SMTP error code · permanent failure (5xx)

SMTP error 550 5.7.1: delivery not authorized, message refused

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 17, 2026

550 5.7.1 is the catch-all "delivery not authorized" rejection: the receiving server deliberately refused your message. The bounce text tells you which variant you hit: failed SPF/DKIM/DMARC authentication, a relay the server won't perform, a blocklisted sending IP, or a recipient-side restriction. It's permanent; fix the cause the text names, then re-send.

550 5.7.1 at a glance
Code550 5.7.1
ClassPermanent (5xx): the message was refused and will not retry
CategoryPolicy
Side at faultEither side
Auth-relatedYes (SPF/DKIM/DMARC)

What the bounce actually says

The exact wording varies by provider. These are the documented strings, verbatim. Match yours to pin down which variant you hit.

Gmail (Google Workspace) — sender or recipient policy

550 5.7.1 The user or domain that you are sending to (or from) has a policy that prohibits the email that you sent.

Source: knowledge.workspace.google.com

Gmail (Google Workspace) — unauthorized direct sending

550 5.7.1 The IP you're using to send email is not authorized to send email directly to our servers.

Source: knowledge.workspace.google.com

Gmail (Google Workspace) — low IP reputation

550 5.7.1 This message is likely suspicious due to the very low reputation of the sending IP address.

Source: knowledge.workspace.google.com

Microsoft 365 (Exchange Online) — recipient requires authenticated senders

550 5.7.1 RESOLVER.RST.AuthRequired; authentication required [Stage: CreateMessage]

Source: learn.microsoft.com

Microsoft 365 (Exchange Online) — sending IP on Microsoft's blocklist

550 5.7.1 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using Blocklist 1; To request removal from this list please forward this message to delist@microsoft.com

Source: learn.microsoft.com

Microsoft 365 (Exchange Online) — blocklisted IP hidden by the customer's IP Allow list

550 5.7.1 Unable To Relay: Blocked by Customer Allow list

Source: learn.microsoft.com

Exchange Server (on-premises) — relay not allowed for this sender

550 5.7.1 Unable to relay

Source: learn.microsoft.com

Generic MTAs — the RFC 3463 standard text

550 5.7.1 Delivery not authorized, message refused

Source: www.rfc-editor.org

Why you're seeing 550 5.7.1

5.7.1 is the broadest security code in the SMTP standard. RFC 3463 defines it as "delivery not authorized, message refused" (the sender is not authorized to send to this destination) and deliberately says nothing about why. So every provider reuses it for its own refusals: Gmail returns it for admin-policy and IP-reputation refusals, Exchange Online for denied relays, blocklisted IPs, and recipients that only accept authenticated senders, and countless MTAs for per-host or per-recipient filtering. That's why the number alone can't be diagnosed. The human-readable text after 550 5.7.1 is the actual verdict. Match it against the variants above, then work the fix that matches. The one constant: some policy on the receiving side judged your message unauthorized, and it will keep doing so until something changes.

Likely causes, ranked

Likely causeWhat's happening
The message failed SPF, DKIM, or DMARCA common trigger. Generic MTAs and third-party gateways often return a bare `550 5.7.1` for authentication failures: a sending service missing from your SPF record, or DKIM signing left off, is enough to make your mail look unauthorized. Gmail and Microsoft 365 use more specific codes for DMARC rejections (`550 5.7.26` and `550 5.7.509`, both in the related codes below), and Gmail's 5.7.1 "policy that prohibits" variant signals a Workspace admin or organization policy, not DMARC.
You're relaying through a server that won't relay for youThe classic Exchange wording. A printer, scanner, or line-of-business app submits mail through a server that doesn't recognize it as an authenticated or internal sender, so the server refuses to pass the message on. Common right after migrations, IP changes, or password rotations.
The sending IP is on a blocklistExchange Online's blocklist variant and Gmail's low-reputation variant both fit here. So does Exchange's "Blocked by Customer Allow list" NDR, despite the relay wording: the tenant's own IP Allow list hides the blocklist's name. The receiving side checked your connecting IP against a real-time blocklist or its own reputation data and refused the connection outright; nothing about this specific message mattered.
The recipient's organization restricts who can send to that addressRestricted distribution groups, mail-enabled public folders that require authenticated senders, moderated recipients, and per-recipient allow-lists all bounce outsiders with 5.7.1. Your mail and your DNS are fine: the restriction lives entirely on their side.
You're sending directly to the provider from an unauthorized IPGmail refuses direct SMTP connections from IPs it considers unfit to send, typically dynamic or consumer ranges, or IPv6 senders without matching PTR records. Mail must go out through a proper mail server or smarthost instead.
A mail flow rule or content filter refused the messageMicrosoft 365 transport rules and third-party gateways commonly reject with a 5.7.1 when a message trips an org-level rule: attachment types, keywords, geo restrictions. The bounce usually carries the custom text the admin configured.

How to fix 550 5.7.1

  1. Check the sending domain's DMARC, SPF, and DKIM first

    Authentication failures are a common trigger and the only variant you can fully fix in DNS. Run the domain from the bounced message's From address through the free DMARC checker below. It shows what your SPF, DKIM, and DMARC records currently tell receivers, and whether your own policy could be ordering the rejection.

    Run the check now

    Enter the sending domain and the check runs instantly on the next page. Free, no signup.

  2. Match your bounce text to a variant

    The number is ambiguous; the sentence after it is not. Relay wording means a submission problem, blocklist wording means a reputation problem, a named group or folder means a recipient-side restriction. The exact string decides which of the next steps applies.

  3. Fix authentication: SPF includes and DKIM signing

    Add every service that sends as your domain to your SPF record and verify it with the free SPF checker at /tools/spf, staying under the 10-DNS-lookup limit. Enable DKIM signing for your domain (not the provider's default) at each service. If your DMARC policy is p=reject, any legitimate source you missed will bounce exactly like this.

  4. If it says relay: authenticate the submission

    This step is for the classic "Unable to relay" or "not authorized to relay" wording, but not "Blocked by Customer Allow list", which is a blocklist problem (next step). Stop submitting anonymously: point the device or app at authenticated SMTP submission (SMTP AUTH on port 587 with a real account) or set up a connector scoped to its IP address. A mail server only relays for senders it can identify, and this error means it couldn't identify yours.

  5. If it names a blocklist: check your IP and domain reputation

    Run the connecting IP through /tools/ip-reputation and the domain through /tools/domain-reputation, then check public blocklists with /tools/blocklist-checker. Microsoft's own variant tells you where to send the delisting request; public RBLs each have their own removal process. If the bounce says "Blocked by Customer Allow list", your own settings are hiding the culprit: remove the sending IP from the IP Allow list under connection filtering in the Exchange admin center, and the NDR will name the actual blocklist. Then delist. Fix the leak (open relay, compromised account, spam burst) before requesting removal, or you'll be relisted.

  6. If only one recipient bounces: ask their admin, then re-send

    A single failing address while everything else delivers points at a recipient-side restriction only their email admin can lift. Once the cause is fixed, whichever it was, re-send the message yourself: 550 is a permanent failure, so nothing retries automatically.

Related free tools: SPF checker · Domain reputation · Blocklist checker

Authentication is the fix, not a workaround

Every path out of 550 5.7.1 runs through the same three DNS records: SPF, DKIM, and DMARC. Mailbox providers no longer treat them as best practice; they're the entry ticket, and a domain that drifts out of alignment starts bouncing again without anyone changing a thing on your side.

The durable fix is enforcement: publish correct records, watch the DMARC reports for senders you missed, and move the domain to p=reject so receivers drop spoofed mail instead of bouncing yours.

Enforce it — don't just monitor it

Palisade's AI agent takes domains all the way to enforcement: hosted SPF, DKIM, DMARC, and MTA-STS records, DMARC reports monitored continuously, and policies advanced to p=reject automatically. Your first domain is free, and the full product is open for 15 days, no card.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Why it matters for MSPs

550 5.7.1 is the most ambiguous ticket in an MSP queue: the same code covers a client's scan-to-email copier that lost relay rights, a tenant whose SPF never listed the new CRM, and a mail server that landed on a blocklist over the weekend. Triaging it bounce-by-bounce across fifty client domains doesn't scale. But the biggest slice, the authentication variant, is preventable fleet-wide. Palisade hosts and manages the SPF, DKIM, DMARC, and MTA-STS records for every client domain, watches the DMARC reports so unauthenticated senders surface before they start bouncing, and advances each domain to p=reject automatically. It plugs into ConnectWise, HaloPSA, and Autotask so the fix lands in your existing workflow, and your own MSP domain is a free NFR domain you can prove it on first.

Frequently asked questions

It's permanent. Any 550 response is a hard failure: the receiving server refused the message, your server bounced it back to you, and nothing retries on its own. Once you've fixed the cause the bounce text names, you have to re-send the message yourself. Temporary refusals use 4xx codes instead; those defer and retry automatically.

It depends on the variant. Failed authentication, denied relays, unauthorized direct sending, and blocklisted IPs are sender-side: you fix DNS, submission settings, or reputation. Restricted groups, public folders that require authenticated senders, and per-recipient allow-lists are recipient-side: only their admin can permit you. The bounce text tells you which case you're in.

That pattern points at the receiving side: that organization's policy restricts who can send to the address, or its filter refuses your domain or IP specifically. Reach the recipient another way and ask them to loop in their email admin, and run your own domain through a DMARC and SPF check first, so you can show your mail authenticates cleanly.

Effectively, yes. The enhanced code `5.7.1` (delivery not authorized) is identical; only the basic reply code in front differs, and providers use 550 and 554 interchangeably for the same refusals. Diagnose from the human-readable bounce text either way. Both are permanent failures that will not retry.

Stop relaying anonymously. Configure the printer, scanner, or application to use authenticated SMTP submission (SMTP AUTH on port 587 with a licensed mailbox) or create a connector scoped to the device's IP address. Exchange only relays for senders it can identify; this error means it couldn't identify yours.

Related error codes

Email deliverability, fixed: the full guide