As part of the hybrid deployment testing at a customer site, emails that were sent from an on-premise mailbox to an Office 365 user was always failing and the NDR was very clear as well. The Exchange Online Protection was blocking emails from the customer's outgoing public IP address.
Below was the main error that was mentioned in the NDR by EOP.
550 5.7.606-649 Access denied, banned sending IP [IP address]; To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526653.
The issue is that the public IP address that is being used to send emails from on-premise Exchange to Office 365 (via EOP) is being blacklisted by Microsoft. The good thing is that Microsoft provides an easy way for submitting a request to get your IP address de-listed from the blacklist.
There are three steps to follow to delist your ip address.
- Enter a valid email address for your organization (yours) and the IP address in question in O365 Anti-Spam IP Delist Portal.
- Microsoft will send a verification email to your mailbox. Click on the link in the email to verify email address.
- A new webpage will open up confirming the email and providing an option to de-list the IP address mentioned in step one.
- It takes anywhere from 24 hours to couple of days for the whole process to be wrapped up.
Navigate to https://sender.office.com
Punch in your email address and the IP address to be de-listed, fill out the captcha and click Submit.
Click the link in the email that Microsoft sends to confirm your email address.
The link will open up the same page as before, but you will be given the option to de-list your IP address.
Wait for Microsoft to action your request and your emails will be accepted by Exchange Online Protection.
It is a good idea to check your public IP addresses in the initial phase of the Office 365 project to avoid any surprises in PoC or after user migrations!