sfw/fix
550 5.7.515 critical

Outlook 550 5.7.515 Access Denied (Bulk Sender Requirements)

Outlook.com permanently rejects bulk mail whose From domain fails Microsoft's required SPF, DKIM, and DMARC checks.

What you see

550 5.7.515 Access denied, sending domain [yourdomain.com] does not meet the required authentication level

What’s actually happening

Mail to outlook.com, hotmail.com, live.com, and msn.com bounces hard with this NDR. It's a permanent 5xx rejection, not a temporary deferral — the message never lands, not even in Junk. This started biting senders after Microsoft began enforcing on May 5, 2025: messages that previously went to spam are now refused outright. It hits domains pushing roughly 5,000+ messages a day to Microsoft consumer mailboxes.

Common causes

  • The From domain has no DMARC record (or a malformed one) — Microsoft now requires at least p=none for high-volume senders
  • SPF fails or doesn't authorize the sending IP/service
  • DKIM is missing or the signature doesn't validate
  • Alignment failure: the visible From domain doesn't match the domains SPF and DKIM authenticate, so DMARC can't pass
  • You crossed the ~5,000/day threshold to Microsoft consumer domains without all three of SPF, DKIM, and DMARC in place

How to fix it

  1. Publish a valid DMARC recordAdd a TXT record at `_dmarc.yourdomain.com` — start with `v=DMARC1; p=none; rua=mailto:[email protected]`. p=none is enough to satisfy Microsoft's bar while you confirm everything aligns; tighten to quarantine/reject later. This is the piece most rejected senders are missing.
  2. Fix SPF so the sending IP is authorizedYour SPF TXT record must include whatever actually sends — `include:` your ESP (e.g. `include:_spf.google.com`, SendGrid, Mailgun) plus any owned IPs. Keep it to one SPF record and under 10 DNS lookups or it'll fail to evaluate.
  3. Enable DKIM and confirm it validatesTurn on DKIM signing at your sending platform and publish the selector's public key in DNS. Send a test to a Gmail account and check Show Original — DKIM must read PASS. An enabled-but-unverified DKIM is as good as none.
  4. Get From-domain alignment rightDMARC passes only when SPF or DKIM authenticates a domain that aligns with the visible From address. If you send as `[email protected]` but DKIM signs as the ESP's domain, alignment fails. Configure the ESP to sign/return-path with your own domain (custom return-path / branded sending domain).
  5. Verify, then ramp back upUse Microsoft's SNDS / JMRP and a DMARC checker to confirm all three pass and align before resending the campaign. Microsoft has signaled enforcement will tighten over time, so don't stop at p=none indefinitely.

Stop it recurring

Set up SPF, DKIM, and aligned DMARC before any domain approaches 5,000 messages/day to Microsoft consumer inboxes — the bar is now mandatory, not advisory.

Related errors

550 5.7.25 Reverse DNS / PTR Record Failure

critical

The receiving server rejects the connection because the sending IP has no PTR record or it fails forward-confirmed reverse DNS.

550 5.7.1 Message rejected by policy (DMARC/SPF/DKIM or blocklist)

high

The receiving server accepted the connection but refused the message on policy grounds — authentication failure or a bad sender reputation.

550 5.1.1 User unknown / recipient address does not exist

medium

A hard bounce: the mailbox in the RCPT TO doesn't exist on the receiving server, so delivery permanently fails.

421 4.7.0 Temporary deferral / too many connections / rate limited

medium

A soft bounce: the receiving server is throttling you for sending too fast or opening too many connections, and asks you to slow down and retry.