sfw/fix
550 5.7.1 high

550 5.7.1 Message rejected by policy (DMARC/SPF/DKIM or blocklist)

The receiving server accepted the connection but refused the message on policy grounds — authentication failure or a bad sender reputation.

What you see

550 5.7.1 Message rejected due to local policy
550-5.7.1 [203.0.113.5] Our system has detected that this message
550 5.7.1 does not meet IP/domain reputation standards

What’s actually happening

The recipient's mail server takes the message, then bounces it with a 550 5.7.1. The address is valid — this isn't "no such user" (that's 5.1.1) — the server is rejecting on policy or reputation. The exact wording varies by provider (Google, Outlook, Proofpoint all phrase it differently), and the bounce text usually hints at which: DMARC, SPF, an RBL listing, or a spam-content flag.

Common causes

  • SPF, DKIM, or DMARC failed or didn't align to the From: domain, so the receiver treats the mail as spoofed
  • The sending IP or domain is on a blocklist (Spamhaus, Barracuda, SORBS) from prior spam or a compromised account
  • The message tripped a content/spam policy — link reputation, attachment type, or a spammy payload
  • You're sending from a new IP with no warmup history, so reputation is effectively zero
  • The specific recipient (or their org) has blocklisted your address or domain

How to fix it

  1. Read the enhanced status code and bounce textThe 5.7.1 plus the human-readable line tells you the lane. Mentions of DMARC/SPF mean fix authentication; an IP in brackets with "reputation" means a blocklist or warmup problem; a URL or "spam" reference means content. Don't fix all four blind.
  2. Verify SPF, DKIM, and DMARC alignmentSend a test to a Gmail address, open Show original, and confirm SPF=pass, DKIM=pass, and DMARC=pass with alignment. The return-path domain (SPF) and DKIM d= must match your visible From: domain, or DMARC fails even when SPF/DKIM individually pass.
  3. Check every blocklist for your sending IPRun the IP through MXToolbox blacklist check or Spamhaus directly. If listed, follow each list's delisting process and fix the root cause first — an open relay, a compromised wp-admin sending spam, or a hijacked SMTP credential — or you'll be relisted within hours.
  4. Warm up and authenticate properly for bulk sendingOn a new IP/domain, ramp volume gradually over days, publish SPF + DKIM + DMARC, and set up reverse DNS (PTR) matching your HELO hostname. Use a reputable relay (SES, Postmark, SendGrid) rather than sending bulk straight from a shared host IP.
  5. For a single blocking recipient, contact them directlyIf only one domain rejects you and authentication and reputation are clean, their admin has likely blocklisted you. Reach them out-of-band to get the sender allowlisted — no DNS change on your side will override a recipient's local block.

Stop it recurring

Publish aligned SPF/DKIM/DMARC, monitor your sending IP against blocklists, and send bulk mail through a reputable relay with warmed reputation.

Related errors

DMARC fail (p=reject / p=quarantine) — message rejected or sent to spam

high

Mail failed DMARC because neither SPF nor DKIM passed with alignment to the From: domain, so the receiver bounced or spam-foldered it.

550 5.1.1 User unknown / recipient address does not exist

medium

A hard bounce: the mailbox in the RCPT TO doesn't exist on the receiving server, so delivery permanently fails.

421 4.7.0 Temporary deferral / too many connections / rate limited

medium

A soft bounce: the receiving server is throttling you for sending too fast or opening too many connections, and asks you to slow down and retry.

550 5.7.1 Unable to Relay

high

The receiving server refuses to relay your message because the connection isn't authenticated or the recipient isn't a local domain.