Unable to deliver NDR because of Bounce verification


We use Exchange 365 for our mailbox storage and an external system for sending and receiving mail to/from the internet. We sometimes have the issue that an NDR cannot be delivered to the end user. Our external system generates this NDR, but sends it to a mail address where bounce verification is included (such as: prvs=tag-value=email address removed for privacy reasons). Exchange 365 then generates an error: access denied, as described here: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-directory-based-edge-blockin....


Is it possible to configure so the NDR is delivered to the end-user mailbox?


Kind regards,
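
The question above describes a bounce addressed to a `prvs=`-tagged recipient being refused by Exchange Online. As an added example (not from the thread and not any product's own code), this Python shows how a relaying gateway could verify and remove the tag before handing the bounce to the mailbox system; it assumes the `prvs=KDDDSSSSSS=address` layout of the BATV Internet-Draft, and the key and function names are constructed.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption); a real gateway holds its own BATV secret.
DEMO_KEY = b"constructed-demo-key"

# Assumed layout: prvs=KDDDSSSSSS=local@domain
# K = key digit, DDD = expiry day modulo 1000, SSSSSS = 6 hex digits of the MAC
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=([^@]+@[^@]+)$")


def _mac(key, key_digit, day, address):
    """First three bytes of HMAC-SHA1 over K, DDD and the address, as hex."""
    msg = f"{key_digit}{day}{address}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def batv_sign(address, today, key=DEMO_KEY, key_digit="0", lifetime_days=7):
    """Tag an envelope sender so later bounces to it can be verified.

    `today` is the current day number (days since 1970-01-01).
    """
    day = f"{(today + lifetime_days) % 1000:03d}"
    return f"prvs={key_digit}{day}{_mac(key, key_digit, day, address)}={address}"


def batv_strip(rcpt, today, key=DEMO_KEY, lifetime_days=7):
    """Return the mailbox address to relay a bounce to, or None to reject it."""
    if not rcpt.startswith("prvs="):
        return rcpt  # untagged: accepting these is a separate policy decision
    m = PRVS_RE.match(rcpt)
    if m is None:
        return None  # claims to be tagged but is malformed
    key_digit, day, tag, address = m.groups()
    if not hmac.compare_digest(tag.lower(), _mac(key, key_digit, day, address)):
        return None  # forged or altered tag
    # The expiry day is stored modulo 1000, so compare modulo 1000 as well.
    if (int(day) - today) % 1000 > lifetime_days:
        return None  # tag has expired
    return address
```

Only after `batv_strip` returns an address should the bounce be relayed, with that address as the recipient, so the directory lookup sees the real mailbox.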


3 Replies

Hi @ArjanBroekhuizen,

To make sure that Non-Delivery Reports (NDRs) are successfully delivered to the end-user mailbox in Exchange Online (Office 365), you can try to use these options (steps):

1. Make sure that the external system sending NDRs uses a valid email address that can be accepted by Exchange Online.

Email non-delivery report (NDR) and SMTP errors in Exchange Online - Exchange | Microsoft Learn

2. Turn off the Directory Based Edge Blocking (DBEB) feature for your verified domain in Exchange Online. DBEB is a security measure that can sometimes mistakenly block legitimate NDRs.

To disable DBEB, you can use the following PowerShell command:

Set-RemoteDomain -Identity "Default" -UseDirectoryEdgeBlockList $false

Use Directory-Based Edge Blocking to reject messages sent to invalid recipients in Exchange Online |...

3. Configure a transport rule in Exchange Online to redirect NDRs to the end-user mailbox. 

To create the transport rule, you can use the following PowerShell command:

New-TransportRule -Name "Redirect NDRs to End-User Mailbox" -RecipientDomainIs "yourdomain.com" -MessageTypeMatches "NDR" -RedirectMessageTo "email address removed for privacy reasons"


*Replace "yourdomain.com" with your actual domain and "email address removed for privacy reasons" with the email address of the end-user.

Mail flow rules (transport rules) in Exchange Online | Microsoft Learn

Kindest regards,

Leon Pavesic

Hi @LeonPavesic

I was checking the current setting for our default domain, but the parameter UseDirectoryEdgeBlockList isn't displayed with Get-RemoteDomain.
This parameter isn't mentioned in the documentation for Set-RemoteDomain either. Is there something I'm overlooking?

Kind regards,

@LeonPavesic The parameter MessageTypeMatches does not accept the value "NDR" as per the documentation for New-TransportRule (ExchangePowerShell) | Microsoft Learn.

Also see the error below:

New-TransportRule: Cannot process argument transformation on parameter 'MessageTypeMatches'. Cannot convert value "NDR" to type "Microsoft.Exchange.MessagingPolicies.Rules.Tasks.MessageType". 
Error: "Unable to match the identifier name NDR to a valid enumerator name. Specify one of the following enumerator names and try again: OOF, AutoForward, Encrypted, Calendaring, PermissionControlled, Voicemail, Signed, ApprovalRequest, ReadReceipt"