sfw/fix
550 5.7.708 high

550 5.7.708 Access Denied, Traffic Not Accepted From This IP (Microsoft 365)

Microsoft 365 blocked your outbound mail because the sending IP has low reputation, common on new or trial tenants.

What you see

550 5.7.708 Service unavailable. Access denied, traffic not accepted from this IP. For more information please go to https://go.microsoft.com/fwlink/?LinkID=526655 AS(7171)

What’s actually happening

Outbound mail from an Exchange Online or Microsoft 365 tenant bounces back with 550 5.7.708 and an AS() code. It usually hits brand-new tenants, trial subscriptions, or any account whose outbound IP Microsoft has flagged. Every external recipient is affected, since the block is on your sending IP rather than any one mailbox. Internal mail between users in the same tenant keeps flowing.

Common causes

  • A new or trial M365 tenant has no established sending reputation, so Microsoft throttles or blocks its outbound IP by default.
  • A compromised mailbox or a misconfigured app sent spam, which dropped the tenant's outbound IP reputation.
  • You share an outbound IP pool with other tenants and a neighbor's bad behavior dragged the shared reputation down.
  • A sudden spike in send volume (a new campaign, a runaway loop, a forwarding rule) tripped Microsoft's abuse heuristics.
  • Mail is relayed through the tenant from an on-prem device or app with no SPF/DKIM, so it looks unauthenticated and risky.

How to fix it

  1. Check the Restricted entities portal firstIn the Microsoft Defender portal go to Email & collaboration > Review > Restricted entities. If a specific user is listed as blocked for sending, the real problem is a compromised account — reset its password, revoke sessions, and unblock it there. Delisting the IP will not help if the underlying account is still locked.
  2. Submit the IP to the Office 365 delist portalGo to https://sender.office.com/ (the Office 365 anti-spam IP delist portal), enter the exact IPv4 address from the NDR, and your email address. You receive a confirmation mail and a delisting decision. The portal only accepts IPv4, so pull the v4 address from your sending host even if you also send over IPv6.
  3. Email [email protected] if the portal refusesIf the self-service portal will not process the address, send the full NDR including the AS() code to [email protected] from an admin address on the tenant. Include the sending IP, the tenant domain, and a short note that you have fixed any abuse.
  4. Fix the root cause before retryingConfirm SPF (include:spf.protection.outlook.com), DKIM, and DMARC are published for your domain. Audit transport rules and connectors for loops or open relay. Ramp volume gradually on a fresh tenant rather than blasting thousands of messages on day one — delisting without a fix gets you relisted.

Stop it recurring

On a new tenant, publish SPF/DKIM/DMARC and warm up send volume slowly so Microsoft can build positive reputation for your outbound IP before you push real campaigns.

Related errors

554 5.7.1 Client Host Blocked Using Spamhaus

critical

The receiving server refused your connection because your sending IP is listed on a Spamhaus DNSBL.

550-5.7.26 Unauthenticated Email Not Accepted (Gmail)

high

Gmail rejected your mail because it passed neither aligned SPF nor DKIM, violating Google's bulk-sender authentication rules.

550 5.4.1 Recipient Address Rejected: Access Denied (Exchange Online)

medium

Exchange Online rejected the mail because the recipient address has no matching object in the tenant, or a policy blocked the sender.

550 5.7.1 Message rejected by policy (DMARC/SPF/DKIM or blocklist)

high

The receiving server accepted the connection but refused the message on policy grounds — authentication failure or a bad sender reputation.