I've worked out this issue.
We recently changed our inbound routing to go from:
MessageLabs -> OnPrem Exchange 2010 -> back out to MessageLabs (if required)
to
MessageLabs -> Office365 -> back out to MessageLabs (if required)
Exchange 2010 was doing a rewrite of the message header, specifically the Return-Path, to be the email address of the distribution list. As this was an internal email address, MessageLabs would relay it successfully.
Office 365 does not rewrite the message header, so the Return-Path is the external email sender. MessageLabs rejects the relay for that external domain from that email address (as you would expect).
The fix at the moment for us is to do the following:
- Set a "Manager" for the Distribution Group to be an internal user.
- Run the following Exchange PowerShell command (we did ours on our onPrem Exchange server as we are in a Hybrid configuration):

    Set-DistributionGroup "fstestdl" -ReportToManagerEnabled:$true -ReportToOriginatorEnabled:$false
Once that change was synced to Azure/EOL, any email to that DL had the Return-Path set to the manager's email address (which is internal) and MessageLabs now routes it correctly.
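
A read-only audit for finding other distribution groups in the same state, added here as an example and not part of the original post. It assumes an Exchange Management Shell or Exchange Online PowerShell session, and it assumes that only groups accepting external senders are affected, as in the scenario above; the `NeedsChange` column is a hypothetical name.

```powershell
# Added example (not from the original post). Read-only: reports, changes nothing.

# Domains the organisation owns; an address in one of these counts as internal.
# Wildcard entries such as *.example.com are compared literally here.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $group = $_

    # Resolve each manager to a primary SMTP address and keep the internal ones.
    $internalManagers = @(
        foreach ($m in $group.ManagedBy) {
            $r = Get-Recipient -Identity "$m" -ErrorAction SilentlyContinue |
                 Select-Object -First 1
            if ($r) {
                $addr = "$($r.PrimarySmtpAddress)"
                if ($internalDomains -contains $addr.Split('@')[-1].ToLower()) { $addr }
            }
        }
    )

    # External senders can only reach the group when sender authentication is off.
    $acceptsExternal = -not $group.RequireSenderAuthenticationEnabled

    [pscustomobject]@{
        Group                     = $group.PrimarySmtpAddress
        AcceptsExternalSenders    = $acceptsExternal
        ReportToManagerEnabled    = $group.ReportToManagerEnabled
        ReportToOriginatorEnabled = $group.ReportToOriginatorEnabled
        InternalManagers          = $internalManagers -join ';'
        # Flag groups where the Return-Path would not be an internal manager.
        NeedsChange               = $acceptsExternal -and
                                    ((-not $group.ReportToManagerEnabled) -or
                                     ($internalManagers.Count -eq 0))
    }
} | Where-Object { $_.NeedsChange } | Format-Table -AutoSize
```

Groups listed by this report are candidates for the same two steps: set an internal manager, then run the `Set-DistributionGroup` command above against them.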