Outlook 550 5.7.515 and friends

Microsoft's 550 5.7.515 means the sending domain did not meet Outlook's authentication requirements — it is Microsoft's analogue of Gmail's 550 5.7.26. The domain must pass SPF or DKIM and, for bulk mail, have DMARC with an authenticated identifier that aligns with the visible From:. Related codes in the 5.7.5xx family point at reputation and policy rather than DNS.

Updated July 14, 2026 · Bounce codes

What Microsoft is telling you

The 5.7.5xx family is Microsoft's authentication-and-policy bucket. The specific code narrows it, but the shape of the fix is nearly always the same, and it is the same fix as for Gmail's 550 5.7.26: produce an authenticated identifier that aligns with the domain in your visible From: header.

Work it in this order

  1. Read the bounce. Get the SPF result, the DKIM signing domain, and the From: domain. Three facts. Do not skip this to go edit DNS.
  2. One SPF record, inside 10 lookups. Two records or a PermError and SPF contributes nothing.
  3. DKIM signing on your domain. If Microsoft 365 is your sender, that means enabling DKIM for the custom domain — the default is signing with onmicrosoft.com, which authenticates fine and aligns with nothing. This single default is behind a large share of these rejections.
  4. DMARC published at _dmarc.<domain>.
  5. Retest with a new message.
The Microsoft 365 default that catches everyone. A fresh tenant signs outbound mail with <tenant>.onmicrosoft.com. DKIM passes. DMARC still fails, because the signing domain is not your domain and therefore does not align with your From:. You must explicitly enable DKIM for your custom domain and publish the two CNAMEs (selector1 and selector2). Everything "looks configured" until you check alignment.

Check what you publish

We probe selector1/selector2 among others — see the DKIM notes if nothing is found.

Frequently asked

What does 550 5.7.515 mean?

Outlook/Microsoft refused the message because the sending domain did not satisfy its authentication requirements. It is a permanent rejection. In practice it means SPF and DKIM both failed to produce an authenticated identifier that aligns with your From domain.

How do I fix Outlook rejecting my email for authentication?

Confirm a single valid SPF record inside the 10-lookup limit; confirm DKIM is actually signing outbound mail with your domain as the signing domain, not your ESP's; confirm a DMARC record exists; and confirm alignment. Alignment is the usual culprit — three valid records with none of them aligned to your From domain still fails.

Is 550 5.7.515 the same as going to junk?

No. It is a 5xx permanent rejection at SMTP. The message was refused outright and never reached the mailbox, junk folder included.

Related

Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.