Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

"Relay Access Denied" or "Hop Count Exceeded" non-delivery report (NDR) error message when users send mail to Office 365 users


View products that this article applies to.

Symptoms

When an external sender tries to send an email message to a Microsoft Office 365 user, the external user receives a non-delivery report (NDR) that resembles the following:
<Domain_URL> #5.7.1 smtp;554 5.71 <client_email_address>: Relay access denied

When an Office 365 user tries to send an email message, the Office 365 user receives an NDR that resembles the following:
<Domain_URL> <# <Domain_URL> #5.4.6 smtp;554 5.4.6 Hop count exceeded - possible mail loop> #SMTP#


↑ Back to the top


Cause

This issue may occur if one of the following conditions is true:
  • The domain is not added as an accepted domain (that is, the domain is not verified) in Office 365.
  • Domain propagation to the Microsoft Forefront Online Protection for Exchange (FOPE) Edge Transport servers requires up to 45 minutes after an Office 365-accepted domain is added, moved, or deleted in FOPE. Or, the domain is propagated, but it is configured as outbound-only.
  • In FOPE, the Exchange on-premises organization is not defined as being enabled to relay email messages.
  • Mail delivery settings in the FOPE Administration Center are not set correctly for the expected email flow.


↑ Back to the top


Resolution

To resolve this issue, use one of the methods in the following table, as appropriate for your situation.

CauseResolution
The domain is not added as an accepted domain (that is, the domain is not verified) in Office 365.Make sure that the domain has a status of "Verified" in the Office 365 domains section.

For more information about how to add and verify domains in Office 365, go to the following Microsoft website:
For more information about how to troubleshoot adding and verifying domains in Office 365, click the following article number to view the article in the Microsoft Knowledge Base:
2515404 Troubleshoot domain verification issues in Office 365
Domain propagation to the FOPE Edge Transport servers requires up to 45 minutes after an Office 365 accepted domain is added, moved, or deleted in FOPE. Or, the domain is propagated but is configured as outbound-only.Populate your domain in FOPE. To do this, use the following Windows PowerShell commands to force FOPE to recognize your Office 365 domain. This creates the necessary records.
Set-AcceptedDomain <domain> -OutboundOnly $true
Set-AcceptedDomain <domain> -OutboundOnly $false

Note The placeholder <domain> represents the vanity domain that you want to use.

It will take 30 to 45 minutes for propagation to all edge servers. During this time, you may receive an NDR message that states that the hop count is exceeded.
Hybrid coexistence scenarios only: In FOPE, the on-premises Exchange organization is not defined as being enabled to relay email messages.In the FOPE Administration Center, add the IP address of the on-premises server or servers to the IP addresses list on the outgoing (also known as "outbound") mail server. To do this, follow these steps:
  1. In the FOPE Administration Center, click Administration, click Domains, and then click the domain that is experiencing the issue.
  2. Under Outbound Mail Server IP Addresses, click Add, and then enter the IP address of the on-premises server or servers.
  3. Click Save.
It will take 30 to 45 minutes for propagation to all edge servers. During this time, you may receive an NDR message that states that the hop count was exceeded.
Mail delivery settings in the FOPE Administration Center are not set correctly for the expected email flow.If FOPE delivers mail directly to Exchange Online for the domain, make sure that the FOPE admin mail delivery settings are or the mail server address is set to Using inbound multi-SMTP profile: inboundsmtpprofile. If FOPE delivers mail to the on-premises Exchange organization, verify that the on-premises IP address is set as the address for delivery.


For more information about how to use the Set-AcceptedDomain cmdlet, go to the following Microsoft TechNet website:

↑ Back to the top


Keywords: KB2603474, o365m, o365a, o365p, o365062011, o365e, o365

↑ Back to the top

Article Info
Article ID : 2603474
Revision : 12
Created on : 10/10/2013
Published on : 10/10/2013
Exists online : False
Views : 587