepted domain configured as Internal relay. Once the domain type has been changed to Authoritative, DBEB is designed to allow any SMTP address that has been added to the service (except for mail-enabled public folders). There might be infrequent instances where recipient addresses that do not exist in your Microsoft 365 or Office 365 organization are allowed to relay through the service.