When you have configured two Exchange organizations for a shared SMTP namespace you may encounter a problem with non-delivery reports (NDRs) being generated for a domain name that is configured as an Internal Relay.

In the following scenario there are two organizations. Company A is configured with both an Authoritative domain and an Internal Relay domain for Company B.

Your expectation of this configuration is that if Company A receives an email for a recipient in the companyb.com namespace that does not exist in the Company A organization, that the email will be relayed to Company B instead.

NDR 550 5.5.1 User Unknown for Internal Relay Domain

However, under certain conditions you may receive an unexpected NDR instead that contains the error “550 5.1.1 User unknown“.

NDR 550 5.5.1 User Unknown for Internal Relay Domain

The cause of this issue is the Recipient Filtering feature of Exchange’s anti-spam functionality, which is an optional component for Hub Transport servers but is available by default on Edge Transport servers.

NDR 550 5.5.1 User Unknown for Internal Relay Domain

Recipient Filtering will block messages that are addressed to a recipient that does not exist in the organization.

This is undesirable behavior in an Internal Relay scenario because the assumption in that scenario is that the SMTP namespace is shared and therefore many of the recipients will not exist in the first organization that processes the email.

This is normally not a problem though because a domain that is added to the Accepted Domains list as an Internal Relay domain is exempt from recipient filtering. This setting is configured in the AddressBookEnabled attribute of an Accepted Domain.

[PS] C:\>Get-AcceptedDomain | select name,domaintype,addressbookenabled

Name                     DomainType AddressBookEnabled
----                     ---------- ------------------
companya.com          Authoritative               True
companyb.com          InternalRelay              False

However, if a domain is added as Authoritative at first, and then later changed to Internal Relay, the AddressBookEnabled attribute remains set to True, which creates the NDR situation if the recipients have not already been created within the organization (eg as contacts).

[PS] C:\>Set-AcceptedDomain companya.com -DomainType InternalRelay

[PS] C:\>Get-AcceptedDomain | select name,domaintype,addressbookenabled

Name                     DomainType AddressBookEnabled
----                     ---------- ------------------

companya.com          InternalRelay               True
companyb.com          InternalRelay              False

The solution is to use Set-AcceptedDomain to set AddressBookEnabled to False after converting the domain from Authoritative to Internal Relay.

[PS] C:\>Set-AcceptedDomain companya.com -AddressBookEnabled $false

[PS] C:\>Get-AcceptedDomain | select name,domaintype,addressbookenabled

Name                     DomainType AddressBookEnabled
----                     ---------- ------------------
companya.com          InternalRelay              False
companyb.com          InternalRelay              False

When Edge Transport servers are involved this change will take some time to synchronize before it takes full effect.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.


  1. Jesus Marin

    I have the “too many hops” NDR for a few emails , I have a hybrid configuration, the internet inbound and outbound on prem passes thru a smart host, most of the mailboxes are in O365, I have a transport rule to say all that comes to a specific domain goes to a mailbox living in O365, then I created a connector from on prem pointing to a MX record on O365. Any ideas?

  2. Oshada

    Hi Paul
    We r having a same kind of a problem only for a shared mailbox that we we created in Cloud .
    other migrated users from onprem receives mails both cloud and onprem but that shared mailbox only accepting mails form other cloud user . (No external emails and Onprem user emails)

    Onprem connector is sending NDR 550 5.1.1 User unknown (in reply to RCPT TO command)


    1. Avatar photo
      Paul Cunningham

      I assume this is a hybrid environment. The correct process is to create the shared mailbox on-premises, then move it to Exchange Online after directory synchronization has synced the object to Azure AD.

  3. SMallett

    Hi, we are getting this scenario with our Exchange 2013 on premise server, which is rejecting messages intermittently to users on Office 365 that use the same namespace. Can you show me where to look?

  4. Shimon Adimor

    Well, this is still in a test lab so I created the mailboxes myself a few days ago and did not set any forwarding rules.
    There are a few more things I’m not yet sure about:
    1. my mx record points to mail.accepteddomain.com but the diagnostic header I am getting in the bounce back message shows that it’s coming from the internal server name (i.e. the hostname.internaldomain.mycompany.com – is it because postmaster is automatically defined like that ? How should I define the postmaster ?
    2. when I ping smtp.accepteddomain.com I still get the previous ip being resolved (but no replies) – should this be modified in the DNS as well ?
    3. what’s the best practice for creating mailboxes ? I thought that it’s better to first have an AD account for the user, then create the mailbox (which makes sense when going live), but there is a way to create the mailbox for a new user and it will be added to AD.
    4. When having more than one accepted domains – what needs to be defined and where for the 2nd accepted domain ?

    I of course will continue researching online, but so far I got quite a few conflicting pieces of information, so still confused.
    Thanks a lot !

  5. Shimon Adimor

    Hi Paul,
    I actually ran the Microsoft connectivity analyzer for inbound mail, found a problem and fixed it, then ran it again and it was successful, but I am getting a different bounce back error now:
    Hostname.MYdomain.mycompany.com rejected your message to the following email addresses:

    Jon Doe (jon.doe@accepteddomain.com)

    Hostname.MYdomain.mycompany.com gave this error:
    Hop count exceeded – possible mail loop
    A problem occurred during the delivery of this message. Please try to resend the message later. If the problem continues, contact your helpdesk.

    Here are the configuration details:
    Hostname.MYdomain.mycompany.com is the internal fqdn of the exchange server.
    mail.accepteddomain.com and Hostname.mycompany.com have the same ip address and A record is defined for them.
    MX record is defined for mail.accepteddomain.com

    I have a feeling that something is messed up in defining the DNS or domains, but not sure what exactly, and I can’t find any log file that shows the details of the hops…
    Thanks !

      1. Shimon Adimor

        Right now yes – one recipient out of 3 has this problem (still in testing environment).

        1. Avatar photo
          Paul Cunningham

          Check for auto-forwarding rules. Sometimes people set up a rule to forward from Mailbox1 to Mailbox2, but then Mailbox2 also has a rule to forward back to Mailbox1.

  6. Shimon Adimor

    Hi Paul,
    I actually figured out how to modify the MX record and it is pointing correctly now.
    I have set the PTR (SPF) record as well.
    The issue now is that external emails are still not received but the sender has no bounce back error, which is hard to troubleshoot…
    My feeling is it’s because of the PTR record not resolving yet, but is there a good way to troubleshoot such a scenario ?

  7. Shimon Adimor

    Looks like mycompany.com mx record is still pointing to the previous hosting…
    So for now I will have to see how to modify the MX record to point to my own exchange server…
    Can you please help me with this process ?

    1. Avatar photo
      Paul Cunningham

      Your MX records are managed through your DNS control panel for whoever hosts your public DNS.

  8. Shimon Adimor

    When I check the MX record (according to the command described in your MX record article) I get the following
    Default Server: UnKnown

    > set type=mx
    > mycompany.com
    Server: UnKnown

    Non-authoritative answer:
    mycompany.com MX preference = 10, mail exchanger = mailstore1.secureserver.net

    mycompany.com MX preference = 0, mail exchanger = smtp.secureserver.net

    mailstore1.secureserver.net internet address = xx.xxx.xxx.32
    smtp.secureserver.net internet address = xx.xxx.xxx.29

    These last two ips are different than the exchange server public ip.
    Also when I ping the mailstore1 I get a different ip than the one showing.
    When I ping the smtp it resolves to the correct ip as shown in the MX record but doesn’t respond…
    I hope this additional info will lead to the resolution.
    What I’d like to know is what needs to be defined in the global DNS.
    Right now the mail.mycompany.com is pointing to the public ip address of the echange server, which I’m now guessing is not the correct one.
    Thanks again for looking into it !

  9. Shimon Adimor

    Thanks for responding quickly !
    I tried both to reply and to send new.
    Verified that mail.mycompany.com is pointing to the public ip of the exchange server.
    Is there any need to create a DNS record in the DC AD which the Exchange works with ?
    Also – is there any detailed log anywhere that shows that the server rejected this email ?
    Thanks !

  10. Shimon Adimor

    I just finished installing a brand new Exchange server and AD on a separate domain controller.
    I have set two mailboxes (using existing AD users) and I was able to send emails out successfully.
    When I try to send an email from an external address to any of these new mailboxes I get NDR 550 5.1.1 recipient not found.
    I verified that the receive connectors are all enabled (they were by default) and I have not set any restrictions on any user.
    I’m sure I am missing some essential setting, but couldn’t find anything in log files.
    Any idea ?

  11. A.A.

    Dear Paul,

    I followed your instruction, It worked and my problem resolved. Thanks a lot.
    But there is a question for me that why this happened suddenly for new users? Old users don’t have any problems.

    1. Alex

      Yes i would like to ask same thing.
      Why this happened to new users and not old?

  12. Ahmad

    Evening Paul,

    I have Exchange 2013 and it is not generating NDRs when email is sent to some Dummy email address e.g cvt@mail.com

    Can you point me in the right direction please?

  13. Tamara Felton

    I am having an issue for just one user. (A new user). This mailbox is set up just like any mailbox. (No restrictions). You can find the user’s mailbox on the exchange server. The issue is that this mailbox is not receiving email from external senders. (The box is NOT check to “Require Authentication” in the mailbox properties.

    1. Avatar photo
      Paul Cunningham

      Does the sender get an NDR? If so, what does it say? If not, have you tried using message tracking to trace the missing emails?

  14. PvdK

    Great solution, couldn’t figure out what went wrong and nog it’s fixed. Thx.

  15. Arul Jose

    I am creating an email msg programatically and sending to the exchange server (only one company configuration).

    When all the recipient addresses are correct, the mail is sent successfully.

    But if one of the addresses is incorrect, the server gives a “550 5.1.1 User unknown” error and the email msg is not being sent to the correct addresses as well.

    When this is tested via Outlook, the mail is sent to the correct addresses and there is an error mail from the server stating that the mail was not sent to the incorrect address, this is the expected behaviour.

    What needs to be done to get the expected behaviour? There must be some alternative setting being used by outlook.

    1. Avatar photo
      Paul Cunningham

      My guess is that you’ll need to modify your code to handle the error better and not terminate the session when a bad address is encountered.

  16. Farrukh

    If CompanyA and CompanyB both are internal Relay Domains then what will happen to any internal email for non-existing recipient. Will it stuck in loop or generate NDR?

  17. rejith

    May be i am wrong, but have a doubt. Why are we making companya.com as internal relay? By keeping companya.com as Authoritative and making AddressBookEnabled to False is enough right?

    1. Avatar photo
      Paul Cunningham

      The problem occurs when switching a domain from Authoritative to Internal Relay. If you left the domain as Authoritative you wouldn’t run into the problem at all.

      1. rejith

        Thanks Paul

Leave a Reply