550 5.7.1 Unable to Relay

What’s actually happening

Mail to an external recipient bounces immediately with a 550 5.7.1 NDR. The server you connected to is saying "I will accept mail for my own domains, but I won't forward this one for you." It usually hits a specific path — an app, a copier/scanner, or a script sending through an Exchange or SMTP relay — while normal Outlook mail flows fine. The 550 means a hard, permanent refusal, so it won't retry itself.

Common causes

• The SMTP session isn't authenticated. The server only relays to outside domains for authenticated senders, and the client is connecting anonymously.
• The recipient domain isn't an accepted/internal domain on the server, so to the server this is an open-relay request it's correctly refusing.
• An Exchange receive connector (or the relay connector) isn't configured to allow that client IP to relay — the IP isn't in the remote IP allow list.
• An app or device is pointed at the wrong port or isn't using SMTP AUTH (e.g. sending on 25 anonymously instead of 587 with credentials).
• On Exchange Online, the connector or authentication submission settings for the sending app aren't set up, so M365 rejects the relay.

How to fix it

1. Authenticate the sessionPoint the client at the submission port 587 and turn on SMTP AUTH with a valid mailbox username and password. Most 550 5.7.1 bounces from apps and devices are simply an unauthenticated connection on port 25 — switching to authenticated submission fixes it outright.
2. Confirm the recipient domain handlingIf you only ever send to internal addresses and external ones bounce, the server has no relay path out. Either authenticate (step 1) or route outbound mail through a smart host / send connector that's allowed to deliver externally.
3. Allow the client IP on the Exchange connectorOn-prem Exchange: create or edit a dedicated relay receive connector, add the device/app IP to the remote IP allow list, and set the appropriate authentication and permission groups (Anonymous + ms-Exch-SMTP-Accept-Any-Recipient for a locked-down internal relay only).
4. Set up the connector in Exchange OnlineFor M365, configure an inbound connector for your app's static IP, or use authenticated client SMTP submission (smtp.office365.com:587 with a licensed mailbox). Don't add a public connector that turns you into an open relay.
5. Verify against the live SMTP conversationTelnet or openssl s_client to the server on the submission port and step through EHLO / AUTH / MAIL FROM / RCPT TO. The exact command that returns 550 5.7.1 tells you whether it's the AUTH step or the RCPT TO recipient that's being refused.