cr0x.net — Hard Problems. Clean Solutions.
English

Email “550 5.7.1” policy blocks — the realistic fix path

November 16, 2025 • February 3, 2026 • Read: 23 min • Views: 8

Was this helpful?

You’re shipping invoices, password resets, or a carefully written “please pay us” reminder. Everything looks healthy.
Then your queue starts to swell, users complain, and the remote server replies with the same blunt wall: 550 5.7.1.

This is the email equivalent of a bouncer tapping the sign: “policy.” Not “server down,” not “try later,” but “we don’t like what you are.”
The fix is rarely one magic DNS record. It’s a chain: identity, reputation, and behavior—proved with evidence.

What 550 5.7.1 actually means (and why it’s vague on purpose)

SMTP status codes are deceptively simple. 550 is a permanent failure: the remote server is saying
“don’t retry, fix something.” The enhanced status 5.7.1 generally maps to
“delivery not authorized, message refused”—but that’s a bucket, not a diagnosis.

The key detail: “policy” is a remote decision. It can be triggered by your authentication posture
(SPF/DKIM/DMARC), your IP or domain reputation, your reverse DNS and HELO/EHLO identity, your TLS posture,
your content, your sending patterns, or the recipient’s internal rules. Sometimes it’s a mix.

In production terms, 550 5.7.1 is not an error message. It’s a contract dispute.
The receiving system is asserting: “Your system is not meeting our bar right now.”
Your job is to determine which bar.

One practical mindset shift: stop thinking “email is down.” Think “deliverability is failing.”
That’s not pedantry. Availability is your server being up. Deliverability is other people trusting it.
Different tooling. Different fixes. Different timelines.

Fast diagnosis playbook (find the bottleneck fast)

When a queue is building and executives are pacing, you need an order of operations that cuts through noise.
Here’s the fastest path I’ve found that avoids the two classic traps: random DNS changes and panicked relay swaps.

First: classify the rejection

  • Where is it rejected? During SMTP dialogue (RCPT TO / DATA) or after acceptance (bounce later)?
  • Is it all recipients or one domain? “Only to Microsoft” is different from “to everyone.”
  • Is it all senders or one From domain? Misaligned DMARC often looks like “some brands break.”

Second: check identity and alignment (cheap wins)

  • SPF: authorized outbound IP(s) and include chains not broken.
  • DKIM: valid signature, correct selector, not expired keys, signing the right headers.
  • DMARC: alignment between visible From and SPF/DKIM identities.

Third: check reputation signals (the slow part)

  • Outbound IP reputation and blocklists (RBLs) that recipients actually use.
  • Domain reputation (especially if your domain was recently used for spam, compromised accounts, or lookalike behavior).
  • Behavioral red flags: sudden volume spikes, new IP, high bounce rate, low engagement.

Fourth: verify SMTP presentation (rDNS/HELO/TLS)

  • Reverse DNS exists and matches your announced hostname (or at least looks intentional).
  • HELO/EHLO is a real FQDN with matching forward DNS.
  • TLS is sane; certificates aren’t expired; you’re not advertising weird cipher junk.

Fifth: content and routing

  • Content triggers: URL shorteners, malformed MIME, missing List-Unsubscribe for bulk, sketchy attachment types.
  • Routing: are you unexpectedly relaying through a smart host or cloud NAT that changed the outbound IP?

If you follow this order, you’ll usually identify the dominant bottleneck within 30–60 minutes and stop bleeding.
The long tail—reputation recovery—may take days, but at least you’ll know you’re paying the right debt.

Interesting facts and historical context (so the weirdness makes sense)

  1. SMTP predates spam by decades. The original model assumed mostly cooperative peers; authentication was not a first-class requirement.
  2. Enhanced status codes (like 5.7.1) were standardized later to provide more nuance than “550,” but providers still overload them.
  3. SPF started as a “who can send for this domain” idea because forged envelope senders were cheap and common; it was never a complete anti-phishing solution.
  4. DKIM came from domain-level cryptographic signing to survive forwarding better than SPF; it’s still fragile when intermediaries rewrite content.
  5. DMARC’s real power is alignment and policy. It lets a domain owner say “if this doesn’t authenticate as me, reject or quarantine.”
  6. Reverse DNS became a social contract. It’s not a hard protocol requirement, but many receivers treat missing rDNS as “likely botnet.”
  7. Blocklists existed before modern reputation systems. Early operators shared lists because it was faster than arguing with every spammer individually.
  8. Large providers run proprietary reputation engines. You can pass SPF/DKIM/DMARC and still get blocked if your traffic looks abusive.
  9. “Policy” also means local compliance choices. Some orgs reject mail from residential IP ranges, certain geos, or low-TLS postures regardless of authentication.

Collect evidence first: what to capture before you “fix” anything

When email breaks, people start “trying things.” That’s how you end up with three half-configured DKIM selectors,
an SPF record that exceeds DNS lookup limits, and a reputation problem you can’t explain because you changed five variables at once.

Capture a small evidence bundle. It’s not bureaucracy; it’s how you avoid repeating outages.

  • One full bounce message including headers and SMTP transcript (not a screenshot).
  • Postfix/Exim logs around the failure with queue ID and remote response.
  • The sending IP and hostname as observed externally (not what you think it is).
  • Current DNS records for SPF, DKIM selectors, DMARC, MX, A/AAAA, PTR.
  • Recent sending changes: new marketing campaign, new IP, new relay, app deploy, NAT change, or compromised account remediation.

Joke #1: If your “fix” is editing DNS records from memory at 2 a.m., congratulations—you’ve reinvented roulette with fewer drinks.

Practical tasks with commands: what to run, what it means, what you decide

These are runnable tasks you can do from a Linux mail host or a troubleshooting box with network access.
Each task includes: command, example output, what the output means, and what you decide next.

Task 1: Find the exact remote rejection text and stage (Postfix)

cr0x@server:~$ sudo grep -E "status=bounced|status=deferred|5\.7\.1|policy" /var/log/mail.log | tail -n 8
Jan 04 10:11:22 mx1 postfix/smtp[18422]: 9C2E91A2C4: to=<user@recipient.example>, relay=mx.recipient.example[203.0.113.9]:25, delay=2.1, delays=0.1/0.02/0.6/1.4, dsn=5.7.1, status=bounced (host mx.recipient.example[203.0.113.9] said: 550 5.7.1 Message rejected due to policy (in reply to end of DATA command))
Jan 04 10:11:23 mx1 postfix/qmgr[913]: 9C2E91A2C4: removed

Meaning: Rejection at end of DATA means the remote accepted the envelope but disliked the content or authentication results after scanning.
If it was rejected at RCPT TO, it would more likely be IP reputation, RBL, or recipient policy.

Decision: If rejected at end of DATA, prioritize authentication alignment and content checks; still check reputation, but start with what the remote scanned.

Task 2: Inspect a queued message safely (Postfix)

cr0x@server:~$ sudo postcat -q 9C2E91A2C4 | sed -n '1,120p'
*** ENVELOPE RECORDS ***
message_size: 48231            1980             1               0               0
message_arrival_time: Sat Jan  4 10:11:20 2026
create_time: Sat Jan  4 10:11:20 2026
named_attribute: log_ident=mx1
sender: noreply@brand.example
*** MESSAGE CONTENTS ***
Received: from app1.internal (app1.internal [10.0.2.15])
        by mx1.brand.example (Postfix) with ESMTPSA id 9C2E91A2C4
        for <user@recipient.example>; Sat, 04 Jan 2026 10:11:20 +0000 (UTC)
From: "Brand Support" <noreply@brand.example>
To: <user@recipient.example>
Subject: Password reset
Date: Sat, 04 Jan 2026 10:11:20 +0000
Message-ID: <20260104101120.12345@app1.internal>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

Meaning: This confirms the visible From domain, the submission path (ESMTPSA from an internal app),
and whether headers look “normal.” A Message-ID on an internal domain can be a minor trust signal issue for some filters.

Decision: If Message-ID or other headers look odd, fix the app/MTA header policy (Message-ID domain, Date, MIME). Then re-test before changing DNS.

Task 3: Verify which IP you actually send from (outbound NAT surprises are real)

cr0x@server:~$ ip route get 8.8.8.8 | sed -n '1p'
8.8.8.8 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 1000

Meaning: The source IP is 192.0.2.10 for typical outbound traffic. If you expected a different IP, you have a routing/NAT issue.

Decision: If the sending IP changed recently, treat reputation as suspect and check rDNS and blocklists for the new IP.

Task 4: Check forward DNS for your mail hostname (A/AAAA)

cr0x@server:~$ dig +short A mx1.brand.example
192.0.2.10

Meaning: The hostname resolves. Many receivers penalize HELO names that don’t resolve.

Decision: If empty, fix DNS. If it resolves to the wrong IP, fix it before anything else.

Task 5: Check reverse DNS (PTR) for the sending IP

cr0x@server:~$ dig +short -x 192.0.2.10
mx1.brand.example.

Meaning: PTR exists and looks intentional.

Decision: If PTR is missing or generic (cloud-provider-default), request rDNS change from your provider. Many policy blocks quietly hinge on this.

Task 6: Check HELO/EHLO identity your Postfix presents

cr0x@server:~$ postconf -n | egrep 'myhostname|mydomain|smtp_helo_name'
mydomain = brand.example
myhostname = mx1.brand.example
smtp_helo_name = $myhostname

Meaning: You’re presenting a stable FQDN. Good.

Decision: If smtp_helo_name is set to something unqualified (like “mail”) or internal, fix it and restart Postfix.

Task 7: Validate SPF record and detect DNS lookup explosion

cr0x@server:~$ dig +short TXT brand.example | sed -n '1,3p'
"v=spf1 ip4:192.0.2.10 include:spf.mailvendor.example -all"

Meaning: SPF is present. But this doesn’t tell you whether includes exceed the 10-DNS-lookup limit.

Decision: If you have multiple includes, you must evaluate the lookup count. If you exceed it, SPF may “permerror,” which can trigger policy blocks.

Task 8: Evaluate SPF from the outside using a local tool (auth results simulation)

cr0x@server:~$ python3 - <<'PY'
import sys, dns.resolver
domain="brand.example"
answers=dns.resolver.resolve(domain,'TXT')
for r in answers:
    for s in r.strings:
        t=s.decode()
        if t.startswith("v=spf1"):
            print(t)
PY
v=spf1 ip4:192.0.2.10 include:spf.mailvendor.example -all

Meaning: Confirms the SPF string you’re publishing. This is still not full SPF evaluation, but it catches “multiple SPF records” and obvious formatting issues quickly.

Decision: If you see more than one v=spf1 record, fix immediately. Receivers may treat it as SPF permerror.

Task 9: Check DMARC record and policy posture

cr0x@server:~$ dig +short TXT _dmarc.brand.example
"v=DMARC1; p=reject; rua=mailto:dmarc@brand.example; ruf=mailto:dmarc-forensics@brand.example; adkim=s; aspf=s"

Meaning: You have strict alignment (adkim=s, aspf=s) and a reject policy.
Great for anti-phishing. Also unforgiving if your systems aren’t perfectly aligned.

Decision: If you’re getting policy blocks to major providers right after enabling strict DMARC, confirm all legitimate senders DKIM-sign with aligned d= or SPF aligns with the From domain.

Task 10: Verify DKIM public key exists for the selector you believe you use

cr0x@server:~$ dig +short TXT s2024._domainkey.brand.example | head -n 2
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt..."

Meaning: The selector exists. Missing selector is a very common “we rotated keys and forgot DNS” outage.

Decision: If missing, publish it, wait for propagation, then re-test. If present, verify your MTA is actually using that selector.

Task 11: Confirm DKIM signing configuration (OpenDKIM + Postfix example)

cr0x@server:~$ sudo egrep -n 'Domain|Selector|KeyFile|Socket' /etc/opendkim.conf | head
14:Domain                 brand.example
15:Selector               s2024
16:KeyFile                /etc/opendkim/keys/brand.example/s2024.private
23:Socket                 inet:8891@localhost

Meaning: Shows what DKIM domain and selector you’re configured to use.

Decision: If Domain/Selector don’t match DNS, fix config. If KeyFile path is wrong or permissions broken, DKIM signing silently fails and receivers decide you’re shady.

Task 12: Check Authentication-Results on a delivered message (ground truth)

cr0x@server:~$ grep -i "Authentication-Results" -n /var/mail/test-inbox | tail -n 3
120:Authentication-Results: mx.google.example; spf=pass (google.example: domain of noreply@brand.example designates 192.0.2.10 as permitted sender) smtp.mailfrom=noreply@brand.example; dkim=pass header.i=@brand.example header.s=s2024; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=brand.example

Meaning: This is the receiver’s verdict. If it says SPF pass, DKIM pass, DMARC pass, you can stop guessing and move on to reputation/content/rate limits.

Decision: If SPF/DKIM/DMARC fail here, fix alignment before anything else. Passing locally is irrelevant; the receiver’s evaluation is what matters.

Task 13: Check if your IP is listed on common DNSBLs (quick signal, not gospel)

cr0x@server:~$ ip=192.0.2.10; rev=$(echo $ip | awk -F. '{print $4"."$3"."$2"."$1}'); for bl in zen.spamhaus.org bl.spamcop.net b.barracudacentral.org; do echo -n "$bl: "; dig +short ${rev}.${bl} A; done
zen.spamhaus.org:
bl.spamcop.net:
b.barracudacentral.org:

Meaning: Empty output suggests “not listed” on these. If you get an IP back, you’re listed.

Decision: If listed on a DNSBL used by your recipient, you either fix the cause (compromise/open relay) and request delisting, or you change outbound IPs (and then warm up carefully).

Task 14: Validate TLS posture from the outside (STARTTLS, cert chain)

cr0x@server:~$ openssl s_client -starttls smtp -connect mx1.brand.example:25 -servername mx1.brand.example /dev/null | openssl x509 -noout -subject -issuer -dates
subject=CN = mx1.brand.example
issuer=CN = R3, O = Let's Encrypt, C = US
notBefore=Dec 15 00:00:00 2025 GMT
notAfter=Mar 14 00:00:00 2026 GMT

Meaning: Cert is valid and not expired.

Decision: If expired or mismatched, fix certs. Some orgs implement “policy” blocks for non-TLS or broken TLS, especially for B2B mail.

Task 15: Ensure you are not an open relay (yes, still)

cr0x@server:~$ swaks --server mx1.brand.example --to victim@external.example --from attacker@external.example --data "Subject: test

hello"
=== Trying mx1.brand.example:25...
=== Connected to mx1.brand.example.
<-  220 mx1.brand.example ESMTP Postfix
 -> EHLO server
<-  250-mx1.brand.example
 -> MAIL FROM:<attacker@external.example>
<-  554 5.7.1 Relay access denied

Meaning: Relay denied for unauthenticated external sender. Good.

Decision: If it accepts relaying, stop everything. You are about to become famous in the worst way and 550 policy blocks will be the least of your problems.

Task 16: Check outbound queue growth and retry behavior

cr0x@server:~$ mailq | tail -n 5
-- 2 Kbytes in 1 Request.

Meaning: Low queue is good. During an incident you might see hundreds/thousands queued with repeated deferrals.

Decision: If queue is growing, rate-limit or pause the offending stream (marketing blast, compromised account) to avoid making reputation worse while you fix identity.

Where policy blocks come from: the real failure modes

1) Authentication passes… but not aligned

This is the most maddening variant because your logs proudly show “SPF=pass” and “DKIM=pass” somewhere,
yet DMARC fails and the receiver treats you as spoofed. Alignment is the difference between
“a domain authenticated” and “the visible From domain authenticated.”

Typical causes:

  • Your app sends From: brand.example but the envelope sender is bounce@mailer.vendor.example and only that passes SPF.
  • DKIM signs with d=vendor.example not d=brand.example.
  • DMARC set to strict alignment while legitimate subdomains send mail that doesn’t match exactly.

2) Reputation death spiral (volume and bounces)

Reputation is feedback-driven. If you suddenly send to a list with many invalid addresses, you generate hard bounces.
If your content looks like phishing, recipients ignore or report it. If you keep sending while blocked, you amplify the signal:
“this sender doesn’t learn.”

Recovery is possible, but it’s slow and boring. That’s good: it means attackers can’t instantly “reset” either.

3) Infrastructure identity mismatch (rDNS, HELO, dynamic IP)

Many receivers treat mail from IPs with no PTR record, or a PTR that screams “generic cloud instance,” as suspicious.
Not always a hard block, but when combined with other weak signals, it becomes the deciding vote.

If you’re sending from a consumer ISP range, expect consistent 5.7.1 style rejections from serious corporate mail systems.

4) Content-based policy blocks (yes, your harmless email can look evil)

Filters are ruthless about patterns that correlate with abuse:
malformed MIME boundaries, HTML-only mail with tiny text and giant links, shortened URLs, mismatched visible link text,
attachments with macro formats, and “brand new domain + urgent language + login link.”

Your “policy” error can be the remote system refusing to accept your message because it scores above a threshold.
You don’t get the score. You get the wall.

5) Forwarding and mailing lists breaking SPF (and sometimes DKIM)

SPF fails when mail is forwarded because the forwarding server’s IP is not authorized in your SPF record.
DKIM can survive forwarding, but breaks if the forwarder rewrites the message body or certain headers.
DMARC then fails because both mechanisms are fragile under modification.

If your audience includes universities, distribution lists, ticketing systems, and security gateways,
this can be a meaningful slice of “random” 5.7.1 rejects.

6) Provider-specific throttling and policy gates

Big providers and corporate gateways implement their own gates: per-IP rate limits, per-domain caps, burst controls, and “new sender” suspicion.
Sometimes they respond with 4xx deferrals. Sometimes they respond with 5xx policy blocks that are effectively “go away until reputation improves.”

This is where operators waste days arguing with the protocol. It’s not a protocol problem. It’s an anti-abuse system doing its job.

One quote that keeps teams honest

Paraphrased idea from Richard Cook (safety and reliability): “success comes from continual adjustments; failure happens when those adjustments can’t keep up.”

Three corporate mini-stories from the trenches

Mini-story #1: The incident caused by a wrong assumption (the NAT that stole mail)

A mid-sized SaaS company ran Postfix on a pair of VMs. They had SPF, DKIM, DMARC—all green in their own tests.
Yet a chunk of transactional email to a major mailbox provider started failing with 550 5.7.1 policy blocks.
The team assumed “DKIM broke,” because that’s the usual culprit after a deploy.

They rotated DKIM keys. They tweaked DMARC alignment. They added yet another include to SPF.
The outage continued. The queue got angry. Support got louder.

The real issue was more mundane: their network team had moved the mail VMs behind a different egress NAT during a firewall maintenance project.
Outbound mail was now leaving from an IP not present in SPF and with no rDNS configured.
Their internal tests hit a test mailbox provider that was more forgiving; the big provider was not.

Once they identified the true egress IP (by checking routing and comparing with the recipient’s logs),
the fix was straightforward: update SPF for the new IP, set proper PTR, and stabilize HELO.
The lesson stuck: in email, “what IP do we send from?” is not a philosophical question. It’s the top line of the autopsy.

Mini-story #2: The optimization that backfired (queue tuning meets reputation)

An enterprise team decided their outbound throughput was “too slow.” Marketing wanted bigger launches, faster.
Someone tuned Postfix concurrency and connection rates upward. The graphs looked great. Latency dropped.
Their MTA behaved like it drank three espressos and found a new life purpose.

Then 550 5.7.1 blocks started appearing intermittently, mostly on the largest providers and a few strict corporate gateways.
The team assumed “provider outage” because retries sometimes worked, and because it’s comforting to blame someone else.

The providers weren’t down. The providers were doing abuse control.
The new concurrency pattern looked like a compromised sender: bursts, high parallelism, rapid delivery attempts to many recipients.
A few typos in list uploads created hard bounces, amplifying the negative signal.

They rolled back concurrency, implemented per-domain rate limiting, and introduced a “warm-up mode” for large sends.
Deliverability stabilized. The optimization didn’t just backfire; it taught the team that throughput is not the primary KPI for email.
The KPI is “messages accepted and not flagged as garbage.”

Mini-story #3: The boring but correct practice that saved the day (DMARC reports as early smoke)

A finance company had a habit that looked like overkill: they reviewed DMARC aggregate reports weekly.
Not with an expensive committee—just a rotating on-call task and a short internal note.
Most weeks it was dull: pass rates, a few unknown sources, nothing dramatic.

One week, they noticed a new source sending mail claiming to be their domain, failing alignment, coming from a random hosting provider.
It wasn’t their infrastructure. It wasn’t an authorized vendor. It was either spoofing or a compromised third party.
No customer had complained yet. No blocklists had hit them yet. But the smoke was visible.

They tightened SPF, verified DKIM selectors for all vendors, and contacted the hosting provider with evidence.
They also preemptively ensured their legitimate mail streams were perfectly aligned and signed, so they wouldn’t get caught in the blast radius.

When phishing campaigns ramped up and mailbox providers became stricter for that brand, their legitimate traffic kept flowing.
The practice wasn’t glamorous, but it changed the incident curve from “sudden outage” to “quiet mitigation.”

Joke #2: Email deliverability is the only field where doing everything right still feels like being judged by a cat.

Common mistakes: symptom → root cause → specific fix

1) Symptom: 550 5.7.1 appears only for one big provider

Root cause: Provider-specific reputation scoring, throttling, or content heuristics; sometimes missing rDNS/TLS that smaller providers ignore.

Fix: Verify Authentication-Results from that provider, confirm egress IP, fix rDNS/HELO/TLS, then reduce send rate and clean bounces. Expect recovery time.

2) Symptom: SPF “pass” but DMARC fails

Root cause: SPF passes for a different domain (envelope sender) than the visible From domain; DMARC alignment fails.

Fix: Ensure the envelope sender domain aligns with From (or configure DKIM with d=brand.example and align DMARC). Avoid strict alignment until you are sure all sources comply.

3) Symptom: Everything works until you rotate DKIM keys

Root cause: New selector not published in DNS, DNS propagation lag, or incorrect key file permissions causing silent signing failure.

Fix: Publish selector first, wait for TTL, validate with dig, then switch signing. Monitor logs for DKIM signing errors.

4) Symptom: Sudden spike in bounces and then policy blocks

Root cause: List hygiene failure, compromised account sending to harvested addresses, or a bad import causing invalid recipients.

Fix: Stop the stream, quarantine the sender/app, clean lists, implement outbound rate limits and bounce processing. Then slowly resume.

5) Symptom: Policy blocks started after moving to a new cloud region

Root cause: New IP range has cold/poor reputation; missing rDNS; mismatch between HELO and PTR; some providers distrust certain ranges.

Fix: Configure PTR and forward DNS properly, warm up the IP gradually, and consider using a reputable relay service during warm-up for critical mail.

6) Symptom: Only forwarded recipients fail (universities, mailing lists, ticketing systems)

Root cause: SPF breaks on forwarding; DKIM breaks if body modified; DMARC fails and receivers enforce policy.

Fix: Prefer DKIM alignment; ensure DKIM survives common modifications (simple canonicalization may be fragile). Consider ARC support if you operate a forwarding service; for senders, keep DKIM robust.

7) Symptom: “Relay access denied” internal users claim it’s 5.7.1 policy

Root cause: Submission misconfig (clients not authenticating, wrong port, wrong relay restrictions) not a remote policy block.

Fix: Fix submission service on 587 with auth, verify smtpd_recipient_restrictions, and ensure clients use STARTTLS + auth.

8) Symptom: Reject happens at end of DATA for HTML-heavy mail

Root cause: Content scoring: URL reputation, malformed MIME, tracking domains, mismatched From/display name patterns, missing text/plain part.

Fix: Validate MIME, include multipart/alternative with text/plain, remove risky URL patterns, fix broken HTML, avoid shorteners, and align tracking domains with your brand.

Checklists / step-by-step plan

Step-by-step: Stabilize the incident (first 2 hours)

  1. Stop making it worse. Pause bulk streams and suspicious senders. Keep password resets and receipts flowing if you can isolate them.
  2. Pick one failing recipient domain and one message sample. Don’t debug ten at once.
  3. Capture the bounce transcript and the queue ID, plus the remote response and stage (RCPT vs DATA).
  4. Confirm egress IP and check PTR + HELO + A record consistency.
  5. Validate SPF/DKIM/DMARC from the receiver’s perspective using Authentication-Results from a test delivery or seeded mailbox.
  6. Check obvious reputation flags: DNSBL presence and whether the IP is new/cold.
  7. Make one change at a time, document it, and retest. DNS changes count as “slow changes.”

Step-by-step: Fix identity and alignment (same day)

  1. SPF: single record, correct authorized IPs, avoid excessive includes, set -all only when confident.
  2. DKIM: sign all outbound mail streams with aligned d= for the visible From domain. Rotate keys with overlap.
  3. DMARC: start with p=none during rollout if you have unknown senders; move to quarantine and reject when pass rates are stable.
  4. Envelope sender: ensure bounce domain is under your control and aligns when SPF is your primary path.
  5. Headers: fix Message-ID domain, Date, MIME structure, and ensure you don’t produce malformed content.

Step-by-step: Recover reputation (days to weeks)

  1. Reduce volume and smooth bursts. Providers distrust spiky senders.
  2. Clean lists and suppress bounces. High hard-bounce rates are self-inflicted harm.
  3. Segment mail streams. Transactional mail should not share reputation with marketing experiments.
  4. Warm up new IPs slowly. Start with engaged recipients and gradually increase volume.
  5. Monitor complaints and engagement signals where available (feedback loops, user reports).
  6. Don’t “fix” reputation by hopping IPs weekly. That reads like evasion. Some systems remember.

Operational checklist: What to keep in place permanently

  • Documented mail flow diagram: apps → submission → MTA → relay (if any) → internet egress IPs.
  • Version-controlled DNS zone fragments or infrastructure-as-code for SPF/DKIM/DMARC.
  • Key rotation runbook: publish selector, validate DNS, switch signing, keep old selector during overlap window.
  • Outbound rate limiting per domain/provider and sensible concurrency defaults.
  • Separate IPs/domains for transactional vs marketing when the business depends on receipts getting through.
  • Alerting on bounce spikes, queue growth, and sudden authentication failures.

FAQ

1) Is “550 5.7.1” always an SPF/DKIM/DMARC problem?

No. It’s often correlated with authentication failures, but it can be reputation, rDNS/HELO mismatch, TLS policy, or content filtering.
The SMTP stage matters: rejected at RCPT often points to IP/reputation; rejected at end of DATA often points to content/auth evaluation after scanning.

2) We pass SPF, DKIM, and DMARC, but still get 550 5.7.1. Now what?

Assume reputation or content. Confirm you’re sending from the IP you think you are, check PTR/HELO consistency,
review bounce/complaint rates, and look for content triggers (URLs, attachments, malformed MIME, aggressive tracking).
Also verify you’re not bursting traffic in a way that triggers policy gates.

3) Can I fix it by changing my IP?

Sometimes, but treat it as a last resort for critical mail—especially if the current IP is listed due to a real compromise you’ve already fixed.
A new IP is “cold” and can be blocked too. If you rotate IPs repeatedly, you look like an abuser and your future becomes exciting in the wrong way.

4) What’s the difference between SPF fail and SPF permerror?

Fail means the IP isn’t authorized by the domain’s SPF policy. Permerror means the record is broken (often too many DNS lookups or multiple SPF records).
Permerror is especially painful because it’s self-inflicted and can trigger DMARC failure even for legitimate mail.

5) Why does forwarding break things?

SPF is evaluated against the connecting IP. When a forwarder sends your mail onward, the connecting IP becomes the forwarder, not you—so SPF often fails.
DKIM can survive forwarding, but breaks if the forwarder modifies the body or signed headers. DMARC fails if neither aligned SPF nor aligned DKIM passes.

6) Should we set DMARC to p=reject to stop spoofing?

Eventually, yes. But do it like an SRE, not like a gambler. Inventory all legitimate senders first, get DKIM signing consistent,
start with p=none to observe, then move to quarantine and finally reject.
Otherwise you’ll block your own business mail and call it “security.”

7) How do we keep transactional mail flowing when marketing gets us blocked?

Separate streams: different IPs, different subdomains, and ideally different infrastructure.
Transactional mail needs stable reputation and conservative behavior. Marketing needs experimentation, which is fine—just don’t let it burn the emergency exits.

8) Can content alone cause a “policy block” even with perfect authentication?

Yes. Authentication answers “who are you,” not “are you welcome.” If your message looks like malware delivery, credential phishing, or spammy affiliate traffic,
some receivers will block at end of DATA. Fix MIME correctness, remove suspicious URLs, and avoid risky attachment types.

9) What’s the quickest “sanity check” to run during an incident?

Pull one bounce transcript, confirm egress IP and PTR, and get an Authentication-Results header from a seeded mailbox.
That triangulates identity vs reputation vs content faster than any Slack debate.

Conclusion: next steps that actually reduce 550s

“550 5.7.1 policy block” is not a single bug. It’s a verdict from the other side of the internet, usually backed by a pile of signals you don’t fully see.
Your job is to make your identity unambiguous, your infrastructure consistent, and your sending behavior boring.
Boring is good. Boring gets delivered.

Practical next steps:

  1. Build a repeatable evidence bundle: bounce transcript, queue ID, stage, egress IP, and current DNS records.
  2. Make alignment non-negotiable: DKIM with aligned d= for your From domain, SPF that actually matches the sending IP, DMARC that reflects reality.
  3. Harden SMTP identity: rDNS, HELO, forward DNS, and valid TLS certificates.
  4. Control behavior: rate limit, segment streams, and stop bursts from turning into reputation incidents.
  5. Institutionalize the boring practice: monitor authentication results and bounce spikes before they become an outage.

If you do those five things, 550 5.7.1 won’t disappear forever—email is still email—but it becomes an occasional irritant instead of a recurring production incident.

← Previous
GPU shortages: how gamers became collateral damage
Next →
Docker Time Zone Drift in Containers: Fix It Without Rebuilding Images
Similar articles
Email deliverability: Messages land in spam — the real fixes (SPF/DKIM/DMARC done right) Email: Outbound reputation tanked — what to stop doing immediately (and fixes) SPF/DKIM Pass but Still Spam: The Hidden Signals to Fix Email Not Sending from WordPress/App: SMTP Relay Setup That Actually Delivers rDNS/PTR Missing: The Boring DNS Fix That Saves Email Deliverability Email: DKIM fails — why the signature breaks (and how to fix it fast)

Related articles

Email deliverability: Messages land in spam — the real fixes (SPF/DKIM/DMARC done right) January 16, 2026 Email: Outbound reputation tanked — what to stop doing immediately (and fixes) December 21, 2025 SPF/DKIM Pass but Still Spam: The Hidden Signals to Fix October 28, 2025 Email Not Sending from WordPress/App: SMTP Relay Setup That Actually Delivers October 26, 2025 rDNS/PTR Missing: The Boring DNS Fix That Saves Email Deliverability October 13, 2025 Email: DKIM fails — why the signature breaks (and how to fix it fast) October 9, 2025 Email: Too Many Recipients — Stop Abuse and Fix Legitimate Bulk Sends February 2, 2026 Email “message deferred”: decode why mail is stuck (and fix it) February 2, 2026 DKIM Selector Mismatch: The 2-Minute Fix January 28, 2026 Postfix Rate Limiting: Prevent Abuse Without Blocking Real Users January 27, 2026

Leave a comment