What does 550 5.7.1 mean in a DMARC context?
550 5.7.1 is a general policy rejection SMTP code used by many mail servers and gateways. When it appears with a DMARC-related diagnostic string, it means the message failed DMARC and the sender's domain policy instructed the receiver to reject it.
Common diagnostic strings include:
550 5.7.1 Unauthenticated email from [domain] is not accepted due to domain's DMARC policy
550 5.7.1 Email rejected per DMARC policy
550 5.7.1 Your message was rejected due to example.com's DMARC policy
This code is used by many receiving systems and mail gateways, so the specific fix depends on what actually failed.
DMARCit breaks down authentication failures by sender and by result type — so you can pinpoint whether the issue is SPF, DKIM, or alignment without parsing bounce messages manually.
Why did this happen?
550 5.7.1 with a DMARC diagnostic is always caused by one of these underlying failures:
- If Authentication-Results shows
spf=pass; dkim=pass; dmarc=fail: this is an alignment problem. Both SPF and DKIM passed, but neither aligned with your From: domain. → See DMARC alignment failure — pass, pass, fail. - If Authentication-Results shows
spf=failorspf=permerror: SPF is failing — either the sending IP isn't in your SPF record, or your SPF record is broken. If DKIM also isn't aligned, DMARC fails. → See SPF PermError — Too many DNS lookups or 550 5.7.23 — Microsoft SPF violation. - If Authentication-Results shows
dkim=fail (body hash did not verify): the message was modified after DKIM signing. → See DKIM body hash did not verify. - If Authentication-Results shows
dkim=noneordkim=fail (no key): DKIM isn't configured for this sender, or the DNS key record is missing/broken. → See What is DKIM?. - If the message was forwarded: Forwarding commonly breaks both SPF (wrong sending IP) and DKIM (if the message was modified). If both fail, DMARC fails.
How to fix 550 5.7.1
Step 1: Check Authentication-Results to identify the actual failure
This error is a container — the fix depends on the underlying cause. Get the full message headers and check Authentication-Results for SPF, DKIM, and DMARC results.
Step 2: Follow the fix for the specific failure
| What you see | Root cause | Fix guide |
|---|---|---|
spf=pass; dkim=pass; dmarc=fail | Alignment failure | DMARC alignment failure |
spf=permerror | Too many DNS lookups | SPF PermError |
spf=fail | Sending IP not authorized | 550 5.7.23 |
dkim=fail (body hash) | Message modified after signing | DKIM body hash |
dkim=none / dkim=fail (no key) | DKIM not configured | What is DKIM? |
Step 3: Confirm the fix in your DMARC reports
After making changes, verify in your next DMARC aggregate report cycle (24-48 hours) that the sender now passes DMARC with alignment.
This isn't a one-time fix
Because 550 5.7.1 can be triggered by any DMARC failure, the recurrence risk depends on the underlying cause. SPF lookup limits drift as vendors change. DKIM keys rotate and need DNS updates. Many third-party senders start misaligned by default. Forwarding breaks SPF structurally.
The most reliable way to stay ahead of these failures is continuous monitoring of your DMARC aggregate reports.
See every authentication failure in one place
DMARCit processes your DMARC aggregate reports and shows SPF, DKIM, and alignment results for every sending source — so you can diagnose issues like 550 5.7.1 from a dashboard instead of parsing bounce headers.
7-day free trial · Cancel anytime