How can you interpret extended SMTP responses (e.g., 5.7.1)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You're staring at a bounce message that says something like 550 5.7.1 and wondering what on earth it means. The three-digit number is the basic SMTP code, but the X.Y.Z part after it is the extended status code. That second part is where the real story lives.
Here's how to read it. Each position tells you something specific:
- First digit (class): Is this permanent or temporary? A 5 means permanent. Don't retry. Fix the problem first. A 4 means temporary. The receiving server is saying "not right now" rather than "never." Your ESP should retry those automatically.
- Second digit (subject): What category of problem is this? A 7 means security or policy. A 1 means addressing or routing. A 2 means mailbox-specific (like a full inbox). Different numbers point you to different corners of the problem.
- Third digit (detail): The specific sub-issue within that category. So 5.7.1 = permanent failure, security or policy, delivery not authorized. The receiving server is saying your message was refused because you're not cleared to send there.
Taking 5.7.1 as the example: this almost always means one of a few things. Your domain's SPF record didn't pass. Your DKIM signature failed or is missing. Your domain is on a blocklist. Or the receiving server's policy flat-out blocks messages from your sending IP.
The fix depends on which it is. Start by checking your authentication records. If SPF and DKIM look fine, the next step is checking whether your domain or IP has been listed somewhere it shouldn't be. You can do that with our free Blocklist Checker in about 30 seconds.
If the error message from the receiving server includes more text after the code, read it. Servers like Gmail and Outlook often include a plain-English explanation right there in the bounce. That's your fastest clue.
One thing worth knowing: 5.7.X codes are broadly about security and policy, but the third digit matters a lot. 5.7.1 is "not authorized to send." 5.7.26 is a DMARC failure. 5.7.25 usually points to reverse DNS problems. They all start with the same two digits, but the third one tells you exactly where to dig.
If you're getting a 5.7.1 and can't figure out why, it's worth running your headers through our free Email Header Analyzer to see exactly where authentication broke down.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.