Recipient rejects mail from Exchange Online or Exchange Online Protection and host name does not match IP address error
Original KB number: 3019655
Symptoms
When users try to send mail from Microsoft Exchange Online or Microsoft Exchange Online Protection to an external recipient, the destination message transfer agent (MTA) rejects the message. The error message that users receive may vary. Typically, it states that the source server's host name does not match its IP address.
Cause
The recipient server requires that the server name that's contained in the message HELO string have a corresponding pointer (PTR) resource record (reverse IP lookup). Exchange Online and Exchange Online Protection use multiple IP addresses to send mail. Because of DNS limitations, all these IP addresses can't be mapped through the PTR record to the server name that's in the message HELO string.
Resolution
The method in which Exchange Online and Exchange Online Protection send email by using multiple IP addresses is typical for most large mail systems and is by design. Contact the recipient system administrator for help.
More information
In Exchange Online and Exchange Online Protection, outgoing email settings use specific patterns. It's important to be aware of these patterns if your recipient servers use PTR record lookups for validation. This is because they explain why messages that are sent from the service might be rejected. The patterns are as follows:
The sending IP addresses that are used by Exchange Online and Exchange Online Protection have forward-confirmed reverse DNS records. This means that each sending IP address has both a forward (name-to-IP address) and a reverse (address-to-name) DNS record that contains matching information. For example:
Outbound IP address: 157.56.110.65 PTR record: 157.56.110.65 = mail-bn1on0065.outbound.protection.outlook.com A-record : mail-bn1on0065.outbound.protection.outlook.com = 157.56.110.65The HELO/EHLO strings that are used to identify the mail servers that are used by the service also contain
outbound.protection.outlook.com. For example:
na01-bn1-obe.outbound.protection.outlook.comAll these HELO/EHLO strings have A records that contain some outgoing IP addresses that correspond to the sending mail servers. (However, the A records do not contain all these outgoing IP addresses.) For example:
HELO na01-bn1-obe.outbound.protection.outlook.comA record:
na01-bn1-obe.outbound.protection.outlook.com:207.46.163.150
207.46.163.151
207.46.163.152
207.46.163.153
207.46.163.154
207.46.163.155
207.46.163.156
207.46.163.157
207.46.163.158
207.46.163.149The PTR records of the IP addresses in the A record of the EHLO/HELO string will not match the HELO/EHLO string of the sending mail server. For example:
PTR record: 207.46.163.150:mail-bn1lp0150.outbound.protection.outlook.comNotice that
mail-bn1lp0150.outbound.protection.outlook.comdoes not matchna01-bn1-obe.outbound.protection.outlook.com.
Still need help? Go to Microsoft Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for