Overview + Setup Information

This issue relates to Exchange, SharePoint Online and Office 365. 

Here's a quick summary of our setup:

• We've integrated our on-prem AD with Azure AD via Azure AD Connect.
• We have hybrid Exchange set up, with some mailboxes hosted on-prem (Exchange Server 2010 SP3) and others hosted on Exchange Online.
• Inbound mail flow is directed to Exchange Online so that we can use EOP for anti-spam and anti-malware protection.

Issue

Users with on-prem mailboxes are unable to send emails to distribution groups using the 'Send by Email' functionality in SharePoint Online sites.

These users are able to select the distribution group and send the email, however, the message is not received by any of the members of the distribution group.

Solution

Disabling the 'Require that all senders are authenticated' option in EMC > Distribution Groups > [desired group] > Mail Flow Settings > Message Delivery Restrictions, fixes this issue. As in, members of the group will then receive emails that users with on-prem mailboxes send using the 'Send by Email' button on SharePoint Online.

FYI, the equivalent setting on Exchange Online seems to be EAC > Recipients > Groups > [desired group] > Delivery Management > Senders inside and outside my organization.

Issue with Solution

This is not an acceptable solution as it leaves the door open for external senders to send emails to all the members in our distribution groups. This is problematic for a number of reasons, particularly from a security perspective.

Question

It seems like either Exchange Online or our on-prem Exchange server is deeming these users (who have on-prem mailboxes) to be unauthenticated/outside the organization - as a reminder, our inbound mail flow goes through Exchange Online.

Hence, how can we make Exchange Online/on-prem Exchange consider these users to be authenticated/inside the organization? I am of course also open to trying other solutions that might fix the issue we're having.

Any help would be much appreciated.