Forwarding mail from local to outlook.com

cDGo

We need to forward the mail not to be delivered on the local server but to outlook.com.

So we did change the DNS settings according to the customer's specifications:
CNAME for autodiscover
MX record pointing to the mailbox at outlook.com
TXT Value: MS=ms########

The mail is coming in to the outlook mailbox.
But still also in the local server.

We have an A record called mail which points to the local server and the checkbox for local Mail Server is on.
When switching the checkbox for local Mail Server to off the test emails give this error from the outlook.com server:
550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources. [xxxxxx.xxxxx.prod.outlook.com 2025-10-08T09:04:40.372Z 08DE038C4BF811FE]

I think the mail A-record should also point to the outlook.com servers, but the customer tells me they don't need it.
Now the question is what to do with the A-record for mail to keep mail coming into the outlook.com box, and stop mail from being delivered local.
 
Hello,

All emails are to be delivered to servers specified in MX record in DNS only. So they should be delivered to MS. If you have "checkbox for local Mail Server is on", and some emails are originated from your DA server, then that's the reason, emails end in local DA email inboxes.

So you send emails from a DirectAdmin server? Is it the case? Do you have the server's IP in SPF records? Do you have the same email accounts both in DirectAdmin and MS?

When switching the checkbox for local Mail Server to off the test emails give this error from the outlook.com server
 
Also might be a waiting game here. If your DNS MX record(s) pointed mail to your DA Server's local mail, all the root nameservers and their children may not have updated. This can take up to 48 hours (Often much less) for your new MX records to propagate the DNS hierarchy worldwide.

The fact that it's popping up in either box at the moment is a good sign that your MX record is starting to work, but leave as is, give it some time and all your mail will end up in Outlook by tomorrow I'd say. Then just forward all your mail from roundcube to Outlook, unless they have a migration tool like DA's Imapsync.

All the major players will normally update within the 3600 seconds (or whatever you set your MX TTL for) and clear their cache.

Quick edit, you can always check to see how the propagation is going and what authoritative nameservers are using by visiting a checker like https://dnschecker.org/ or via CLI:

Bash:
# dig @1.1.1.1 [yourdomain.com] MX   # dig @[any server IP] [yourdomain.com] [record type]

Output will look like:

root@v1 ~ # dig @8.8.8.8 google.com MX

; <<>> DiG 9.18.39-0ubuntu0.24.04.1-Ubuntu <<>> @8.8.8.8 google.com MX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12585
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      MX

;; ANSWER SECTION:
google.com.             267     IN      MX      10 smtp.google.com.

;; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Oct 08 16:03:12 CEST 2025
;; MSG SIZE  rcvd: 60

You can also add +short to the end to get a simple output without all the SOA etc.

Bash:
root@v1 ~ # dig @8.8.8.8 google.com MX +short
10 smtp.google.com.
root@v1 ~ #
 
Hello Alex,

Let me try to rewrite the question.

In DNS we have an MX record which points to mail.mydomain.com
And an A-record named mail which points to the local servers/customers ip.
And the checkbox for local Mail Server is on.
All emails from external senders and the mail from the users website (on the DA server) are coming in the local mailbox on the DA server.

Now the customer wants to switch from mail on the DA server to outlook.com.
These changes were made:
The mx record is pointing to the mailbox on outlook.com
We still have the A-record named mail which points to the local servers/customers ip (can this be removed entirely?).
Now mail comes in on both the local DA server and the outlook.com server.
And as soon as we uncheck the local Mail Server to stop local delivery on the DA server we get the error:
550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources. [xxxxxx.xxxxx.prod.outlook.com 2025-10-08T09:04:40.372Z 08DE038C4BF811FE]

So the only change is the unchecking of the local Mail Server checkbox.
While the user before was an "authorized source" and now becomes an unauthorized source?

We do not have access to the MS environment, so we have to assume they do have the same mailbox and mail is coming in there.
The DA server's IP is in the SPF record and also the "include:spf.protection.outlook.com".
There's also an external spam filter which is also included in the SPF record.

@DrWizzle:
This is not a new user, everything has worked for years before the 3 dns changes.
The DNS changes have been done like 2 weeks ago.
Now the last step is stopping mail coming in to the users local DA mailbox
 
Now mail comes in on both the local DA server and the outlook.com server.

Thank you for the details, they do not give new information about the setup and the use case itself. I'd rather ask again which emails? From 3rd parties and remote domains? Or from the same directadmin server or even from the site on the same domain?

In general, it is sufficient to change an MX record in DNS to point all email traffic to a new Mail server. But if you want to point mails from your original directadmin server, where the site might still reside, and users might still connect over SMTP, POP, IMAP to, then you will need to apply extra actions:

1. instruct users to change SMTP, POP, IMAP host in their email clients
2. update a site to use new SMTP, POP, IMAP host for sending, reading emails
3. disable "checkbox for local Mail Server is on" in directadmin
4. etc.

A need to update SPF, DKIM goes without saying, by the way.

Outlook

Direct Send not allowed for this organization from unauthorized sources

I found the following explanation:

Direct Send is a feature in Exchange Online that allows on-premises devices and applications to send emails from own domain to your organization’s mailboxes, without authentication. It works by routing messages through a smart host.

So again, my guess is that you send emails from DirectAdmin to Outlook. Is that what you want? If not, then check the steps #1-#3 from above. So if your users connect to mail.domain.com, then of course you will need to instruct them to stop using it.
 
I was just replying and was going to reply similar but @zEitEr beat me to it.

The error, as Alex has pointed out is MS 365 refusing the mail. Follow his instructions above, but I would reiterate very strongly to get the spf, dkim and dmarc records set up as MS is very touchy about security and preventing email spoofing. I've been told, Direct Send has to be on an authorised IP. Those records should hopefully help as they would act as some authorisation.

This is not a new user, everything has worked for years before the 3 dns changes.
The DNS changes have been done like 2 weeks ago.
Now the last step is stopping mail coming in to the users local DA mailbox

Removing the old mail.domain.com A record from DA servers should help as it's effectively redundant, and could be confusing for some servers. The MX record should be fine with the other CNAME and SRV records. Again, as Alex said, also update the SMTP, POP and IMAP records to point to MS if that's what they require.
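
Added example, not from any poster in this thread: a POSIX shell check of the SPF statement made above (that the DA server's IP and `include:spf.protection.outlook.com` are both in the record), which is also the record the last reply asks to have in order. The SPF value, the IP addresses, the `spf.filter.example` include and the function names are constructed; the script evaluates only `ip4` mechanisms and lists `include` targets without following them.

```sh
#!/bin/sh
# Constructed sample: an SPF TXT value as `dig +short TXT yourdomain.com`
# would print it (quotes removed). All addresses are documentation ranges.
SAMPLE_SPF='v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 include:spf.protection.outlook.com include:spf.filter.example -all'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP NET[/PREFIX] -> exit status 0 if IP lies inside the network.
in_cidr() {
    net=${2%/*}
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# spf_check RECORD IP -> first line: "ip4-match:<mechanism>" or
# "no-ip4-match"; following lines: one "include:<domain>" per include term.
spf_check() {
    matched=no-ip4-match
    includes=
    for term in $1; do
        case $term in
            ip4:*)
                if [ "$matched" = no-ip4-match ] && in_cidr "$2" "${term#ip4:}"; then
                    matched="ip4-match:${term#ip4:}"
                fi ;;
            include:*) includes="$includes ${term#include:}" ;;
        esac
    done
    echo "$matched"
    for inc in $includes; do echo "include:$inc"; done
}

# Hypothetical DA server IP checked against the constructed record.
spf_check "$SAMPLE_SPF" 203.0.113.10
```

To check a live domain, pass the output of `dig +short TXT yourdomain.com` (with the surrounding quotes removed) as the first argument instead of `SAMPLE_SPF`.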
 