It's frustrating when you get an error after sending an email message. This article describes what you can do if you see error code 550 5.7.515 in a non-delivery report (also known as an NDR, bounce message, delivery status notification, or DSN) when you try to send email to Outlook.com and related Microsoft consumer email services (Hotmail, Live.com, MSN, etc.).
The full error is:
-
550 5.7.515 Access denied, sending domain <domain> does not meet the required authentication level.
-
The sender's domain in the 5322.From address doesn't meet the authentication requirements defined for the sender.
Use the information in the NDR to help you fix the problem.
Why did I get this bounce message?
This error indicates your message was rejected because the domain in your 5322.From email address (also known as the From address or P2 sender) didn't pass the required email authentication level for senders of large volumes of email to Microsoft consumer email services.
As part of our efforts to improve email security and reduce spam and phishing, we now enforce stricter email authentication requirements for high-volume (large) email senders. For more information, see Strengthening Email Ecosystem: Outlook's New Requirements for High-Volume Senders.
What defines a high volume (large) sender?
-
You send 5,000Ā or more email messages to Microsoft consumer email services.
and
-
All of the messages use the same domainĀ in the 5322.FromĀ address.
After you reach this threshold, we expect all messages from senders in the domain to meet all of the following email authentication requirements:
-
Publish SPF and DKIM records for the domain: Both SPF and DKIM checks must pass.
-
Publish a DMARC record for the domain: For example:
Hostname: _dmarc
TXT value: v=DMARC1; p=none
-
Messages from senders in the domain must pass DMARC validation:Ā The SPF and/or DKIM record (at least one)Ā must align withĀ (effectively, "include" or "match") the domain in the 5322.FromĀ address.
Details about the required SPF, DKIM, and DMARC records are described in the next section.
For general information about email authentication records, see Email authentication in Microsoft 365.
How do I fix this?
Step 1: Check the message header
Use Outlook to view the message header fields and see the results of SPF, DKIM, and DMARC. For more information, see:
Verify the domain in the return-path address (also known as the 5321.MailFrom address, P1 sender, or envelope sender) aligns with the domain in the 5322.From address.
Step 2: Verify your SPF, DKIM, and DMARC records
-
SPF: Verify the following settings:
-
The message came from an authorized source for the 5321.MailFrom address domain.
-
To use theĀ SPF record to pass DMARC validation, verify the domainsĀ in theĀ 5321.MailFrom andĀ 5322.From addresses are aligned (effectively, the authorized sources are in the 5322.From address domain).
-
-
DKIM: Verify the following settings:
-
The message is signed by DKIM.
-
To use the DKIM record to pass DMARC validation, verify the domain that signed the message aligns with the 5322.FromĀ address domain.
-
-
DMARC: Verify the following settings:
-
The DMARC TXT record contains a valid DMARC policy (p=reject, p=quarantine, or p=none).
-
Ā DMARC validation passes using SPF and/or DKIM (only one is required).
-
For more information, see Set up DMARC to validate the From address domain for senders in Microsoft 365.
Step 3: Verify the configuration of any third-party email sending services
-
Verify email sent by the service on your behalf is configured with the following settings:
-
The 5322.MailFrom address contains your domain.
-
DKIM signs messages with your domain.
-
-
Verify the SPF record for your domain includes the IP address orĀ include values required by the service.
-
Verify DMARC validation usesĀ your domain.
