---
title: "Recipient Address Rejected: Access Denied, Fix SMTP 550 5.7.1 Errors | DMARC Report"
description: "When you get a 550 5.7.1 non-delivery report, the mail system is saying “recipient address rejected” or “access denied” because the receiving server enforc"
image: "https://dmarcreport.com/og/blog/recipient-address-rejected-access-denied-fix-smtp-550-5-7-1-errors.png"
canonical: "https://dmarcreport.com/blog/recipient-address-rejected-access-denied-fix-smtp-550-5-7-1-errors/"
---


![recipient address rejected: access denied](https://media.mailhop.org/dmarcreport/images/2026/04/what-is-dmarc-8367.jpg) 

When you get a 550 5.7.1 non-delivery report, the mail system is saying “recipient address rejected” or “access denied” because the receiving server enforced a policy. The NDR error code in the bounce explains which policy blocked you. In Microsoft Exchange Online and other cloud gateways, 550 5.7.1 typically indicates sender [authentication failures](https://www.networkworld.com/article/4037965/ibm-cloud-hit-by-fourth-major-outage-since-may-as-authentication-failures-expose-systemic-issues.html), poor reputation, missing encryption, or that the recipient’s domain refuses your message due to security restrictions.

In Microsoft Exchange Online, **directory-based edge blocking (DBEB)** is a common cause of a “recipient address rejected” response. DBEB validates the recipient’s email address against the tenant directory; if the address is invalid or doesn’t exist, the NDR error code will show 550 5.7.1, and the message is blocked before it reaches the mailbox. _This protects mail flow but can confuse senders who mistype the recipient’s SMTP address_.

Be aware that 550 5.4.1 is a different NDR error code that points to routing or addressing problems (for example, target domain not accepting mail, or looping). You might see both 550 5.7.1 and 550 5.4.1 in related email delivery issues: 5.7.1 for “access denied” policy rejections, and 5.4.1 for “addressing or routing” failures. The non-delivery report details which system refused the message, why it was refused, and how to fix it.

### Common policy triggers behind 550 5.7.1

- Sender authentication not aligned (SPF/DKIM/DMARC)
- TLS or port misuse; **unauthenticated SMTP clients**
- Blocklisted IPs or domains; poor reputation
- Recipient verification failures via directory-based edge blocking
- Group or domain restrictions in [Exchange Online](https://spin.ai/blog/what-is-exchange-online-everything-you-need-to-know-about-microsoft-product/) or Google Workspace

![Email Error 550 Troubleshooting Infographic](https://media.mailhop.org/dmarcreport/images/2026/04/dmarc-record-generator-5086.jpg)

#### Policy-based rejections (access denied)

550 5.7.1 “access denied” often results from [DMARC alignment](/blog/what-is-dmarc-alignment-and-how-does-it-work/) failures, forwarding without SRS, or senders connecting on port 25 from residential IPs. If your NDR message references reputation or authentication, fix sender identity first.

#### Recipient verification failures (recipient address rejected)

If DBEB returns “**recipient address rejected**,” the recipient’s email address is likely invalid, disabled, or not synced yet. This also shows up when the recipient domain uses strict mail recipient verification.

#### Routing and addressing (550 5.4.1)

A 550 5.4.1 NDR error code highlights domain type or routing issues like misconfigured accepted domains (authoritative vs internal relay), MX changes without domain replication, or hybrid environment connectors misrouting messages.

## Fast Triage Checklist: Read the Bounce, Scope the Issue, Confirm Who Is Rejecting and Why

### 1) Read the non-delivery report carefully

- _Capture the exact NDR error code (550 5.7.1 vs 550 5.4.1) and the rejecting host_.
- Note whether the message was blocked by the recipient domain, your outbound relay, or an **intermediate gateway**.
- Look for hints like “directory-based edge blocking,” “policy,” “TLS required,” or “spam/virus.”

### 2) Scope the issue

- One recipient’s email address or many? If only one, check for an invalid address or spelling errors.
- One recipient domain or all? If one domain, focus on that recipient domain’s policies.
- One sender or all users? If all, suspect DNS, SPF/DKIM/DMARC, or IP reputation.

### 3) Confirm the rejecting system and rationale

- If the bounce cites **Microsoft Exchange Online**, check the tenant’s Exchange admin center and message trace.
- For on-premises or hybrid environment, inspect connectors, accepted domains, and directory sync status.
- If a third-party filter is listed, run their reputation and blocklist checks.
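
The three triage steps above can be run mechanically against the machine-readable part of a bounce. The following is an added example, not code from the original article: it parses a constructed `multipart/report` NDR with Python's standard `email` module, extracts the status code and rejecting host for each recipient, and tags the phrases the checklist says to look for. It generalizes the 5.7.1 vs 5.4.1 split to the subject digit of any enhanced status code (RFC 3463); the sample message, hosts, and hint labels are assumptions.

```python
import email
import re

# Constructed sample bounce (multipart/report); every host and address is made up.
SAMPLE_NDR = """\
From: postmaster@outbound.sender.example
Content-Type: multipart/report; report-type=delivery-status; boundary="ndr"

--ndr
Content-Type: text/plain

Delivery has failed to these recipients.

--ndr
Content-Type: message/delivery-status

Reporting-MTA: dns; outbound.sender.example

Final-Recipient: rfc822; alice@recipient.example
Action: failed
Status: 5.7.1
Remote-MTA: dns; mx1.recipient.example
Diagnostic-Code: smtp; 550 5.7.1 Access denied: rejected by DMARC policy

Final-Recipient: rfc822; bob@partner.example
Action: failed
Status: 5.4.1
Diagnostic-Code: smtp; 550 5.4.1 Unable to route: domain not accepted

--ndr--
"""

# Subject digit of the enhanced status code (RFC 3463): x.1 addressing, x.4 routing, x.7 policy.
SUBJECTS = {"1": "addressing", "4": "routing", "7": "policy"}

# Phrases the checklist says to look for, mapped to the fix area they point at (labels are ours).
HINTS = [
    ("recipient-verification", r"recipient address rejected|directory-based edge blocking"),
    ("sender-authentication", r"\b(?:dmarc|spf|dkim)\b|authenticat"),
    ("encryption", r"\btls\b|encrypt"),
    ("reputation-or-content", r"spam|virus|blocklist|reputation"),
]

def _value(field):
    # DSN fields carry a type prefix ("dns; host", "rfc822; addr", "smtp; text"); drop it.
    return (field or "").split(";", 1)[-1].strip()

def parse_ndr(raw):
    # Returns one dict per failed recipient in the message/delivery-status part.
    results = []
    for part in email.message_from_string(raw).walk():
        blocks = part.get_payload()
        if part.get_content_type() != "message/delivery-status" or not isinstance(blocks, list):
            continue
        reporting_mta = _value(blocks[0].get("Reporting-MTA")) if blocks else ""
        for rcpt in blocks[1:]:
            if not rcpt.get("Final-Recipient"):
                continue  # skip empty trailing blocks
            status = (rcpt.get("Status") or "").strip()
            diag = _value(rcpt.get("Diagnostic-Code"))
            m = re.fullmatch(r"[245]\.(\d{1,3})\.\d{1,3}", status)
            results.append({
                "recipient": _value(rcpt.get("Final-Recipient")),
                "status": status,
                "category": SUBJECTS.get(m.group(1), "other") if m else "unparsed",
                # No Remote-MTA: the reporting MTA itself refused the message.
                "rejected_by": _value(rcpt.get("Remote-MTA")) or reporting_mta,
                "hints": [name for name, rx in HINTS if re.search(rx, diag, re.I)],
            })
    return results

if __name__ == "__main__":
    for row in parse_ndr(SAMPLE_NDR):
        print(row)
```

In the sample, the first recipient was refused by the recipient domain's MX, while the second has no `Remote-MTA`, which points at the sender's own outbound relay as the rejecting system.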

## Fixes for Users and SMTP Clients: Auth, Ports/TLS, Sending Server, Message Hygiene

![SMTP Port Comparison Infographic](https://media.mailhop.org/dmarcreport/images/2026/04/dmarc-generator-3785.jpg) 

### Authenticate and use the right submission path

- Use authenticated SMTP submission on port 587 with STARTTLS. Port 25 is often restricted and can trigger “access denied.”
- For Microsoft 365, modern clients like Outlook or apps using authenticated SMTP should sign in with Microsoft [Entra ID](https://www.eginnovations.com/blog/what-is-entra-id-and-how-entra-id-has-evolved-since-the-azure-ad-rebranding/) credentials.
- If you see 550 5.7.1 due to authentication, switch to the provider’s recommended SMTP relay or use Exchange Online’s authenticated submission.

#### Practical checks

- **Confirm username/password** and that SMTP AUTH is allowed for the mailbox.
- Ensure the client supports TLS 1.2+ and presents a proper EHLO/HELO.

### Validate the recipient’s email address and spelling

- Re-enter the recipient SMTP address carefully; autocorrected or cached entries often produce an invalid address that triggers “recipient address rejected.”
- _If you still get a non-delivery report, ask the email administrator on the recipient side to verify the mailbox exists_.

### Choose the correct sending server

- If you’re sending from a web app, use the provider’s recommended **relay with proper SPF**.
- Avoid residential IPs; use reputable cloud relays (Exchange Online, [Azure-hosted IPs](https://community.spiceworks.com/t/azure-public-ips/966083), or vetted ESPs).

### Message hygiene to avoid “message blocked”

- Scan for [malware](https://www.securityweek.com/new-wiper-malware-targeted-venezuelan-energy-sector-prior-to-us-intervention/), remove suspicious links, and avoid URL shorteners.
- Keep From/Reply-To consistent; don’t spoof the domain without DKIM/DMARC.
- If forwarding, preserve alignment or use SRS to prevent 550 5.7.1 access denied rejections.

## Admin Remediation: SPF/DKIM/DMARC, Reverse DNS/EHLO, Blocklists, Alignment/SRS

### Authenticate the sender domain

- Publish SPF that includes your [outbound IPs](https://pressable.com/knowledgebase/understanding-outbound-ip-addresses-on-pressable/) or Exchange Online include. Add [DKIM keys](/blog/setting-dkim-keys-for-salesforce/) and enforce [DMARC](/) with a monitored rua/ruf.
- Align visible From with the domain signing DKIM to **prevent policy-based 550 5.7.1**.

![Email Connection Security Pillars](https://media.mailhop.org/dmarcreport/images/2026/04/create-dmarc-record-3567.jpg) 
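
Alignment is a separate test from authentication: a message can pass SPF and DKIM and still fail DMARC if neither authenticated domain matches the visible From domain. The following added example (not code from the original article) evaluates that rule for four constructed cases. All domains are placeholders, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators use the
    # Public Suffix List; this stand-in is wrong for suffixes such as "co.uk".
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    # mode "s" (strict): exact match; mode "r" (relaxed): same organizational domain.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain, spf, dkim, aspf="r", adkim="r"):
    # spf: (result, envelope-from domain); dkim: list of (result, d= domain).
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in dkim)
    notes = []
    if spf[0] == "pass" and not spf_ok:
        notes.append(f"SPF passed for {spf[1]} but is not aligned with From {from_domain}")
    for r, d in dkim:
        if r == "pass" and not aligned(d, from_domain, adkim):
            notes.append(f"DKIM d={d} verified but is not aligned with From {from_domain}")
    # DMARC passes when at least one mechanism both passes and is aligned.
    return {"dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "notes": notes}


# Constructed cases; the visible From domain is sender.example in all of them.
CASES = {
    # Own relay: bounce subdomain for SPF, DKIM signed with the From domain.
    "direct": dmarc_evaluate(
        "sender.example", ("pass", "bounce.sender.example"), [("pass", "sender.example")]),
    # Third-party relay authenticating only as itself: both checks pass, neither aligns.
    "relay_own_identity": dmarc_evaluate(
        "sender.example", ("pass", "relay.example"), [("pass", "relay.example")]),
    # Forwarded copy: SPF fails at the new hop, the original DKIM signature still verifies.
    "forwarded": dmarc_evaluate(
        "sender.example", ("fail", "sender.example"), [("pass", "sender.example")]),
    # adkim=s: a subdomain signature no longer counts as aligned.
    "strict_dkim": dmarc_evaluate(
        "sender.example", ("fail", "sender.example"), [("pass", "mail.sender.example")],
        adkim="s"),
}

if __name__ == "__main__":
    for name, result in CASES.items():
        print(name, result["dmarc"], result["notes"])
```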

### Reverse DNS, EHLO, and TLS

- Ensure PTR maps to a meaningful hostname, EHLO matches, and TLS is current. Mismatches can yield “access denied.”
- Verify [cipher suites](https://www.networksolutions.com/blog/what-is-cipher-suite/) and MTA-STS/TLS-RPT if the recipient domain requires encryption.

### Reputation and blocklists

- Check RBLs for your IP/domain; delist if needed. Improve sending behavior to restore trust.
- Throttle bulk sends and **maintain list hygiene** to reduce complaint rates and NDR messages.

### Forwarding and SRS alignment

- When forwarding across tenants or from an on-premises mailbox, enable SRS on relays so DMARC doesn’t break and trigger 550 5.7.1.
- For apps in Dynamics 365, Power Platform, Windows 365, or external [SaaS](https://www.ibm.com/think/topics/saas#:~:text=Software%20as%20a%20service%20%28SaaS%29%20is%20a%20cloud%2Dbased,a%20web%20browser%20or%20app.), send through approved relays aligned with SPF/DKIM.

#### Exchange Online and hybrid considerations

- In the Exchange admin center, manage accepted domains and confirm domain type: authoritative for hosted mailboxes; internal relay if you share routing with on-prem.
- If a recipient address is rejected due to DBEB, confirm the mail recipient exists, has the correct SMTP proxy address, and that **directory sync has completed**. Use a PowerShell script to compare Azure objects with on-prem AD and validate mailbox synchronization.
- If you made mailbox changes (new aliases, external email address on a mail contact, or a dynamic distribution group), allow time for domain replication. If needed, resync the domain or force directory sync.
- **Special objects**: ensure mail-enabled public folder addresses exist during or after public folders migration. _Tools like Sync-ModernMailPublicFolder can help align modern public folders with Exchange Online_.
- For hybrid environment connectors, verify send/receive connector scoping, certificate selection, and that accepted domains are not misclassified (avoiding 550 5.4.1 loops).

## Special Cases and Prevention: Microsoft 365/Google Policies, Groups, TLS, Long-Term Health

### Microsoft 365 specifics

- [Microsoft Exchange Online](https://en.wikipedia.org/wiki/Microsoft%5FExchange%5FServer) uses directory-based edge blocking to stop mail to invalid addresses; if a non-delivery report shows 550 5.7.1, confirm the recipient’s email address exists in Microsoft 365.
- **Group restrictions can reject external senders**: check whether a Microsoft 365 Group, dynamic distribution group, or mail-enabled public folder allows messages from outside.
- For cross-product notifications (Outlook, Microsoft Teams, OneDrive, OneNote, Copilot, Dynamics 365), ensure service domains are authenticated so notifications aren’t “message blocked.”

### Google Workspace and other providers

- Google enforces **DMARC, SPF, and DKIM** at scale; forwarding without SRS or poor reputation leads to “access denied” or “recipient address rejected” responses similar to 550 5.7.1.
- Enforce TLS when recipients require it; some orgs mandate TLS or [MTA-STS](https://globalcyberalliance.org/work/mta-sts/), and without it you’ll get an NDR error code with policy text.

### Groups, allow lists, and recipient verification

- If an NDR message cites permission, have the recipient’s email administrator add your sender to an allow list or relax settings for that mail recipient.
- Some orgs use strict mail recipient verification. Work with the email administrator to confirm the recipient SMTP address is present and active.

![Deliverability Best Practices Infographic](https://media.mailhop.org/dmarcreport/images/2026/04/dmarc-report-5833.jpg) 

### Long-term deliverability practices

- Maintain consistent branding and alignment across Exchange Online and other relays; monitor DMARC reports and adjust.
- **Keep lists clean**, respect bounces, and fix typos to avoid repeated “recipient address rejected” events.
- Monitor Microsoft 365 message trace and the Tech Community for guidance. Automate checks with a PowerShell script for accepted domains, connector health, and DBEB catches.

## Related NDR Codes: 550 5.7.1 vs 550 5.4.1

### How to distinguish symptoms

- **550 5.7.1**: policy “access denied,” authentication, encryption, reputation, or directory-based edge blocking. _Often references spam, DMARC, or invalid email address in the non-delivery report_.
- **550 5.4.1**: addressing/routing, wrong accepted domains configuration, domain not found, or hybrid connector misroutes.

### Fix patterns by code

- For 550 5.7.1, validate SPF/DKIM/DMARC, TLS, blocklists, and recipient existence. Coordinate with the **recipient’s email administrator** when necessary.
- For 550 5.4.1, review accepted domains in the Exchange admin center, correct the domain type (authoritative vs internal relay), verify MX and connector routes, and ensure domain replication has completed.

**Note**: Although this guidance centers on Microsoft and Exchange Online, the principles apply broadly. Whether you’re sending from **Azure-hosted services**, Windows or Surface devices, HoloLens or Surface Hub collaboration rooms, or even transaction emails from the Microsoft Store or Small Business Portal, the same fundamentals keep mail flowing and prevent “recipient address rejected” and “access denied” bounces. These practices protect your brand across Office, Xbox accounts, PC Accessories registrations, and enterprise workflows alike.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

