SMTP error code · permanent failure (5xx)

SMTP error 553 5.7.1: sender address rejected, not owned by user

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 17, 2026

553 5.7.1 means the mail server refused your From address: you authenticated as one account but set a sender address that account doesn't own, or you tried to relay without logging in at all. It's a permanent, sender-side rejection: make your SMTP login match your sender address and the mail goes through.

553 5.7.1 at a glance
Code553 5.7.1
ClassPermanent (5xx): the message was refused and will not retry
CategoryPolicy
Side at faultSender
Auth-relatedYes (SPF/DKIM/DMARC)

What the bounce actually says

The exact wording varies by provider. These are the documented strings, verbatim. Match yours to pin down which variant you hit.

Hosting.XYZ and other Postfix-based mail hosts

553 5.7.1 5.7.1 <admin@example.com>: Sender address rejected: not owned by user mail@example.com

Source: hosting.xyz

Namecheap Private Email (anti-spoofing filter)

553 5.7.1 host mx1.privateemail.com [198.187.29.233]: 553 5.7.1 <user@domain.com>: Sender address rejected: not logged in

Source: www.namecheap.com

Standard meaning of the 5.7.1 status code (no vendor wording)

553 5.7.1 Delivery not authorized, message refused

Source: datatracker.ietf.org

Why you're seeing 553 5.7.1

Unlike most bounce codes, 553 5.7.1 usually comes from the server you send through, not the one you send to. Submission servers enforce a simple ownership rule: the account you authenticate with must own the address you put in MAIL FROM. In Postfix this is reject_sender_login_mismatch backed by smtpd_sender_login_maps; hosting providers ship the same idea as an anti-spoofing filter, and some, like Namecheap Private Email, also enforce it at the receiving MX for domains they host, which is where the not logged in variant above comes from. It exists for a good reason: without it, any authenticated mailbox could impersonate any other user, and an unauthenticated connection could use the server as an open relay. RFC 3463 defines the 5.7.1 status as "delivery not authorized, message refused": the server understood you fine, it just refuses to send as an identity you haven't proven you own.

Likely causes, ranked

Likely causeWhat's happening
Your From address doesn't match your SMTP loginThe most common trigger. A mail client, script, or app authenticates as one mailbox but sets MAIL FROM to a different address: a colleague's mailbox, an alias, or another domain entirely. The bounce text names both: the rejected sender in angle brackets and the account you actually logged in as.
SMTP authentication is off, so the server sees a relay attemptOne source of the `not logged in` wording (the other is the anti-spoof filter below). The client connects without authenticating, often on port 25 with SMTP AUTH disabled, or with credentials that silently stopped working after a password change. Accepting that mail would make the server an open relay, so it refuses.
Your domain's own mail host rejects outside mail claiming to come from it (anti-spoof filter)Some providers run the ownership check on the receiving side too. Namecheap Private Email's Anti-Spoof Filter, for example, rejects any message arriving at its MX (`mx1.privateemail.com`) that claims to be from a domain it hosts but didn't come through its own servers. That's the `not logged in` bounce quoted above. It fires even on legitimate mail: a newsletter ESP, a CRM, or another provider sending as your domain to a recipient on the same host.
You're sending as an alias the server hasn't mapped to your accountYou legitimately send as sales@ or a shared mailbox, but the server's sender-ownership map (`smtpd_sender_login_maps` in Postfix, "send as" settings in hosting panels) only lists your primary address. The server can't tell an unauthorized colleague from an unlisted alias.
A third-party app injects mail through your host with your addressA CRM, invoicing tool, printer, or scan-to-email device is pointed at your provider's SMTP server with stale or borrowed credentials, then sends as an address those credentials don't own. Devices configured years ago are the usual suspects.
Someone else is spoofing your addressIf the bounce is for a message you never sent, a spammer used your address in MAIL FROM somewhere else and a rejection notice found its way back to you. The server that returned `553 5.7.1` did its job. Your job is making sure every receiver can reject those forgeries too, which is what SPF and DMARC are for.

How to fix 553 5.7.1

  1. Check who's authorized to send as your domain

    Run your domain through the free SPF checker below. This bounce is an ownership check at your submission server; SPF is the same check run by every receiving server on the internet. If the server you're sending through isn't in your SPF record, fixing the login mismatch can just move the problem one hop downstream: receivers that check SPF and enforce DMARC may reject or junk the same mail.

    Run the check now

    Enter the sending domain and the check runs instantly on the next page. Free, no signup.

  2. Make your From address match your SMTP username

    In the failing client, script, or device, set both the visible From and the envelope sender to the mailbox you authenticate as. In PHPMailer and similar libraries that means From and Sender equal to the SMTP username, not a display alias.

  3. Turn SMTP authentication on and use port 587

    If your variant says not logged in, enable SMTP AUTH with the full mailbox address as the username, on submission port 587 (or 465 with TLS). Unauthenticated relay on port 25 is exactly what this rejection is built to stop, so no client tweak talks the server out of it. One exception: if the bounce names the recipient domain's own mail host (like mx1.privateemail.com) and you sent through a different service on purpose, it's an anti-spoof filter, not an authentication problem; see the anti-spoof step below.

  4. Authorize aliases and shared senders on the server side

    If you genuinely send as another address, grant it properly: add the alias to your account's allowed senders in the hosting panel, or map it to your login in smtpd_sender_login_maps on a self-hosted Postfix. For an alias or shared mailbox on the provider's own servers, don't disable the anti-spoofing filter to make it work; that reopens impersonation for every mailbox on the server.

  5. Sending through an external service? Adjust the provider's anti-spoof filter

    If your domain's mailboxes live at a provider like Namecheap Private Email but the failing mail goes out through an ESP, a CRM, or another host, the provider's anti-spoof filter will bounce it at the provider's own MX. Two clean fixes: route that mail through the provider's authenticated SMTP instead, or, if sending via the external service is deliberate, disable the provider's anti-spoof filter for the domain per its documentation (Namecheap: uncheck the Anti-Spoof Filter box for the domain) and let a correct SPF, DKIM, and DMARC setup do the anti-spoofing job for every receiver, not just this one.

  6. Give third-party apps their own authenticated identity

    Point each CRM, billing tool, and scan-to-email device at credentials that own the address it sends as, or let the service send from its own infrastructure and add it to your SPF record with your domain as the aligned sender. Verify the result at /tools/spf and /tools/dkim after every change.

  7. If you never sent the bounced mail, check your DMARC policy

    Bounces for mail you didn't send mean your address is being forged elsewhere. Run your domain through the DMARC checker at /tools/dmarc: aggregate reports will show every source using your domain, and a policy of p=reject tells every receiver to refuse the forgeries the way this server just did.

Related free tools: DMARC checker · DKIM checker · Email security score

Authentication is the fix, not a workaround

Every path out of 553 5.7.1 runs through the same three DNS records: SPF, DKIM, and DMARC. Mailbox providers no longer treat them as best practice; they're the entry ticket, and a domain that drifts out of alignment starts bouncing again without anyone changing a thing on your side.

The durable fix is enforcement: publish correct records, watch the DMARC reports for senders you missed, and move the domain to p=reject so receivers drop spoofed mail instead of bouncing yours.

Enforce it — don't just monitor it

Palisade's AI agent takes domains all the way to enforcement: hosted SPF, DKIM, DMARC, and MTA-STS records, DMARC reports monitored continuously, and policies advanced to p=reject automatically. Your first domain is free, and the full product is open for 15 days, no card.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Why it matters for MSPs

Every MSP fleet is full of devices and line-of-business apps that authenticate as one mailbox and send as another: the scan-to-email copier sending as office@, the ticketing system sending as support@, the invoicing tool a client set up in 2019. Each one is a 553 5.7.1 ticket waiting for a password change or a host migration, and the same unanswered question (who may send as this domain?) is what keeps client domains spoofable on the open internet. Palisade answers it once per domain: it hosts and manages the SPF, DKIM, and DMARC records, surfaces every sending source in the DMARC reports so unauthorized senders show up before they bounce, and executes enforcement to p=reject automatically. Native ConnectWise, HaloPSA, and Autotask integrations put the findings in your existing workflow, and your own MSP domain is a free NFR domain: prove it on yourself before rolling it out to clients.

Frequently asked questions

It's permanent. Any 5xx code tells the sending system not to retry, so the message is gone until you fix the mismatch and send it again. If you're seeing repeated bounces, that's the client or app attempting fresh sends, not the server retrying the old one.

Yours, and in most cases the server rejecting you is your own (or your provider's) submission server, not the recipient's. It refused to accept the message for delivery because your login doesn't own the sender address. The recipient never saw the message at all.

Because the ownership check runs per connection. Your mail client authenticates as the mailbox it sends from, so it passes; the printer, script, or CRM that fails is using credentials that don't match its configured From address, usually settings that predate a password change, a mailbox migration, or a provider's anti-spoofing rollout.

Someone forged your address in the envelope of spam sent elsewhere, and a rejection notice came back to you. The rejecting server worked correctly. Check your domain's DMARC reports to see who is sending as you, and move your policy to p=reject so receivers everywhere refuse the forgeries.

Same principle, different checkpoint. This code is your submission server verifying address ownership before the mail leaves; SPF, DKIM, and DMARC are how every receiving server runs that verification after it leaves. A domain that only relies on the submission-side check is still trivially spoofable from anywhere else. You need both.

Related error codes

Email deliverability, fixed: the full guide