sfw/fix
550 5.7.26 high

550-5.7.26 Unauthenticated Email Not Accepted (Gmail)

Gmail rejected your mail because it passed neither aligned SPF nor DKIM, violating Google's bulk-sender authentication rules.

What you see

550-5.7.26 Unauthenticated email is not accepted from this domain. This message does not pass authentication checks (SPF and DKIM both do not pass). To best protect our users from spam, the message has been blocked. See https://support.google.com/mail/?p=UnauthenticatedEmail

What’s actually happening

Mail to @gmail.com and Google Workspace recipients bounces immediately with a 550-5.7.26 NDR. Other providers like Outlook or Yahoo may still accept the same message, which makes it look intermittent. The bounce names both SPF and DKIM as failing, not one or the other. High-volume senders see it hit a large slice of their list at once after a previously clean reputation.

Common causes

  • Neither SPF nor DKIM produces a result that aligns with the From: header domain — both must fail for this exact code to fire.
  • SPF passes on the Return-Path (envelope sender) but that domain differs from the visible From: domain, so it is unaligned and does not count.
  • DKIM is not configured at all, or the signing d= domain does not match the From: domain.
  • You send 5,000+ messages a day to Google and lack the full SPF + DKIM + DMARC stack that Google has enforced since February 2024.
  • Mail leaves a relay (ESP, application server, marketing platform) whose IP is outside your SPF record and which does not DKIM-sign on your behalf.

How to fix it

  1. Confirm which check actually failedSend a test to a Gmail account you control, open the message, and use Show original. Read the SPF, DKIM, and DMARC lines. You need at least one of SPF or DKIM to show PASS *and* to be aligned with the From: domain. Aligned means the SPF domain (or DKIM d=) matches the domain after the @ in From:.
  2. Fix or add the SPF recordPublish one TXT record at the root of your sending domain: v=spf1 include:_spf.google.com ~all (swap in your ESP's include, e.g. include:sendgrid.net or include:spf.protection.outlook.com). Keep it to a single SPF record and under 10 DNS lookups, or it returns permerror and stops aligning.
  3. Turn on DKIM signing for the From: domainGenerate a key in your mail platform, publish the public key as a TXT record at selector._domainkey.yourdomain, and enable signing. Verify the d= in outbound signatures equals your From: domain. DKIM survives forwarding, so it is the more durable of the two.
  4. Publish DMARC and align From:Add a TXT record at _dmarc.yourdomain starting with v=DMARC1; p=none; rua=mailto:dmarc@yourdomain. Google requires a DMARC record for bulk senders even at p=none. Make sure your application sends from your own domain, not a generic from-address on the relay's domain.
  5. Re-test and wait for DNSDNS TTL means changes can take up to a few hours. After propagation, send another Gmail test and confirm Show original reports dkim=pass and dmarc=pass before resuming bulk sends.

Stop it recurring

Run a weekly check that SPF resolves under 10 lookups and DKIM signs every outbound stream, and keep DMARC published so any new relay that breaks alignment shows up in aggregate reports.

Related errors

DKIM Fail: Body Hash Did Not Verify (bh= Mismatch)

high

DKIM failed because the receiver's recomputed body hash does not match the signed bh= tag — the body changed after signing.

554 5.7.1 Client Host Blocked Using Spamhaus

critical

The receiving server refused your connection because your sending IP is listed on a Spamhaus DNSBL.

550 5.7.1 Message rejected by policy (DMARC/SPF/DKIM or blocklist)

high

The receiving server accepted the connection but refused the message on policy grounds — authentication failure or a bad sender reputation.

550 5.1.1 User unknown / recipient address does not exist

medium

A hard bounce: the mailbox in the RCPT TO doesn't exist on the receiving server, so delivery permanently fails.