Error code 5.7.1 through 5.7.999 in Exchange Online and Office 365

Here’s what to do if you get delivery status notification (DSN) error code 5.7.1 or NDR 5.7.1 in a non-delivery report (NDR). This information also applies to error codes 5.7.0 through 5.7.999 in Exchange Online and Office 365. There can be several causes for DSN error code 5.7.1, but it might happen if you send email to an address where delivery is restricted. Some causes and solutions for this restricted-delivery error are provided later in this topic.

If you sent a message and then received NDR 5.7.1 or 5.7.0 through 5.7.999

There are several common reasons for this error. Generally, the error indicates that a security policy or restriction is preventing your message from reaching the recipient. It might be one of the following problems:

  • You don’t have permission to send to the recipient.

  • You don’t have permission to send to the distribution group or one of its subgroups.

  • You don’t have permission to send email through an email server that’s between you and the recipient.

  • Your message was routed to the wrong email server.

The following figure shows an example of the user information section and Diagnostic information for administrators section of an NDR.

[Figure: NDR showing User and Administrator Diagnostic Info]

Tips for fixing the problem that is causing DSN error code 5.7.1 or 5.7.0 through 5.7.999

Very seldom can you fix this problem on your own. Most of the time, either the recipient or the recipient’s email administrator has to update their email settings. However, here are a few things you can try.

If the recipient is outside of your organization - Ask the recipient to ask their email administrator to configure the recipient’s mailbox so that it accepts email from external or anonymous senders.

If you’re sending to an internal distribution group - You might not have permission to send to the group or to one of its subgroups. In this case, the NDR includes the names of the restricted groups that you don’t have permission to send to. Ask the owner of the restricted group to grant you permission to send messages to it. If you don’t already know the group’s owner, you can find it by doing the following in either Outlook Web App or Outlook.

  1. Select the NDR 5.7.1 message.

  2. In Outlook Web App, choose the group name located in the To line. In Outlook, double-click the group name.

  3. In Outlook Web App, from the pop-up dialog box, choose Owner. In Outlook, choose Contact.

If you’re sending to a large distribution group - Groups with more than 5,000 members have the following three restrictions automatically applied:

  • You must be a member of the group in order to send mail to it.

  • Messages sent to the group require approval by a moderator.

  • Large messages can’t be sent to the group. However, you’ll receive a different NDR than 5.7.1 if that’s the issue. See Exchange Online Limits.

To resolve the issue, join the group, or ask the group’s owner or moderator to approve your message. Refer them to the “If you’re the owner of a restricted distribution group” section later in this topic.

If none of the previous steps apply or solve your issue, contact the recipient’s email administrator, and refer them to the “If you’re an Office 365 email administrator” section later in this topic.

If you’re the owner of a restricted distribution group

If someone sent a message to your distribution group and they received NDR 5.7.1, and you want to let them send to your group, try one of the steps here.

Remove the sender restriction - To grant the sender permission to send to your distribution group, you can change the group properties in one of the following ways:

  • Add the sender’s email address to the group’s list of allowed senders.

  • Add the sender’s email address to the group or ask them to join the group.

  • If the sender is restricted because they’re outside your organization, you can configure the group to accept messages from external senders.

  • If you’ve configured a transport rule to restrict certain senders or groups of senders, you can modify the rule to accept messages from the sender.

Restrictions on large groups - Groups with more than 5,000 members have the following three restrictions automatically applied:

  • Senders must be a member of the group.

  • Messages sent to the group require approval by a moderator.

  • Large messages can’t be sent to the group (but you’ll receive a different NDR from this one if that’s the issue). See Exchange Online Limits.

To resolve the issue for the sender, approve their message, or add them to the group.

Managing distribution groups - For more information about how to configure a distribution group for moderation, see Configure a moderated recipient in Exchange Online. For more information about managing groups, see Manage Distribution Groups.

If you’re an Office 365 email administrator

If the steps in the above section do not solve the issue for the sender, the solution likely requires action by the recipient’s email administrator. This can include reconfiguring settings for the recipient, distribution group, organization, or domain.

How do I fix the problem that is causing NDR 5.7.1 or 5.7.0 through 5.7.999?

If you’re an email administrator and you need to help solve a 5.7.1 NDR issue, find the section here that seems to match your problem, and follow the guidance provided.

If the sender is outside of your organization - Configure the recipient or your mail servers to accept mail from external or anonymous senders.

When external users try to send mail to mail-enabled public folders in Office 365 - When external users try to send email messages to mail-enabled public folders in Office 365, they receive an NDR that contains the following error code:

Remote Server returned '<xxxxxxxx> #5.7.1 smtp;550 5.7.1 RESOLVER.RST.AuthRequired; authentication required [Stage: CreateMessage]>'

To change the behavior so that mail-enabled public folders can accept mail from external senders, follow these steps:

  1. Connect to Exchange Online by using remote PowerShell. For more info about how to do this, see Connect to Exchange Online using remote PowerShell.

  2. Add permission for the Anonymous account to public folders. To do this, run the following command:

    Add-PublicFolderClientPermission -identity <Public Folder> -User Anonymous -AccessRights CreateItems

    Refer to Knowledge Base article 2984402.

If the sender is outside your organization and their email server IP address has been put on Microsoft’s blocklist - In these cases, the NDR the sender receives would include information in the Diagnostics for administrators section similar to this:

5.7.1 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using Blocklist 1; To request removal from this list please forward this message to delist@messaging.microsoft.com

Forward the NDR message to delist@messaging.microsoft.com.
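As an added example (not part of the original article and not Microsoft code), the following Python sketch triages NDR diagnostic lines into the cases described above: authentication required, blocklisted sending host, or another 5.7.x restriction. The function name, the result fields and the sample lines are assumptions made for illustration; the samples are constructed from the diagnostics quoted on this page.

```python
import re

# Enhanced status code such as "5.7.1"; the lookarounds keep it from
# matching inside an IP address or a longer dotted number.
STATUS_RE = re.compile(r"(?<![\d.])([245])\.(\d{1,3})\.(\d{1,3})(?!\d|\.\d)")
# Bracketed sending host from the blocklist diagnostic quoted above.
HOST_RE = re.compile(r"Client host \[([^\]]+)\] blocked using", re.IGNORECASE)


def triage_ndr(diagnostic):
    """Classify one NDR diagnostic line into the cases this article covers."""
    result = {"code": None, "in_scope": False, "cause": "no status code", "host": None}
    match = STATUS_RE.search(diagnostic)
    if not match:
        return result
    cls, subject, detail = (int(g) for g in match.groups())
    result["code"] = f"{cls}.{subject}.{detail}"
    if (cls, subject) != (5, 7):  # article scope is 5.7.0 through 5.7.999
        result["cause"] = "outside 5.7.x"
        return result
    result["in_scope"] = True
    blocked = HOST_RE.search(diagnostic)
    if "RESOLVER.RST.AuthRequired" in diagnostic:
        result["cause"] = "recipient accepts authenticated senders only"
    elif blocked:
        result["cause"] = "sending host is on a blocklist"
        result["host"] = blocked.group(1)
    else:
        result["cause"] = "other permission or policy restriction"
    return result


# Constructed samples: the first two follow the diagnostics quoted on this
# page (203.0.113.25 is a documentation address); the third is out of scope.
SAMPLES = [
    "Remote Server returned '<xxxxxxxx> #5.7.1 smtp;550 5.7.1 "
    "RESOLVER.RST.AuthRequired; authentication required [Stage: CreateMessage]>'",
    "5.7.1 Service unavailable; Client host [203.0.113.25] blocked using "
    "Blocklist 1; To request removal from this list please forward this message",
    "550 5.1.1 User unknown",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage_ndr(line))
```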

Domain isn't fully enrolled in Office 365 - Try the following steps to resolve this issue.

  • Verify your domain appears as Active in the Office 365 portal at https://portal.office.com.

  • For information about adding your domain to Office 365, see Domains in Office 365.

  • To troubleshoot domain verification issues, see Microsoft Knowledge Base article 2515404.

Incorrect MX record - Try the following steps to resolve this issue.

  1. Check the sender and recipient domains for incorrect or stale MX records by running the Mailflow Troubleshooter.

  2. Check with your domain registrar or DNS hosting service to verify the MX record for your domain is correct. The MX record for a domain that's enrolled in Exchange Online uses the syntax <domain>.mail.protection.outlook.com.

  3. Run the Verify MX Record and Outbound Connector Test at Office 365 > Mail Flow Configuration in the Microsoft Remote Connectivity Analyzer.

  4. Verify you have only one MX record configured for your domain. Microsoft doesn’t support using more than one MX record for a domain that's enrolled in Exchange Online.
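The two MX conditions in the steps above (a single record, pointing at a host under mail.protection.outlook.com) can be checked against a saved DNS answer. This Python sketch is an added example, not part of the original article; it assumes input in the "preference target" shape that `dig +short MX` prints, and the contoso names are constructed sample values.

```python
# Suffix taken from the syntax given above; the leading dot requires a
# label in front of it, so the bare suffix or a look-alike does not pass.
EOP_SUFFIX = ".mail.protection.outlook.com"


def parse_mx(answer_text):
    """Parse 'preference target' lines into sorted (preference, host) pairs."""
    records = []
    for line in answer_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank lines and anything that is not an MX answer
        # DNS names are case-insensitive and may carry a trailing root dot.
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def check_mx(answer_text):
    """Return a list of findings; an empty list means both checks passed."""
    records = parse_mx(answer_text)
    findings = []
    if not records:
        findings.append("no MX record found")
    if len(records) > 1:
        findings.append(f"{len(records)} MX records; only one is supported")
    for _pref, target in records:
        if not target.endswith(EOP_SUFFIX):
            findings.append(f"MX {target} does not point to Exchange Online")
    return findings


# Constructed sample answers for a hypothetical domain contoso.com.
GOOD = "0 contoso-com.mail.protection.outlook.com.\n"
STALE = "10 mail.contoso.com.\n0 contoso-com.mail.protection.outlook.com.\n"

if __name__ == "__main__":
    print(check_mx(GOOD))
    print(check_mx(STALE))
```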

Incorrect SPF record - The Sender Policy Framework (SPF) record for your domain might be incomplete and might not include all sources of mail for your domain. For more information about verifying your SPF record, see Customize an SPF Record to Validate Outbound Email Sent from Your Domain.

Combined on-premises and cloud hybrid deployment configuration issues - If your domain is part of a hybrid deployment between Exchange and Exchange Online, check the following items.

Even though the Hybrid Configuration Wizard automatically configures the inbound and outbound connectors in the Exchange Online Protection (EOP) service, you can verify that the connector settings are correct. If the connectors used for the hybrid deployment are configured incorrectly, your Exchange administrator needs to rerun the Hybrid Configuration Wizard in the on-premises Exchange organization.

Verify the configuration of the inbound connector that's used for hybrid. For more information, see Microsoft Knowledge Base article 2827473.

Verify the configuration of the outbound connector that's used for hybrid by following these steps:

  1. Open the Office 365 portal at https://portal.microsoftonline.com, and click Admin > Exchange.

  2. In the Exchange admin center, click Mail Flow > Connectors. In the Outbound connectors section, select the connector that's used for hybrid, and choose Edit. Verify the following information:

    • Delivery - If Route mail through smart hosts is selected, confirm the correct IP address or FQDN is specified. If MX record associated with the recipient domain is selected, confirm the MX record for the domain points to the correct mail server.

      You can test your MX record and your ability to send mail from your Exchange Online organization by using the Verify MX Record and Outbound Connector Test at Office 365 > Mail Flow Configuration in the Microsoft Remote Connectivity Analyzer.

    • Scope - If you need to route inbound Internet mail to your on-premises Exchange organization, Domains needs to include all email domains that are used in your on-premises organization. You can use the value asterisk (*) to also route all outbound Internet mail through the on-premises organization.

For more information about transport routing in hybrid deployments, see Transport Routing in Exchange 2013 Hybrid Deployments.


