Outlook 550 5.7.515 and friends
Microsoft's 550 5.7.515 means the sending domain did not meet Outlook's authentication requirements — it is Microsoft's analogue of Gmail's 550 5.7.26. The domain must pass SPF or DKIM and, for bulk mail, have DMARC with an authenticated identifier that aligns with the visible From:. Related codes in the 5.7.5xx family point at reputation and policy rather than DNS.
What Microsoft is telling you
The 5.7.5xx family is Microsoft's authentication-and-policy bucket. The specific
code narrows it, but the shape of the fix is nearly always the same, and it is the same fix as for
Gmail's 550 5.7.26: produce an authenticated identifier that aligns
with the domain in your visible From: header.
Work it in this order
- Read the bounce. Get the SPF result, the DKIM signing domain, and the
From:domain. Three facts. Do not skip this to go edit DNS. - One SPF record, inside 10 lookups. Two records or a PermError and SPF contributes nothing.
- DKIM signing on your domain. If Microsoft 365 is your sender,
that means enabling DKIM for the custom domain — the default is signing with
onmicrosoft.com, which authenticates fine and aligns with nothing. This single default is behind a large share of these rejections. - DMARC published at
_dmarc.<domain>. - Retest with a new message.
<tenant>.onmicrosoft.com. DKIM passes. DMARC still fails, because the
signing domain is not your domain and therefore does not align with your From:. You
must explicitly enable DKIM for your custom domain and publish the two CNAMEs
(selector1 and selector2). Everything "looks configured" until you check
alignment.
Check what you publish
We probe selector1/selector2 among others — see the DKIM notes if nothing is found.
Frequently asked
What does 550 5.7.515 mean?
Outlook/Microsoft refused the message because the sending domain did not satisfy its authentication requirements. It is a permanent rejection. In practice it means SPF and DKIM both failed to produce an authenticated identifier that aligns with your From domain.
How do I fix Outlook rejecting my email for authentication?
Confirm a single valid SPF record inside the 10-lookup limit; confirm DKIM is actually signing outbound mail with your domain as the signing domain, not your ESP's; confirm a DMARC record exists; and confirm alignment. Alignment is the usual culprit — three valid records with none of them aligned to your From domain still fails.
Is 550 5.7.515 the same as going to junk?
No. It is a 5xx permanent rejection at SMTP. The message was refused outright and never reached the mailbox, junk folder included.
Related
- Fixing Gmail 550 5.7.26 — Gmail rejects with 550 5.
- SPF PermError — PermError means SPF failed permanently — you get no authentication benefit at all.
- Setting up email authentication, in the right order — A working sequence for SPF, DKIM and DMARC that doesn't reject your own mail on the way.
- Gmail bulk sender requirements — What Google requires once you cross its bulk threshold to personal Gmail accounts: authentication, alignment, DNS, TLS, spam rate and one-click unsubscribe.
- Yahoo sender requirements — Yahoo's bulk sender rules track Google's closely: SPF and DKIM, DMARC, alignment, low complaint rate, one-click unsubscribe.
Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.