Xapity Blog

Exchange Distribution List not Relaying to Member Contacts

When an external user sends to an Exchange distribution list with external contacts, the contacts do not get the email. The Exchange Server does the expansion and then relays the email to the member contact as expected, but in the header information the Exchange Server is sending the email as the external sender and the email gets blocked as a result.

Exchange Distribution List Email Flow

The example from the graphic shows a distribution list, DistList@Conteso, that has two members, one an internal mailbox, Jill@Conteso and the other an external contact, Bob@CompanyB.

When an email is sent from an external user, Joe@ComapnyA it is delivered to the distribution list and then expanded to send to the members, Jill and Bob. Exchange delivers an email to Jill's mailbox and then sends and email to Bob. And this email to Bob is not delivered.

In our case the gateway SMTP server does a check to make sure that all emails going out are from our internal email domain ie no spoofing and as the email looks like it is being sent by Joe@CompanyA our gateway blocks the email.

If the email was not blocked, the receiving SMTP server could do an SPF check (if configured on the senders email domain) and potentially mark our SMTP gateway as spoofing the @CompanyA email domain - not good for our email reputation.

This is a change in Exchange 2016 and possibly in Exchange 2013 as well. I am not sure when it changed as I had issues with in Exchange 2013 with some servers and not with others.

In Exchange 2013 I was able to use a work around by setting an expansion server for the distribution list that pointed to an Exchange 2013 server that did not have the issue. But after upgrading to Exchange 2016, all servers have the issue and no emails were getting past our gateway for the member contacts.

Header Information

Looking at the headers of a successful message from the Exchange 2013 server (example below) we can see that after the distribution list expansion, the headers had these two lines in them:

Return-Path: <prvs=245420=DistList@conteso>

Resent-From: <DistList@conteso>

These headers are missing after the Exchange 2016 expansion of the distribution list.

The headers Return-Path and Resent-From will indicate to SMTP servers where the email is originating from, ie our domain. When these are missing from the Exchange 2016 headers, it looks like the email is coming from the original sender and that Exchange is spoofing the sending domain.

Workaround - Rewrite Headers

The only way around it at the moment, is to re-write the email headers on the way out so that it is not sending from the original sender. In our case, it was acceptable to use the Distribution List email address as the sender, but this might not be appropriate in all cases.

Hopefully this will be fixed in a update from Microsoft. The use case is fairly rare as the email has to be coming from an external source and to a distribution list with external contacts.

If an internal user emails the distribution list there is no problem as the sender is from an internal domain. And if the distribution list has no external contacts, again there is no problem regardless of where the original email came from.


I have included these example email headers that have been edited to use the email addresses with no .com on them, from the example above.

Example Successful Header from Exchange 2013 (edited)

Delivered-To: Bob@CompanyB

Received: by xx.xx.xx.xx with SMTP id e13267474064vsc;

Sun, 17 Dec 2017 11:30:32 +0000

X-Google-Smtp-Source: I1QRqRpXNAJWSGGDkdsscdsBt5ehhDfwESsdfaASfFYbVlBq3gjvsfW

X-Received: by xx.xx.xx.xx with SMTP id d3mr65csascasc4pfl.38.150123446545;

Sun, 17 Dec2017 11:30:31 +0000

ARC-Authentication-Results: i=1; mx.google.com;

dkim=pass header.i=@onmicrosoft.com header.s=selector1-Conteso header.b=1zHKFX8w;

spf=pass (google.com: domain of prvs=245420=DistList@conteso designates xx.xx.xx.xx as permitted sender) smtp.mailfrom=prvs=245420=DistList@conteso

Return-Path: <prvs=245420=DistList@conteso>

Received: from SMTProuter.Conteso (SMTProuter.Conteso . [xx.xx.xx.xx])

by mx.google.com with ESMTPS id 2si7603pla.xx.xx.xx.xxx.xx

for <Bob@CompanyB>

(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);

Sun, 17 Dec 2017 11:30:31 +0000

Received-SPF: pass (google.com: domain of 245420=DistList@conteso designates xx.xx.xx.xx as permitted sender) client-ip=xx.xx.xx.xx;

Authentication-Results: mx.google.com;

dkim=pass header.i=@onmicrosoft.com header.s=selector1-conteso header.b=1YHUnFX8w;

spf=pass (google.com: domain of 245420=DistList@conteso designates xx.xx.xx.xx as permitted sender) smtp.mailfrom=245420=DistList@conteso

Resent-From: <DistList@Conteso>

To: undisclosed-recipients:;

Authentication-Results: SMTProuter.Conteso; spf=Pass smtp.mailfrom=Joe@CompanyA

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=onmicrosoft.com; s=selector1-conteso;




From: Joe External <Joe@CompanyA>

Subject: Test Email

Thread-Topic: Test Email


Date: Sun, 17 Dec 2017 11:30:10 +0000

Message-ID: <SG248341F8FB5800302MB2637.prod.outlook.com>

Return-Path: Joe@CompanyA

Example Unsuccessful Header from Exchange 2016 (edited)

Received: from ExchangeServer.local (xx.xx.xx.xx) by

ExchangeServer.local (xx.xx.xx.xx) with Microsoft SMTP Server

(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id

xx.xx.xx.xx; Sun, 17 Dec 2017 14:22:47 +0000

Received: from SMTPRouter01.Conteso (Unknown_Domain [xx.xx.xx.xx])

by InboundGateway.local (Inbound Gateway) with SMTP id BA.39.142.7593; Sun, 17 Dec 2017 14:22:47 +1100

Authentication-Results: SMTPRouter01.Conteso; spf=Pass smtp.mailfrom=Joe@CompanyA

Received-SPF: Pass (SMTPRouter01.Conteso: domain of

Joe@CompanyA designates xx.xx.xx.xx as

permitted sender) identity=mailfrom;

client-ip=xx.xx.xx.xx; receiver=SMTPRouter01.Conteso;


x-sender="Joe@CompanyA"; x-conformance=spf_only;


Received: from mail-met.outbound.protection.outlook.com (HELO MT1-be.outbound.protection.outlook.com) ([xx.xx.xx.xx])

by SMTPRouter01.Conteso with ESMTP/TLS/AES256-SHA256; 17 Dec 2017 14:22:45 +0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=Conteso; s=selector1-Conteso;




Received: from PR123.prod.outlook.com (xx.xx.xx.xx) by

PR123.prod.outlook.com (xx.xx.xx.xx) with Microsoft SMTP

Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id

xx.xx.xx.xx; Sun, 17 Dec 2017 14:22:42 +0000

Received: from PR123.prod.outlook.com ([xx.xx.xx.xx]) by

PR123.prod.outlook.com ([xx.xx.xx.xx]) with mapi id

15.20.0197.017; Sun, 17 Dec 2017 14:22:42 +0000

From: Joe External <Joe@CompanyA>

To: "DistList@Conteso"


Subject: Test External 2

Thread-Topic: Test External 2

Thread-Index: AdNWjsdvvHHHFC3r/Spl3AVHQ==

Date: Sun, 17 Dec 2017 14:22:41 +0000

Message-ID: <SYXPSBHFJSBF530@SYXP423.prod.outlook.com>

Return-Path: Joe@CompanyA

Featured Posts
Recent Posts