Provider deliverability · Outlook (Outlook.com / Hotmail / Live)
Why is Outlook blocking my emails?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 17, 2026
Outlook blocks outbound mail for three reasons: your domain fails SPF, DKIM, or DMARC checks; your sending IP or domain has a poor reputation with Microsoft's SmartScreen filter; or your IP sits on a Microsoft block list. Fix authentication first, then check SNDS and request delisting; most blocks trace back to those three.
The 30-second check
Before anything else, test the domain you send from. The free Microsoft compliance checker runs the same checks Outlook applies at the SMTP door: SPF, DKIM, DMARC, and Microsoft's 2025 authentication requirements, and tells you which one is failing right now.
Check your domain now
Enter your sending domain and the check runs instantly on the next page. Free, no signup.
Why Outlook is blocking your email
| Likely cause | What's happening |
|---|---|
| Your domain fails SPF, DKIM, or DMARC | The most common trigger since Microsoft's May 2025 sender requirements. Outlook checks the connecting IP against your SPF record and looks for a DKIM signature that aligns with your From domain. Domains sending 5,000+ messages a day to Outlook.com addresses must pass SPF, DKIM, and DMARC or the mail is refused outright; smaller senders that fail authentication start in the Junk folder and slide toward blocks (per Microsoft's postmaster site, checked 2026-07-17). |
| Your sending IP is on a Microsoft block list | Bounces that mention a block list (the S3150 marker inside a 550 5.7.1 bounce) mean the IP, or often your provider's whole range, is on Microsoft's internal list. You can inherit this from a noisy neighbor on shared hosting or a shared email platform without sending a single bad message yourself. |
| Poor sender reputation with SmartScreen | Microsoft's SmartScreen filter scores every sender on history. Microsoft's postmaster documentation names the junk-complaint rate as one of the principal factors driving reputation down: too many recipients clicking Junk and your mail stops arriving, authenticated or not. |
| Policy blocks from spam-like behavior (SC codes) | Outlook.com returns 550 SC-001 through SC-004 for policy rejections: mail with spam characteristics, namespace mining (guessing addresses), open proxies, and complaint-driven blocks. SC-004 specifically means user complaints put you there, which is a list-hygiene problem, not a DNS problem. |
| New domain or a sudden volume spike | Outlook rate-limits senders without history. Deferrals in the 421 RP-001 to RP-003 range mean you hit connection or volume limits for your current reputation tier. New domains and IPs must warm up gradually; a cold start at full volume reads as a spam cannon. |
| Sending from dynamic or residential IP space | The 550 DY-001 and DY-002 rejections target mail sent directly from IPs Microsoft classifies as dynamic (home connections, some VPS ranges). Outlook barely accepts direct-to-MX mail from this space; route through your provider's smarthost or a proper sending service instead. |

How to fix it, step by step
Run the Microsoft compliance check on your sending domain
Use the free checker above (or at /tools/microsoft-compliance-checker). It verifies SPF, DKIM, and DMARC exactly as Microsoft's requirements define them and pinpoints which record is missing, misaligned, or failing, so you fix the actual cause instead of guessing.
Fix SPF, DKIM, and DMARC for every sending service
Add each platform that sends as your domain to your SPF record, turn on DKIM signing with your own domain (not the provider's default), and publish a DMARC record. Verify each with the free checkers at /tools/spf, /tools/dkim, and /tools/dmarc; Microsoft requires the passing domain to align with your From address.
Register for SNDS and JMRP
Microsoft's Smart Network Data Services shows how Outlook rates your IP space, and the Junk Email Reporting Program sends you a copy of every message recipients mark as junk. Together they replace guesswork with Microsoft's own data.
Request delisting from Microsoft
For an IP block, submit the IP through Microsoft's self-service delist portal at sender.office.com. If the bounce directs you to sender support, or the portal doesn't clear it, file the sender support request form linked from Microsoft's postmaster troubleshooting page.
Cut the complaint rate before you resume volume
Delisting doesn't survive a bad list. Remove addresses that never engage, honor unsubscribes immediately, and ramp volume back up gradually. Microsoft names the junk-complaint rate a principal reputation factor, so JMRP data tells you exactly which mail streams to cut.
Re-test, then keep DMARC reports flowing
Re-run the compliance check, send a test to an Outlook.com mailbox, and confirm spf=pass, dkim=pass, and dmarc=pass in the received headers. Then monitor DMARC aggregate reports so the next unauthenticated sender on your domain shows up in a report instead of a block.
Related free tools: SPF checker · DKIM checker · DMARC checker · Domain reputation · Blocklist checker
If you send in volume: Outlook's published rules
Since May 5, 2025, Microsoft requires domains sending more than 5,000 messages a day to Outlook.com consumer addresses (outlook.com, hotmail.com, live.com) to pass all three checks: SPF, DKIM, and a published DMARC policy of at least p=none that passes with alignment. Non-compliant mail went to Junk first; Microsoft's documented rejection for it is "550 5.7.515 Access denied, sending domain <domain> does not meet the required authentication level." (per Microsoft's postmaster site and support documentation, checked 2026-07-17). Below 5,000 a day the same checks still drive filtering, so treat the requirements as the baseline for any volume.
Check your standing with Outlook
- Smart Network Data Services (SNDS)
Microsoft's own view of your IP space: filter results and complaint rates per sending IP. Free; register the IPs you send from.
- Junk Email Reporting Program (JMRP)
Emails you a copy of every message Outlook.com users mark as junk, so you can remove complainers and spot the mail streams driving complaints.
- Anti-spam IP delist portal
Microsoft's self-service delisting: submit the blocked IP and a contact address, verify, and request removal.
- Outlook.com sender support form
The escalation path Microsoft's postmaster troubleshooting page links for blocks the delist portal doesn't resolve.
- Outlook.com postmaster site
Microsoft's sender documentation hub: requirements, the SMTP code reference, and troubleshooting for blocked or junked mail.
Bounce codes you may be seeing
Blocks in this cluster surface as specific SMTP codes. Match yours below; the linked guides cover each code's verbatim provider messages and full fix.
- 550 5.7.515 (sending domain does not meet the required authentication level): Microsoft's high-volume authentication rejection under the sender requirements enforced since May 2025
- 550 5.7.1 carrying an S3150 marker: your IP, or your provider's network range, is on Microsoft's block list Full guide →
- 550 5.7.509: the sending domain fails DMARC verification Full guide →
- 421 RP-001 to RP-003: reputation-based rate limiting, common on new IPs and volume spikes Full guide →
- 550 SC-001 to SC-004: Outlook.com policy blocks; SC-004 is driven by user junk complaints
The real root cause: unenforced authentication
Every cause above feeds one loop. Unauthenticated or misaligned mail scores badly with SmartScreen, bad scores raise the odds of junking and complaints, and complaints push your IP toward the block list, where delisting only buys you a round trip back if the underlying records are still wrong. The way out is to make authentication a settled fact: correct SPF and DKIM for every sending service, DMARC alignment on the From domain, and a policy enforced at p=reject so spoofers can't spend your reputation for you. Monitoring tells you which senders are failing; enforcement is what makes Outlook's blocking stop and stay stopped.
Enforce it — don't just monitor it
Palisade's AI agent takes domains all the way to enforcement: hosted SPF, DKIM, DMARC, and MTA-STS records, DMARC reports monitored continuously, and policies advanced to p=reject automatically. Your first domain is free, and the full product is open for 15 days, no card.
Free 15-day trial · No credit card · Your own domain free forever (NFR)
Fixing this across every client domain
One Outlook block is an afternoon; the same block across a client fleet is a week of tickets, because Microsoft evaluates every tenant domain separately and each one needs SPF, DKIM, DMARC, SNDS, and a delist request of its own. Palisade does this once per fleet: it hosts and manages the SPF, DKIM, DMARC, and MTA-STS records for every client domain, flags failing senders from DMARC reports before Microsoft starts refusing them, and walks each domain to p=reject automatically. Tickets land in ConnectWise, HaloPSA, or Autotask through native PSA integrations, pricing is per domain ($9, dropping to $7 at 100+ and $5 at 1,000+), and your own MSP domain is a free NFR domain to prove it on.
Frequently asked questions
Related guides
550 5.7.1550 5.7.509421 4.7.0p=rejectadkim / aspfinclude: