Email deliverability · error decoded

550 Permanent Failure

A 550 permanent failure means the receiving mail server rejected your message on purpose and will reject the same, unchanged message again if you resend it. The number that follows 550 (the enhanced status code, such as 5.1.1 or 5.7.1) tells you why: a recipient address that does not exist, a full or disabled mailbox, or a policy block from failed authentication or a reputation problem. Overloop verifies addresses and tracks bounce codes automatically, so you know which bucket you are in before a campaign burns your sending domain. This guide decodes the common 550 variants, their causes, and the exact fix for each one.

6 error variants decoded 2 root-cause buckets RFC 3463 reference
Topics: DeliverabilityCold Email

A 550 is different from a temporary 4xx bounce like 421 or 450. There is no "try later" here: the receiving server rejected the message on purpose, and resending the exact same email to the exact same address usually just produces another hard bounce. The good news is that 550s are readable once you know where to look. The 550 code itself only tells you the category. The real answer sits in two parts of the bounce: the enhanced status code (5.x.y, for example 5.1.1 versus 5.7.1) and the server's plain-text explanation ("user unknown," "relay denied," "blocked," "policy").

Below is a table of the variants you will actually see in a bounce log, followed by a fix playbook for each cause. If you already have the exact code, jump straight to fix 5.1.1 or fix 5.7.1, the two buckets that cover most outbound sending.

Read the bounce in this order: (1) the enhanced status code, 5.x.y, near "Diagnostic-Code" or "Status", (2) the receiver's exact text, (3) who has to fix it: you the sender, or the recipient's mail admin. 5.1.x almost always means your data is wrong. 5.7.x almost always means your sending identity triggered a policy.

What are the common 550 permanent failure variants?

Most 550 bounces fall into a handful of buckets. Match the exact wording in your bounce to the row below to find the cause fast.

Variant you'll seeEnhanced codeWhat it means
550 5.1.1 User unknown / No such user5.1.1Invalid recipient. The mailbox does not exist at that domain. RFC 3463 text: 550 5.1.1 Bad destination mailbox address. Gmail's own wording is 550 5.1.1 The email account that you tried to reach does not exist.
550 5.1.2 Bad destination system address5.1.2The domain cannot be routed. Often a typo or a parked domain with no mail server. RFC 3463 text: 550 5.1.2 Bad destination system address.
550 5.2.1 Mailbox disabled / Account inactive5.2.1The mailbox exists but was disabled or suspended by the recipient's admin. RFC 3463 text: 550 5.2.1 Mailbox disabled, not accepting messages.
550 5.2.2 Mailbox full / Quota exceeded5.2.2The recipient's inbox is over quota. Sometimes appears as 552 instead. RFC 3463 text: 550 5.2.2 Mailbox full.
550 5.7.1 Message rejected / Relay denied5.7.1Blocked by policy, spam filters, or a failed SPF/DKIM/DMARC check. RFC 3463 text: 550 5.7.1 Delivery not authorized, message refused.
550 5.7.1 Blocked / Listed / IP reputation5.7.1Your sending IP or domain is flagged on a blocklist or has a reputation problem. Outlook.com and Microsoft 365 often phrase it as 550 5.7.1 Unfortunately, messages from [IP] weren't sent. Please contact your Internet service provider.

In outbound sending, the two buckets that matter most are 5.1.1 (list quality) and 5.7.1 (sender trust). That's why teams pair strict pre-send verification, which reduces unknown-user bounces, with authentication checks and reputation monitoring, which reduce policy blocks. Overloop's built-in email verification and bounce tracking show you which bucket you're in before a campaign burns your domain.

How do you read the bounce message and find the real cause?

A "550 permanent failure" becomes obvious once you isolate two fields: the enhanced status code (5.x.y) and the receiver's free-text explanation. The 550 is the SMTP reply code. The 5.x.y is the reason class, and it points straight to the fix. SMTP enhanced status codes are defined in RFC 3463, but the practical mapping below is what outbound teams actually use.

Use this quick extraction process on any bounce log, whether it came from Google Workspace, Microsoft 365, Postfix, SendGrid, Amazon SES, or Mailgun:

  1. Find the enhanced status code. Look for a pattern like 5.1.1, 5.2.1, or 5.7.1, usually next to "Diagnostic-Code:" or "Status:".
  2. Copy the receiver's exact text. Phrases like "user unknown", "mailbox disabled", "blocked", "SPF fail", "DMARC policy" carry the real clue.
  3. Identify who has to change something. 5.1.x usually means the address is wrong on your end. 5.7.x usually means your sending identity or infrastructure triggered a policy.
  4. Match the code to a playbook. Fix list quality for 5.1.1, fix authentication and reputation for 5.7.1, and wait on mailbox capacity for 5.2.x.

If your bounce report includes the original message headers, check the Authentication-Results header for "spf=pass/fail", "dkim=pass/fail", and "dmarc=pass/fail". That single line usually explains a 5.7.1 faster than guessing.

Fast rule of thumb: the receiver text often names the gatekeeper. Gmail bounces reference "Google" filtering; Microsoft 365 bounces mention "Office 365" or "EOP" (Exchange Online Protection). Any mention of an IP, a domain, or a header check means you're looking at a sender trust issue, not a data issue.

How do you fix 550 5.1.1 (recipient address doesn't exist)?

A 5.1.1 code means the receiver cannot map the local part of the address (everything before the @) to a real mailbox. This is the cleanest 550 to fix because it is almost always a data problem, not a deliverability one.

  1. Copy the exact address from the bounce. Do not trust your CRM field. In Gmail and Microsoft 365 bounces, the failed address usually appears next to "Final-Recipient" or "Original-Recipient". One wrong character is enough to trigger 5.1.1.
  2. Fix obvious formatting errors. Remove trailing punctuation, double dots, stray spaces, and pasted display names like "Jane Doe <jane@company.com>". Confirm you did not send to a placeholder such as "info@" or a literal "{email}" token.
  3. Check for a wrong alias pattern. Many companies use first.last, firstinitiallast, or first only. If your list source guessed the pattern, validate it against a second source, such as a LinkedIn profile or a company press release, before you trust it.
  4. Confirm the domain can receive mail. A misspelled or parked domain can still produce 5.1.1-style wording. Look up MX records with a DNS tool such as MXToolbox. No MX record, or one pointing nowhere, means it's a domain issue, not a mailbox issue.
  5. Verify the mailbox before you resend. Run the address through an email verification service that checks syntax, domain, and SMTP-level validity. If verification returns "invalid" or "unknown," do not retry it from the same campaign.
  6. Stop the repeat at the source. Block sends to unverified addresses, suppress every contact that hard-bounced with 5.1.1, and require a second data source for any guessed address. Overloop's built-in email verification catches this before launch, not after the bounce.
Don't do this: don't keep retrying the same address; repeated 5.1.1 bounces raise your hard bounce rate with every major mailbox provider. And don't ask a recipient to "whitelist you" when the mailbox doesn't exist. Get the correct address through LinkedIn or the company switchboard, then verify it before you send.

How do you fix 550 5.7.1 (blocked by policy, spam, or authentication)?

When the mailbox exists but the receiver still refuses your message, 550 5.7.1 usually means the receiving server does not trust your sender identity. You fix this by aligning authentication (SPF, DKIM, DMARC) and removing infrastructure red flags such as missing reverse DNS or a bad HELO/EHLO name.

  1. Confirm what failed in the headers. Open the bounce or the original message headers and find Authentication-Results. Look for "spf=fail/softfail", "dkim=fail", or "dmarc=fail". Google Workspace and Microsoft 365 message trace tools typically surface the same signals.
  2. Fix SPF. Publish one SPF TXT record for the domain in RFC 7208 format, including every legitimate sender (Google Workspace, Microsoft 365, SendGrid, Amazon SES, Mailgun, and so on). Remove duplicate SPF records and keep your DNS lookups under the SPF limit of 10.
  3. Fix DKIM. Enable DKIM signing in your sending system and publish the DKIM public key in DNS for the selector it uses. Send a test email and confirm "dkim=pass" in Authentication-Results.
  4. Fix DMARC alignment. Publish a DMARC TXT record at _dmarc.yourdomain per RFC 7489, so at least one of SPF or DKIM aligns with the visible From domain. Start with p=none to monitor, then move to quarantine or reject once DMARC reports show consistent passes.

Receivers often fold infrastructure checks into 5.7.1 even when your content looks fine. The usual suspects: a missing PTR record (your sending IP should reverse-resolve to a hostname that resolves back to the same IP), a bad HELO/EHLO name such as "localhost", domain or IP reputation damage from high bounce rates or sudden volume spikes, and forwarding rules on the recipient side that break SPF alignment.

How do you fix a 550 caused by a blocklist or reputation hit?

When your list is clean and 550s keep coming, you're usually dealing with reputation: the receiving system doesn't trust your sending domain or IP. Many of these bounces still show 550 5.7.1, but the text hints at "blocked," "reputation," "listed," or names a specific filter. Treat a blocklist as a symptom. Rush to delist while you keep sending the same traffic, and you often get relisted within days.

  1. Pause risky sends for 24 to 72 hours. Stop cold sequences and new list uploads; keep only essential 1:1 mail. This prevents more negative signals while you diagnose.
  2. Confirm what's listed and where. Check your sending IP and domain against a tool such as MXToolbox Blacklist Check. If you send through a shared IP pool, delisting "your" IP may not even be possible.
  3. Cut your list harder than feels reasonable. Suppress every hard bounce, every role address you don't need (info@, sales@), and any "unknown" verifier result. Segment out catch-all domains.
  4. Send to the best-engaged segment first. Start with recipients who replied recently or read your mail regularly. Keep cold outreach off until metrics stabilize.
  5. Throttle volume and smooth spikes. Reputation systems react badly to step changes. Increase daily volume gradually and keep send times consistent.
  6. Fix the root cause before you request delisting. If the bounce text references authentication, correct SPF, DKIM, DMARC, rDNS, and HELO/EHLO first. A clean delist request doesn't compensate for a broken sending identity.
  7. Request delisting last, and document what changed. Include the remediation steps and dates. For Spamhaus specifically, follow the official process at Spamhaus Lookup.

Watch your bounce logs as you ramp back up. A falling 5.7.1 rate and fewer "listed" messages mean the receiver's trust score is recovering. If blocks persist after cleanup, look at content patterns (links, tracking domains) and infrastructure (shared IP reputation, a misconfigured relay).

How do you fix a 550 error on Gmail, Outlook, or Yahoo?

The fixes above apply everywhere, but each major mailbox provider shows its own bounce wording and gives you a different tool to check reputation and authentication. Match your exact provider below before you resend.

Gmail and Google Workspace

Gmail's standard text for a nonexistent address is 550 5.1.1 The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces. A policy or spam block on Gmail typically reads 550 5.7.1 Our system has detected that this message is likely unsolicited mail. Check domain and IP reputation, spam rate, and authentication status in Google Postmaster Tools. If you send 5,000 or more messages a day to Gmail addresses, also confirm you meet Google's bulk sender requirements: valid SPF, DKIM, and DMARC, plus a spam rate under 0.3% in Postmaster Tools.

Outlook and Microsoft 365

Microsoft's nonexistent-mailbox bounce usually reads 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup. Reputation and policy blocks on Outlook.com and Microsoft 365 commonly show 550 5.7.1 Unfortunately, messages from [IP] weren't sent. Please contact your Internet service provider. Look up your sending IP's complaint and reputation data in Smart Network Data Services (SNDS), and use the Exchange admin center's message trace if you also manage the receiving mailbox. If the block persists after you fix authentication, Microsoft's sender support form is where you request a review.

Yahoo and AOL

Yahoo and AOL, which share the same mail infrastructure, commonly reject with 554 5.7.9 Message not accepted for policy reasons, which points to their deliverability portal, or with 550 5.1.1 <address> Address rejected for a mailbox that does not exist. Check authentication guidance and sender reputation status at Yahoo's sender hub. Yahoo and AOL blocks are more often reputation-driven than a single bad address, so register for their Complaint Feedback Loop once you send any real volume.

How do you prevent 550 errors before you send?

Cold outreach breaks when you scale volume faster than you scale trust. The goal is simple: keep daily output high while keeping permanent failures, both 5.1.1 hard bounces and 5.7.1 policy blocks, low.

As of 2026, Google's bulk sender guidelines, in force since February 2024, require senders of 5,000+ daily messages to a Gmail address to keep spam complaints under 0.3% as measured in Google Postmaster Tools, on top of valid SPF, DKIM, and DMARC. Crossing that threshold is one of the more common, entirely preventable causes of a fresh wave of 5.7.1 bounces.

A simple stoplight rule: if hard bounces (5.1.x) rise, pause new list uploads and re-verify. If 5.7.1 rises, slow sending and re-check SPF, DKIM, and DMARC alignment. Overloop's bounce tracking flags which sequence, inbox, or recipient domain is producing the permanent failures before the problem spreads.

Stop 550s before they start

Overloop verifies every address before it enters a sequence and tracks bounce codes by inbox and domain, so you catch a 5.1.1 or 5.7.1 spike before it burns your sending reputation.

Try Overloop free →See features

Catch 550s before they burn your domain

Overloop verifies every email before it enters a sequence and flags 5.1.1 and 5.7.1 spikes by inbox, sequence, and recipient domain, so you fix the cause before reputation damage spreads.

Try Overloop free
Nicolas Finet
CEO, Sortlist + Overloop
CEO Sortlist + Overloop. Built outbound systems for 500+ B2B companies across Europe. Author of 100+ guides on cold email, GDPR, and AI sales tools.

Frequently asked questions

What does a 550 permanent failure mean?

A 550 permanent failure means the receiving mail server rejected your message on purpose and will reject the same unchanged message again. The enhanced status code that follows, such as 5.1.1 or 5.7.1, tells you the specific cause: a nonexistent address, a disabled or full mailbox, or a policy block from failed authentication or reputation.

Should I resend after a 550 permanent failure?

Resend only if you changed something that matches the code. For 550 5.1.1, resend only after you corrected and verified the address. For 550 5.7.1, resend only after fixing SPF, DKIM, DMARC, rDNS, or content. Blind retries inflate your hard bounce rate.

What is the difference between 550 and 552?

550 is the general permanent failure code. Many servers use 552 specifically for mailbox full or message size issues, usually paired with the enhanced code 5.2.2. Treat it as recipient-side and either retry later or reduce message size if the text mentions limits.

Is 550 always a bad email address?

No. 550 is a rejection class, not a single cause. The enhanced status code and message text tell you whether it's a nonexistent mailbox (5.1.1) or a policy block (5.7.1). Read those two fields before assuming the address is wrong.

How long does it take to fix a 550 error?

Address fixes are immediate once you correct and verify the address. Authentication DNS changes for SPF, DKIM, or DMARC often propagate within minutes, though some resolvers cache for up to 24 to 48 hours depending on TTL. Reputation recovery takes longer, expect days to weeks after high bounce rates or spam complaints.

Who has to fix a 550 error, me or the recipient?

If the code is 5.1.1, you fix your data. If it's 5.2.1 or 5.2.2, the recipient's mail admin fixes the mailbox state or quota. If it's 5.7.1, you almost always fix your sending authentication, infrastructure, or sending behavior.