office365-salesforce

Salesforce Email relay with Office 365 Issue

I came across an issue while working with one of my clients. This client uses Salesforce for mass mailing, and since they are on Office 365, emails are relayed through Office 365.

Recently they noticed that emails from Salesforce destined for the Internet were not being delivered, while the same mail for their own users was delivered.

Troubleshooting

  • The following error was generated on Office 365: “Relay Access Denied ATTR36”
  • Salesforce sends and relays emails using their corporate email address.
  • A “Partner Connector” using port 25 with TLS and Salesforce IPs was configured to allow relay of mail from Salesforce to Office 365.
  • Salesforce MTA IPs were added to the allow relay list on the partner connector.

After some research on the Internet, it turns out this is a known issue documented by Salesforce (Knowledge Article Number: 000337644), and other people using Salesforce and Office 365 are experiencing the same issue.

Issue

Office 365 attributes each inbound message to a specific Office 365 tenant based on the IP on the message and the IP in the partner connector. Since Salesforce is a SaaS offering and does not provide dedicated IPs, all messages sent by Salesforce use the same range of IPs, which is added to tenants across all their customers. Therefore, when Office 365 receives a message from Salesforce, it treats it as a normal inbound message, which is why internal users are able to receive it. Because it is unable to attribute the message to a specific tenant, it is unable to apply the correct relay rules for the message to relay externally.
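The attribution problem described above can be sketched as a small model. This is an added example, not Microsoft's or Salesforce's code: it is a simplified model of the behaviour this post describes, and the tenant names, domains, IP ranges and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: two tenants list the same shared SaaS sender range
# in their connectors, a third has a dedicated sender IP. All hypothetical.
CONNECTORS = {
    "tenant-a": {"sender_ips": ["192.0.2.0/24"], "domains": {"a.example"}},
    "tenant-b": {"sender_ips": ["192.0.2.0/24"], "domains": {"b.example"}},
    "tenant-c": {"sender_ips": ["198.51.100.7/32"], "domains": {"c.example"}},
}

def attribute(source_ip):
    """Return the one tenant whose connector covers source_ip, else None."""
    ip = ipaddress.ip_address(source_ip)
    owners = [
        tenant for tenant, conn in CONNECTORS.items()
        if any(ip in ipaddress.ip_network(net) for net in conn["sender_ips"])
    ]
    # A shared range matches several tenants, so the sender IP alone cannot
    # identify which tenant's relay rules apply.
    return owners[0] if len(owners) == 1 else None

def hosted_by(domain):
    """Return the tenant that hosts the recipient domain, else None."""
    for tenant, conn in CONNECTORS.items():
        if domain in conn["domains"]:
            return tenant
    return None

def decide(source_ip, recipient):
    """Model the outcome for one recipient of a message from source_ip."""
    domain = recipient.rsplit("@", 1)[1].lower()
    if hosted_by(domain) is not None:
        return "deliver"  # normal inbound mail to a hosted mailbox
    if attribute(source_ip) is not None:
        return "relay"    # attributed to a tenant, relay rules apply
    return "reject: Relay Access Denied"

if __name__ == "__main__":
    for ip, rcpt in [
        ("192.0.2.10", "user@a.example"),           # internal user
        ("192.0.2.10", "someone@external.example"),  # Internet recipient
        ("198.51.100.7", "someone@external.example"),
    ]:
        print(ip, rcpt, "->", decide(ip, rcpt))
```

In this model the shared range is why the same message reaches internal users but fails for Internet recipients, while a sender IP that appears in only one tenant's connector relays normally.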

Workaround

In its knowledge article, Salesforce recommends that customers set up an SMTP relay on IIS as a workaround.

Sources, Additional Reading