Email non-delivery reports in Office 365

When there's a problem delivering an email message that you sent, Office 365 sends an email to let you know. The email you receive is a delivery status notification, also known as a bounce message. The most common type is called a non-delivery report (NDR) and they tell you that a message wasn't delivered. Non-delivery can be caused by something as simple as a typo in an email address. NDRs include a code that indicates why your email wasn't delivered, solutions to help you get your email delivered, a link to more help on the web, and technical details for administrators. Find out More about what's included in my NDR email.

Find my NDR code and get help delivering my email

The following table contains the NDR codes (also called enhanced status codes) for the most common bounce messages and NDRs that you might encounter in Office 365.

NDR code

Description

Possible cause

Additional information

4.4.7

Message expired

The message in the queue has expired. The sending server tried to relay or deliver the message, but the action was not completed before the message expiration time occurred. This message can also indicate that a message header limit has been reached on a remote server, or some other protocol time-out occurred while communicating with the remote server.

This message usually indicates an issue on the receiving server. Check the validity of the recipient address, and determine if the receiving server is configured correctly to receive messages.

You might have to reduce the number of recipients in the message header for the host about which you are receiving this error. If you send the message again, it is placed in the queue again. If the receiving server is available, the message is delivered.

For more information, see Fix email delivery issues for error code 4.4.7 in Office 365.

4.7.26

Access denied, a message sent over IPv6 [2a01:111:f200:2004::240] must pass either SPF or DKIM validation, this message is not signed

The sending message sent over IPv6 must pass either SPF or DKIM.

For more details, see Support for anonymous inbound email messages over IPv6.

4.7.500-699

Access denied, please try again later

Suspicious activity has been detected on the IP in question, and it has been temporarily restricted while it is being further evaluated.

If this activity is valid, this restriction will be lifted shortly.

4.7.850-899

Access denied, please try again later

Suspicious activity has been detected on the IP in question, and it has been temporarily restricted while it is being further evaluated.

If this activity is valid, this restriction will be lifted shortly.

5.1.0

Sender denied

A common cause of this NDR is when you use Microsoft Outlook to save an email message as a file, and then someone opened the message offline and replied to it. The message property only preserves the legacyExchangeDN attribute when Outlook delivers the message, and therefore the lookup could fail.

Either the recipient address is incorrectly formatted, or the recipient could not be correctly resolved. The first step in resolving this error is to check the recipient address, and send the message again.

For more information, see Fix email delivery issues for error code 5.1.0 in Office 365.

5.1.1

Bad destination mailbox address

This failure might be caused by the following conditions:

  • The recipient's email address was entered incorrectly by the sender.

  • No recipient's exists in the destination email system.

  • The recipient's mailbox has been moved and the Outlook recipient cache on the sender's computer has not updated.

  • An invalid legacy domain name (DN) exists for the recipient's mailbox Active Directory Domain Service.

This error typically occurs when the sender of the message incorrectly enters the email address of the recipient. The sender should check the recipient's email address and send again. This error can also occur if the recipient email address was correct in the past but has changed or has been removed from the destination email system.

If the sender of the message is in the same organization as the recipient, and the recipient's mailbox still exists, determine whether the recipient's mailbox has been relocated to a new email server. If this is the case, Outlook might not have updated the recipient cache correctly. Instruct the sender to remove the recipient's address from sender's Outlook recipient cache and then create a new message. Resending the original message will result in the same failure.

For more information, see Fix email delivery issues for error code 5.1.1 through 5.1.20 in Office 365.

5.4.1

Relay Access Denied

The mail server that's generating the error doesn't accept mail for the recipient's domain. This error is generally caused by mail server or DNS misconfiguration.

For more information, see Fix email delivery issues for error code 5.4.1 in Office 365.

5.4.6

Routing loop detected

A configuration error has caused an email loop. By default, after 20 iterations of an email loop, Exchange interrupts the loop and generates an NDR to the sender of the message.

This error occurs when the delivery of a message generates another message in response. That message then generates a third message, and the process is repeated, creating a loop. To help protect against exhausting system resources, Exchange interrupts the mail loop after 20 iterations. Mail loops are typically created because of a configuration error on the sending mail server, the receiving mail server, or both. Check the sender's and the recipient's mailbox rules configuration to determine whether automatic message forwarding is enabled.

For more information, see Fix email delivery issues for error code 5.4.6 through 5.4.20 in Office 365.

5.6.11

Invalid characters

Your email program added invalid characters (bare line feed characters) into a message you sent.

For more information, see Fix email delivery issues for error code 5.6.11 in Office 365.

5.7.1

Delivery not authorized

The sender of the message is not allowed to send messages to the recipient.

This error occurs when the sender tries to send a message to a recipient but the sender is not authorized to do this. This frequently occurs when a sender tries to send messages to a distribution group that has been configured to accept messages only from members of that distribution group or other authorized senders. The sender must request permission to send messages to the recipient.

This error can also occur if an Exchange transport rule rejects a message because the message matched conditions that are configured on the transport rule.

For more information, see Fix email delivery issues for error code 5.7.1 in Office 365.

5.7.1

Unable to relay

The sending email system is not allowed to send a message to an email system where that email system is not the final destination of the message.

This error occurs when the sending email system tries to send an anonymous message to a receiving email system, and the receiving email system does not accept messages for the domain or domains specified in one or more of the recipients. The following are the most common reasons for this error:

  • A third party tries to use a receiving email system to send spam, and the receiving email system rejects the attempt. By the nature of spam, the sender's email address might have been forged, and the resulting NDR could have been sent to the unsuspecting sender's email address. It is difficult to avoid this situation.

  • An MX record for a domain points to a receiving email system where that domain is not accepted. The administrator responsible for the specific domain name must correct the MX record or configure the receiving email system to accept messages sent to that domain, or both.

  • A sending email system or client that should use the receiving email system to relay messages does not have the correct permissions to do this.

For more information, see Fix email delivery issues for error code 5.7.1 in Office 365.

5.7.1

Client was not authenticated

The sending email system did not authenticate with the receiving email system. The receiving email system requires authentication before message submission.

This error occurs when the receiving server must be authenticated before message submission, and the sending email system has not authenticated with the receiving email system. The sending email system administrator must configure the sending email system to authenticate with the receiving email system for delivery to be successful.

For more information, see Fix email delivery issues for error code 5.7.1 in Office 365.

5.7.12

Sender was not authenticated by organization

The sender’s message is rejected because the recipient address is set up to reject messages sent from outside of its organization. Only an email admin for the recipient’s organization can change this.

For more information, see Fix email delivery issues for error code 5.7.12 in Office 365.

5.7.124

Sender not in allowed-senders list

The sender doesn't have permission to send to the distribution group because the sender is not in the group’s allowed-senders list. Depending how the group is set up, even the group's owner may need to be added to the allowed sender list in order to send messages to the group.

For more information, see Fix email delivery issues for error code 5.7.124 in Office 365.

5.7.133

Sender not authenticated for group

The recipient address is a group distribution list that is set up to reject messages sent from outside of its organization. Only an email admin for the recipient’s organization or the group owner can change this.

For more information, see Fix email delivery issues for error code 5.7.133 in Office 365.

5.7.134

Sender was not authenticated for mailbox

The recipient address is a mailbox that is set up to reject messages sent from outside of its organization. Only an email admin for the recipient’s organization can change this.

For more information, see Fix email delivery issues for error code 5.7.134 in Office 365.

5.7.13 or 135

Sender was not authenticated for public folder

The recipient address is a public folder that is set up to reject messages sent from outside of its organization. Only an email admin for the recipient’s organization can change this.

For more information, see Fix email delivery issues for error code 5.7.13 or 5.7.135 in Office 365.

5.7.136

Sender was not authenticated

The recipient address is a mail user that is set up to reject messages sent from outside of its organization. Only an email admin for the recipient’s organization can change this.

For more information, see Fix email delivery issues for error code 5.7.136 in Office 365.

5.7.25

Access denied, the sending IPv6 address [2a01:111:f200:2004::240] must have a reverse DNS record

The sending IPv6 address must have a reverse DNS record in order to send email over IPv6.

For more details, see Support for anonymous inbound email messages over IPv6.

5.7.501

Access denied, spam abuse detected

The sending account has been banned due to detected spam activity.

For details, see Fix email delivery issues for error code 451 5.7.500-699 (ASxxx) in Office 365.

Verify that any account issues have been resolved, and reset its credentials. To restore this account’s ability to send mail, contact support through your regular channel.

5.7.502

Access denied, banned sender

The sending account has been banned due to detected spam activity.

Verify that any account issues have been resolved, and reset its credentials. To restore this account’s ability to send mail, please contact support through your regular channel.

5.7.503

Access denied, banned sender

The sending account has been banned due to detected spam activity.

Verify that any account issues have been resolved, and reset its credentials. To restore this account’s ability to send mail, please contact support through your regular channel.

5.7.504

[email@contoso.com]: Recipient address rejected: Access denied

The recipient address that you are attempting to contact is not valid.

Verify the recipient’s email address, and try again.

5.7.505

Access denied, banned recipient

The recipient that you are attempting to contact is not valid.

If you feel this is in error, contact support.

5.7.506

Access Denied, Bad HELO

Your server is attempting to introduce itself (HELO according to RFC 821) as the server it is trying to connect to, rather than its own fully qualified domain name.

This is not allowed, and it is characteristic of typical spambot behavior.

5.7.507

Access denied, rejected by recipient

The IP that you are attempting to send from has been blocked by the recipient’s organization.

Contact the recipient in order to resolve this issue.

5.7.508

Access denied, [$SenderIPAddress] has exceeded permitted limits within $range range

The sender's IPv6 range has attempted to send too many messages in too short a time period.

Not applicable

5.7.509

Access denied, sending domain [$SenderDomain] does not pass DMARC verification

The sender's domain in the 5322.From address does not pass DMARC.

Not applicable

5.7.510

Access denied, [contoso.com] does not accept email over IPv6

The sender is attempting to transmit a message to the recipient over IPv6, but the recipient does not accept email messages over IPv6.

Not applicable

5.7.511

Access denied, banned sender

The account you are attempting to send from has been banned.

For more information, see Removing a user, domain, or IP address from a block list after sending spam email.

5.7.512

Access denied, message must be RFC 5322 section 3.6.2 compliant

Message was sent without a valid "From" email address.

Office 365 only. Each message must contain a valid email address in the "From" header field. Proper formatting of this address includes angle brackets around the email address, for example, <security@contoso.com>. Without this address Office 365 will reject the message.

5.7.513

Service unavailable, Client host [$ConnectingIP] blocked by $recipientDomain using Customer Block list (AS16012607)

The recipient domain has added your sending IP address to its custom block list.

The domain that received the email has blocked your sender's IP address. If you think your IP address has been added to the recipient domain’s custom block list in error, you need to contact them directly and ask them to remove it from the block list.

5.7.606-649

Access denied, banned sending IP [IP1.IP2.IP3.IP4]

The IP that you are attempting to send from has been banned.

Verify that you are following the best practices for email deliverability, and ensure your IPs’ reputations have not been degraded as a result of compromise or malicious traffic. If you believe you are receiving this message in error, you can use the self-service portal to request to be removed from this list. For more information, see Use the delist portal to remove yourself from the Office 365 blocked senders list.

5.7.700-749

Access denied, tenant has exceeded threshold

The majority of traffic from this tenant has been detected as suspicious and has resulted in a ban on sending ability for the tenant.

Ensure that any compromises or open relays have been resolved, and then contact support through your regular channel.

What's included in an NDR?

Exchange NDRs are designed to be easy to read and understand by email users and administrators. There are a couple of different formats for NDRs. The newest style NDR contains a problem description in everyday language, along with steps to fix it. The following figure shows the format for this type of NDR.

Newest format for delivery status notfication (DSN) in Office 365

Information provided in the newest style NDRs is designed to help the typical email user solve their problem immediately. When that isn't possible, the NDR provides details for administrators and also a link to more help on the web. The following fields appear in the newest Office 365 NDRs.

Field

Description

Office 365 logo   

This indicates that Office 365 generated the NDR. The logo doesn’t mean that Office 365 was responsible for the error. This tells which messaging endpoints or services are involved in the email transaction, which is not always clear in older style NDRs.

Cause   

This section provides the reason that the message wasn't delivered.

Fix-it owner indicator   

This section provides an at-a-glance view of the issue and who needs to fix it. The image shows the three basic parties in an Office 365 email transaction—the sender, Office 365, and the recipient. The area marked in red is where the problem usually must be fixed.

How to fix it   

This section is designed for the end-user or the email sender who receives the NDR. It explains how to fix the issue.

More info for email admins    

This section provides a detailed explanation of the problem and solution along with technical details and a link to a web-based article that has detailed reference information.

Message hops   

This section contains times and system references for the message, which allows an admin to follow the message’s hops or server-to-server path. With this info, an admin might quickly spot problems between message hops.

For NDRs that don't have the latest format, the information might be separated into two sections: User information, and Diagnostic information for administrators. The following figure shows the format for one type of Exchange Online NDR.

NDR showing User and Administrator Diagnostic Info

User information

The user information section appears first in some NDRs, and the main purpose is to provide a summary about what went wrong. The text is designed to help the message sender determine why the message was rejected and, if possible, how to resend the message successfully. The email address of each recipient is listed, and the reason for the failure is included in the space below the recipient's email address. The name of the mail server that rejected the message may also be included in this section.

Diagnostic information for administrators

The Diagnostic information for administrators section provides deeper technical information to help administrators troubleshoot the message delivery problem. It contains detailed information about the specific error that occurred during delivery of the message, the server that generated the NDR, and the server that rejected the message. This section uses the following format:

Diagnostic information for administrators

Generating server: 
<server name>
<rejected recipient>
<remote server>
<enhanced status code>
<SMTP response> Original message headers <message header fields>

Field

Description

Generating server   

This field indicates the name of the SMTP mail server that created the NDR. If no remote server is listed below the sender's email address, the generating server is also the server that rejected the original email message. When the remote mail server acknowledges and accepts the message, but later rejects the message, for example, because of content restrictions, the remote server generates the NDR. If the remote mail server never acknowledges and never accepts the message, the sending server in Exchange Online generates the NDR.

<Rejected recipient>   

This value is the email address of the recipient. If delivery failed to more than one recipient, the email address for each recipient is listed. The following information is also included for each failed recipient:

Field

Description

<Remote server>   

This value is the name of the mail server that rejected the message. If the original message is successfully acknowledged by the receiving server, but is later rejected, the remote server value isn't populated.

<Enhanced status code>   

This value is assigned by the mail server that rejected the original message and indicates why the message was rejected. These codes are defined in RFC 3463, and use the format abc x.y.z, where the placeholder values are integers. For example, a 5.x.x code indicates a permanent error, and a 4.x.x code indicates a temporary error. Although the enhanced status code is often generated by an external mail server, Exchange Online uses the enhanced status code value to determine the text to display in the user information section.

<SMTP response>   

This value is returned by the mail server that rejected the original message. This text provides an explanation for the enhanced status code value. The text is always presented in US-ASCII format.

Original message headers   

This section contains the message header fields of the rejected message. These header fields can provide useful diagnostic information, such as the path that the message took before it was rejected, or whether the To field value matches the rejected recipient value.

How to interpret an Exchange NDR

Here's an example. Suppose you receive an Exchange NDR that contains the following information:

Delivery has failed to these recipients or groups:

ronald@contoso.com
Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery. The following organization rejected your message: mail.contoso.com.

Diagnostic information for administrators:

Generating server: alpineskihouse.com

ronald@contoso.com
mail.contoso.com #<exchange.contoso.com #5.7.1 smtp;530 5.7.1 Client was not authenticated> #SMTP#


Original message headers:
...

From the user information section, you can determine that the recipient is Ronald Slattery, and that the message was rejected by the mail server mail.contoso.com, which isn't an Exchange Online or Exchange Online Protection mail server.

From the Diagnostic information for administrators section, you can see that alpineskihouse.com attempted to connect to the server mail.contoso.com to deliver the message to the recipient ronald@contoso.com. However, mail.contoso.com responded with the error 530 5.7.1 Client was not authenticated. Even though bigfish.com generated the NDR, mail.contoso.com actually rejected the message, so the administrators at contoso.com are responsible for understanding and fixing the problem. This particular error indicates that the server mail.contoso.com is configured not to accept anonymous email from the Internet.

Although the Original message headers are omitted from this example due to their length and complexity, you can typically extract useful information from the following header fields:

  • To:   This field may be helpful if the email address was mistyped.

  • Received:   These fields can tell you what the path was for the message, and the last hop that generated the delivery status notification if it isn’t easy to tell from the Generating server value in the NDR.

  • Received-SPF:   If this value is anything other than pass, check the Sender Policy Framework (SPF) DNS record for your domain. For more information, see Add or edit custom DNS records in Office 365.

Still need help with NDRs or other status notifications?

Get help from the Office 365 community forums Admins: Sign in and create a service request Admins: Call Support
Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×