Managing Directory Based Edge Blocking (DBEB) feature in Exchange Online Protection (EOP)

Share this:

The DBEB feature is a powerful resource for Exchange Administrators that are using Exchange Online Protection where only the valid e-mail addresses in Office365 will be able to receive e-mails. Basically, any SMTP address that is not recognized by EOP is dropped at the Edge and that mail will not be processed any longer which saves you the trouble to deal with a message on your environment that is not valid.


In the previous version of Exchange Online Protection (EOP) the administrator had an option to enable DBEB in the portal however with all integration between Office365 and Exchange Server 2013 management interfaces the feature is not easy spotted and to be honest we are able to read DBEB only when we need to confirm the change.

In this Tutorial, we are using EOP standalone where all mailboxes are on-premises and the EOP is the responsible to receive all Internet traffic and after cleaning up all messages against virus, malware and spam, then the messages are delivered on the on-premises servers.

Understanding where to check DBEB feature…

In order to check the feature, we need to open the Office365 portal, and then click on Admin and then Exchange Online Protection (Note: we are using the EOP standalone in this Tutorial).


In the new page, click on mail flow, and then accepted domains. A list containing all the existent domains will be displayed.

Here is the trick part: domains that are listed as Internal Relay have the DBEB feature disabled, on the other hand domains configured as Authoritative have the DBEB feature enabled. That’s it pretty simple and straight forward.


When we edit an existent domain like the one below, we can can notice in the explanation the implications of each type. That is common for Exchange Administrators since ever, but now that we have EOP we need to be aware that enabling such feature will require that Office365 contain a list of all SMTP address through synchronization otherwise some valid mailboxes will not receive e-mail.


How to enable the DBEB feature…

If you have a domain defined as Internal Relay, just change it to Authoritative and hit Save. The following image will be displayed and that is the first time that you read the DBEB feature description in the management interface. To continue, click on Yes and you will have enable DBEB feature in the chosen domain.



In this Tutorial we went over the process to enable DBEB in an Exchange Online Protection (EOP) standalone.

Written by Anderson Patricio

Anderson Patricio is a Canadian Exchange Server MVP and MCSM (Solutions Master) and he contributes to the Microsoft Community with articles, tutorials, blog posts, forums and book reviews. He is a regular contributor at, and (Portuguese).