Microsoft 550 5.7.15 Bulk Sender Diagnostic

Outlook started rejecting bulk-sender mail that fails DMARC verification on 5 May 2025. Diagnose your domain against Microsoft's high-volume sender requirements and get the exact DNS records to publish.

Why are my messages bouncing with 550 5.7.15?

On 5 May 2025, Microsoft announced and immediately began enforcing new requirements for any sender pushing 5,000 or more messages per day to Outlook.com, Hotmail, or Live.com. Non-compliant senders get rejected at SMTP with the diagnostic:

550 5.7.15 access denied, sending domain DOMAIN does not pass DMARC verification

The fix is rarely about message content — it is almost always about three DNS records: SPF, DKIM, and DMARC. This tool checks all three plus the supporting transport-security records that Microsoft itself publishes for outlook.com. The most common SPF root cause is the 10-lookup PermError — the SPF Flattener resolves it in one pass.

Microsoft's bulk-sender requirements

The full list from Microsoft's Tech Community announcement and the High-Volume Sender Requirements page:

| Control | Status | What Microsoft does on failure |
| --- | --- | --- |
| SPF aligned | Required | 550 5.7.15 reject at SMTP |
| DKIM signed & aligned | Required | 550 5.7.15 reject at SMTP |
| DMARC at p=none or stricter | Required | 550 5.7.15 reject at SMTP |
| One-click unsubscribe (RFC 8058) | Required for marketing | Soft-fold to Junk for now |
| Low spam complaint rate | Required | Throttling, then full block |
| TLS for SMTP delivery | Required | Connection refused |

What this tool covers

DNS-borne controls only: SPF, DMARC, MTA-STS, TLS-RPT, DNSSEC. DKIM cannot be verified from DNS alone because the selector is not discoverable — use the DKIM Checker with your specific selector to confirm the key. One-click unsubscribe lives in the message headers, not DNS; use the Email Header Analyzer on a sample message.

Volume threshold — am I in scope?

The 5,000/day threshold is per sending domain, per receiving tenant. Transactional sends count. Marketing sends count. Internal team emails count if the recipient is on Outlook. If the volume is borderline, treat yourself as in-scope — the moment a single product launch pushes you over, the rejections start without warning.

Common 550 5.7.15 root causes (in order)

  • SPF flat-out missing. Most common. Publish a record listing every sender (use the SPF Generator).
  • SPF lookup overflow. 10-DNS-lookup limit exceeded means the record evaluates to PermError — which Microsoft reads as fail. Use the SPF Flattener.
  • SPF misalignment. SPF passes for the bounce address but the From header is a different organisational domain. DMARC alignment fails and Microsoft rejects.
  • DKIM missing on a new sender. An ESP added last week was not enrolled with DKIM. Check your DMARC aggregate reports.
  • DMARC missing. Less common in 2026 but it happens. Microsoft will not even evaluate alignment without the policy.
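
The SPF lookup overflow in the list above can be caught before a record is published. The following is an added example, not code from this tool or from Microsoft: it walks include and redirect chains and counts the DNS-querying terms that RFC 7208 caps at 10. ZONE and every domain in it are constructed stand-ins for live TXT lookups.

```python
import re

# Constructed sample data: a dict standing in for DNS TXT answers (all names made up).
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mailer.test include:_spf.crm.test "
                    "include:_spf.desk.test ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test "
                        "include:_c.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.mailer.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_c.mailer.test": "v=spf1 exists:%{i}.bl.mailer.test ~all",
    "_spf.crm.test": "v=spf1 a:out.crm.test mx:crm.test include:_spf.desk.test ~all",
    "_spf.desk.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "flat.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
}

# Terms that trigger a DNS query (RFC 7208, section 4.6.4); ip4, ip6 and all do not.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")
LIMIT = 10


def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record.

    A live evaluator stops at the first matching mechanism, so it may use fewer.
    The void-lookup and per-MX limits of RFC 7208 are not modelled here.
    """
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    total = 0
    # A missing record contributes no further terms; skip the "v=spf1" tag.
    for term in zone.get(domain, "").split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHS:
            total += 1
        if name == "include":  # the included record's terms count too
            total += count_lookups(term.split(":", 1)[1], zone, path + (domain,))
    return total


def verdict(domain, zone=ZONE):
    """Return ("permerror" or "ok", lookup count) for the domain."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LIMIT else "ok", n)
```

In the sample zone, `example.test` lists only five lookup terms in its own record, but the nested includes bring the total to 12; `_spf.desk.test` is counted twice because it is included twice.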

Outside this tool's scope

Bulk-sender reputation, spam-complaint thresholds, and IP warmup are operational and not visible in DNS. If your domain passes everything above and you are still hitting rejections, your sending IP reputation is likely the cause — check it via the Blacklist Check.
