Email To/From Microsoft Distribution Lists failing

From the sounds of it you are in gateway mode. In gateway mode Sophos Central does not any list of recipients contained inside the DL so when the message for external users is sent we reject since we aren't a relay. In MFR mode, since the message goes to M365 first, Microsoft will unpack/expand the DL and route individual messages to Sophos for inspection and then if permitted in M365 it will deliver to the external recipients.

Thank you so much - I've been going crazy looking for an answer.  Would you be able to point me to something that would give me the steps to move from Gateway to Mailflow?  The things I see in the Community Discussions are several years old.

Follow these instructions: https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/EmailSecurity/SophosMailflow/index.html

Once you have mail flowing (you've moved your MX to domain-com.protection.outlook.com then you can delete the domain in Central under the current location.

 SteveGross I’d recommend staying with gateway mode. Once you are in mailflow mode, Microsoft will start quarantining and blocking emails before they even reach Sophos. They call it “high phishing spam”. This will mean you’ll have multiple quarantines and unless you issue your users two quarantine digest each day, one from Microsoft and one from Sophos, you’ll have emails falling in to an abyss.

Each to their own, but I’d never configure an external DL. We’d setup a shared mailbox instead. If you’re trying to achieve an external person sending email to another external person via your tenant (again, we’d never do this as it makes us a relay), you could setup a rule in O365 to redistribute as appropriate.

Steve/Stuart, one of the initiatives we are working on is the ability to show a consolidated quarantine where you can see what Microsoft has put into their quarantine along with the ability to release messages from the Microsoft quarantine. As Microsoft made the Secure by Default hard stance last year, i.e. if your mx points to .protection.outlook.com then you cannot disable Defender Spam scanning. We do have thousands of customers using mailflow mode without issues but you have to decide what works best for your organization.

Steve/Stuart, one of the initiatives we are working on is the ability to show a consolidated quarantine where you can see what Microsoft has put into their quarantine along with the ability to release messages from the Microsoft quarantine. As Microsoft made the Secure by Default hard stance last year, i.e. if your mx points to .protection.outlook.com then you cannot disable Defender Spam scanning. We do have thousands of customers using mailflow mode without issues but you have to decide what works best for your organization.