SMTP error code · permanent failure (5xx)

SMTP error 550 5.7.509: access denied, sending domain does not pass DMARC verification

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 16, 2026

550 5.7.509 is Microsoft 365's rejection of mail that fails DMARC when the sending domain's policy is p=reject: Exchange Online found no aligned SPF pass and no aligned DKIM pass for the From domain, so it refused the message, exactly as the domain's own policy instructs. It's sender-side: authenticate the sending service and mail flows again.

550 5.7.509 at a glance
Code550 5.7.509
ClassPermanent (5xx): the message was refused and will not retry
CategoryAuthentication
Side at faultSender
Auth-relatedYes (SPF/DKIM/DMARC)

What the bounce actually says

The exact wording varies by provider. These are the documented strings, verbatim. Match yours to pin down which variant you hit.

Microsoft 365 (Exchange Online / Outlook)

550 5.7.509 Access denied, sending domain [$SenderDomain] does not pass DMARC verification and has a DMARC policy of reject.

Source: learn.microsoft.com

Why you're seeing 550 5.7.509

Enhanced status codes in the 5.7.x range mean the receiver refused the message on security or policy grounds (RFC 3463); 509 is Microsoft's own subcode for one specific verdict. The domain in the message's From address publishes a DMARC policy of p=reject, and this message failed DMARC: no SPF pass aligned with that domain, and no DKIM signature aligned with it either. Exchange Online used to soften other domains' p=reject down to quarantine, but since mid-2023 it honors the published policy by default, which is why this bounce shows up "suddenly" for domains that had been failing quietly for years. Microsoft isn't blocklisting you; it's executing the instruction the sending domain itself published in DNS. The bounce even includes the original message's Authentication-Results header, so you can see exactly which check failed.

Likely causes, ranked

Likely causeWhat's happening
A sending service was never authenticated for your domainThe most common trigger. A CRM, invoicing platform, ticketing system, scan-to-email device, or marketing tool sends as your domain, but its IPs aren't in your SPF record and it doesn't DKIM-sign with your domain. Under `p=reject`, every message it sends to a Microsoft-hosted mailbox bounces.
SPF or DKIM passes, but not for your From domainDMARC needs alignment: the domain that passes SPF or DKIM must match the visible From domain. A platform that passes SPF on its own bounce domain, or signs DKIM as `d=provider.com`, technically authenticates, just not as you. Microsoft counts that as a DMARC fail.
DKIM isn't enabled for the domain in Microsoft 365For domains that send through Microsoft 365 themselves: DKIM for the custom domain was never enabled in the Defender portal, so messages go out unsigned (or signed as `onmicrosoft.com`). The moment SPF breaks (a connector, a relay, forwarding), there's no aligned DKIM to fall back on.
Forwarding broke SPF and the DKIM signature didn't surviveA forwarder re-sends the message from its own IP, which fails your SPF. If the message was never DKIM-signed, or a disclaimer or subject rewrite broke the signature in transit, the forwarded copy fails DMARC at the final Microsoft hop.
The domain moved to p=reject before every sender was readyEnforcement went live while a legitimate source was still failing. This is the classic rushed-rollout bounce: the policy is doing its job, it's just aimed at your own mail.
The message really was spoofedIf you're seeing `5.7.509` for mail you never sent, DMARC is working as designed: someone tried to send as your domain and Microsoft refused it. Check your DMARC aggregate reports to see where the spoofed traffic originates.

How to fix 550 5.7.509

  1. Run the sending domain through the Microsoft compliance checker

    Use the free checker below to test the From domain of the bounced message the way Microsoft evaluates it: SPF, DKIM, DMARC, and whether the pieces align. It tells you in one pass which leg of DMARC the bounce is pointing at.

    Run the check now

    Enter the sending domain and the check runs instantly on the next page. Free, no signup.

  2. Read the Authentication-Results header in the bounce

    Microsoft includes the original message's headers in the 5.7.509 NDR. Find the Authentication-Results line and note the spf= and dkim= verdicts and the header.from domain. That's the exact evidence Exchange Online rejected on.

  3. Authenticate that sender for your From domain

    Add the service's documented include: or IPs to your SPF record, enable DKIM signing with your domain (not the provider's default), and set the custom return-path the provider offers so alignment holds. Verify with the free checkers at /tools/spf and /tools/dkim.

  4. Sending through Microsoft 365? Enable DKIM for the custom domain

    In the Defender portal, go to Email authentication settings, select the domain under DKIM, publish the two selector CNAME records it gives you, and turn signing on. This keeps DMARC passing even when SPF breaks in transit.

  5. Re-test, then re-send the bounced mail

    550 is a permanent failure, so nothing retries on its own. After DNS propagates, send a test to a Microsoft-hosted mailbox and confirm dmarc=pass in the received headers, then re-send whatever bounced.

  6. Keep DMARC reports flowing: don't retreat to p=none

    Downgrading the policy stops the bounces by reopening the domain to spoofing, and Gmail and Yahoo enforce the same records anyway. Fix alignment, stay at p=reject, and watch aggregate reports so the next unauthenticated sender surfaces as a report line instead of a bounce.

Related free tools: DMARC checker · SPF checker · DKIM checker

Authentication is the fix, not a workaround

Every path out of 550 5.7.509 runs through the same three DNS records: SPF, DKIM, and DMARC. Mailbox providers no longer treat them as best practice; they're the entry ticket, and a domain that drifts out of alignment starts bouncing again without anyone changing a thing on your side.

The durable fix is enforcement: publish correct records, watch the DMARC reports for senders you missed, and move the domain to p=reject so receivers drop spoofed mail instead of bouncing yours.

Enforce it — don't just monitor it

Palisade's AI agent takes domains all the way to enforcement: hosted SPF, DKIM, DMARC, and MTA-STS records, DMARC reports monitored continuously, and policies advanced to p=reject automatically. Your first domain is free, and the full product is open for 15 days, no card.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Why it matters for MSPs

A 550 5.7.509 ticket rarely arrives alone. A huge share of B2B mail terminates at Exchange Online, so the moment one client domain reaches p=reject with an unauthenticated line-of-business app (the ERP that emails invoices, the on-prem scanner, the marketing platform nobody told you about), everything it sends to Microsoft-hosted recipients bounces at once. Multiply that by a fleet of managed tenants and DMARC enforcement becomes the project MSPs keep stalling on. Palisade is built for exactly this: it hosts and manages the SPF, DKIM, and DMARC records for every client domain, reads the DMARC reports to catch unauthenticated senders before Microsoft bounces them, and its AI agent advances each domain to p=reject only once every legitimate source passes. Native ConnectWise, HaloPSA, and Autotask integrations put the work in your existing ticket flow, and your own MSP domain is a free NFR domain, so you can prove the rollout on yourself before touching a client.

Frequently asked questions

It's permanent. Any 550 rejection means the receiving server refused the message for good; nothing retries automatically. Fix the sending domain's SPF or DKIM alignment first, confirm a test message shows dmarc=pass, then re-send the original mail manually.

The sender's. Microsoft is enforcing the DMARC policy that the sending domain itself published in DNS. The recipient's server is behaving correctly, so there's nothing to ask Microsoft to unblock. The fix is aligned SPF or DKIM for whatever service sent the message.

Three usual reasons: Exchange Online has honored sender p=reject policies by default since mid-2023 (it previously downgraded them to quarantine), your domain recently moved its DMARC policy to reject, or a new service started sending as your domain without being authenticated. The bounce's Authentication-Results header shows which one applies.

No. That trades a visible bounce for silent spoofability, and Gmail and Yahoo demand the same authentication anyway. The bounces are telling you exactly which sender isn't aligned. Fix that sender's SPF or DKIM and keep the enforcement you already earned.

That's DMARC succeeding. Someone spoofed your domain, Microsoft checked your p=reject policy, and refused the mail; the NDR backscatter is the receipt. Check your DMARC aggregate reports to see where the spoofed traffic comes from; no action is needed on the bounce itself.

Related error codes

Email deliverability, fixed: the full guide