This article covers the recent changes that affect forwards and cause the "Relay access denied" error.

Problem
You are getting "Relay access denied" errors with external forwards or distribution groups with external members.

Microsoft made a change towards the back end of 2023 which is now affecting users utilising forwards through ProofPoint. 


Originally, when O365 forwarded a message, the sender was the original recipient. Since recipient.com is on ProofPoint, they were authorized to send out emails. However, with these new changes, when O365 forwards a message, it keeps the original sender and tries to relay to ProofPoint. In most cases the original sender is not on ProofPoint, which causes the bounces/"Relay access denied" error.


Solution

In these cases, you need to bypass ProofPoint altogether using a bypass connector and rule.

Connector:

1 - Create a new connector in Exchange Admin Center under Mail Flow > Connectors

2 - From O365 > Partner Organisation

3 - Name "ProofPoint Forward Bypass" 

4 - Use of connector - "Only when I have a transport rule set up that redirects messages to this connector"

5 - Routing - Use the MX record associated with the partner's domain

6 - Validate the connector using any internal address (this may fail), then proceed to the next steps


Rule:
1 - Create a new rule in EAC under Mail Flow > Rules
2 - Name the rule "ProofPoint Forward Bypass Rule"
3 - Rule Logic: 
Apply this rule if > the sender > is internal/external > NotInOrganization
and 
Apply this rule if > the recipient > is internal/external > NotInOrganization
Do the following:
Redirect the message to > the following connector > the connector you just created.
4 - In the rule settings, select "Stop processing more rules" and save the rule.

*With this bypass in place, outbound mail from forwarded messages will not be filtered by ProofPoint. It can also cause SPF, DKIM and DMARC to fail for the original sender; this is beyond your control.
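
The connector and rule steps above can also be applied from Exchange Online PowerShell and then read back to confirm the scope. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account can manage connectors and transport rules.

```powershell
# Added example: scripted equivalent of the EAC steps in this article.
# Assumption: ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$connectorName = 'ProofPoint Forward Bypass'
$ruleName      = 'ProofPoint Forward Bypass Rule'

# Connector steps 1-5: O365 > Partner Organisation, used only when a
# transport rule redirects to it, delivering via the partner domain's MX.
if (-not (Get-OutboundConnector | Where-Object Name -eq $connectorName)) {
    New-OutboundConnector -Name $connectorName `
        -ConnectorType Partner `
        -IsTransportRuleScoped $true `
        -UseMXRecord $true `
        -Enabled $true | Out-Null
}

# Rule steps 1-4: sender AND recipient both outside the organization,
# redirect to the bypass connector, stop processing more rules.
if (-not (Get-TransportRule | Where-Object Name -eq $ruleName)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SentToScope NotInOrganization `
        -RouteMessageOutboundConnector $connectorName `
        -StopRuleProcessing $true | Out-Null
}

# Read both objects back. The connector must stay transport-rule scoped so
# that only mail matched by the rule skips ProofPoint filtering.
Get-OutboundConnector | Where-Object Name -eq $connectorName |
    Format-List Name, ConnectorType, IsTransportRuleScoped, UseMXRecord, Enabled

Get-TransportRule | Where-Object Name -eq $ruleName |
    Format-List Name, State, Priority, FromScope, SentToScope,
                RouteMessageOutboundConnector, StopRuleProcessing
```

Because "Stop processing more rules" is set, check the Priority value in the output against your other transport rules so the bypass rule does not pre-empt rules you still want applied to this mail.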