BETA

Bounce Decoder: 550 5.7.14

SPF, DKIM, DMARC, FCrDNS, Blacklists & Inbox Prediction

🔧 Related Tools

ANALYSIS TOOLS
🔒 Full Checker Complete email deliverability scan: SPF, DKIM, DMARC, MX, blacklists & more. 📨 SPF Check and visualise your SPF record including the full DNS lookup tree. 🔑 DKIM Scan all known DKIM selectors and validate key strength for your domain. 📧 Email Headers Analyse raw email headers to trace delivery path and authentication results. 📬 Bounce Decoder Decode NDR bounce messages and SMTP error codes to diagnose delivery failures. 🦁 BIMI Verify your BIMI logo record and VMC certificate status. 🔐 DNSSEC Validate the DNSSEC chain of trust: DS, DNSKEY, and RRSIG records. 🔒 MTA-STS Check your MTA-STS DNS record and TLS policy file for enforced encryption. 📋 TLS-RPT Validate your TLS-RPT reporting address for email transport encryption reports. 🌍 WHOIS Look up domain registration details via RDAP.
DIAGNOSTIC TOOLS
🚫 Blacklist / RBL Check IPs and domains against major email blacklists and RBLs. 🌐 DNS Propagation Check DNS record propagation across multiple global resolvers simultaneously.
BUILDER TOOLS
✅ DMARC Builder Build a DMARC TXT record with the right policy, RUA/RUF and subdomain options. 🛠 SPF Builder Generate a validated SPF record by selecting your email senders. 📝 Route 53 Splitter Split long DKIM or SPF TXT records for AWS Route 53's 255-character limit.

550 5.7.14 — Trust Relationship Required

The 550 5.7.14 error means Microsoft 365 requires the sender to authenticate first via browser login. Learn what causes it and how to configure sending correctly.

🔴
Permanent Failure (Hard Bounce)
SMTP Code
550
Enhanced Code
5.7.14
Category
Trust Relationship Required
Frequency
Very Common

🔢 Enhanced Status Code Breakdown: 5.7.14

Component Value Meaning
Class 5 Permanent failure
Subject 7 Security or policy
Detail 14 Trust Relationship Required

Per RFC 3463 Enhanced Mail System Status Codes. Class (X) = severity, Subject (Y) = category, Detail (Z) = specific condition.

💬 What This Error Means

Microsoft 365 is requiring you to authenticate via a web login before sending email. This typically appears when a client is using Basic Authentication and the tenant has disabled it in favour of Modern Authentication (OAuth 2.0).

Common Causes

  • Microsoft 365 tenant has disabled Basic Authentication
  • Email client is not configured to use OAuth 2.0 / Modern Authentication
  • App or service using SMTP AUTH without the required permissions
  • Account requires multi-factor authentication that has not been completed

How to Fix This

  • Configure your email client or app to use OAuth 2.0 / Modern Authentication
  • For apps that cannot use OAuth, enable SMTP AUTH for the specific account in Microsoft 365 Admin
  • If MFA is required, complete the authentication challenge
  • Contact your Microsoft 365 administrator to check auth policies

🏢 Provider-Specific Variations

Microsoft 365 / Outlook

Microsoft 365 returns 5.7.14 when Basic Auth is disabled and the client hasn't migrated to Modern Auth. This is increasingly common as Microsoft rolls out Basic Auth deprecation.

📖 Microsoft 365 / Outlook documentation →

📋 Real-World Example Messages

These are real bounce message formats you might receive. Paste yours into the Bounce Decoder for instant analysis. 

550 5.7.14 Access denied. The user needs to sign in first.
550 5.7.14 <https://aka.ms/mfasetup>

🔗 Related Error Codes

535 5.7.8
Authentication Credentials Invalid
534 5.7.9
Authentication Mechanism Too Weak

📚 Official Documentation

Microsoft 365 SMTP Auth configuration Microsoft Basic Auth deprecation

🔧 This Bounce Is Related to Email Authentication

Fixing this type of bounce requires correctly configured SPF, DKIM, and DMARC records. Our free Domain Checker analyses all three in one scan and tells you exactly what to fix.

Run a Free Domain Authentication Check →
🔍

Got a bounce message to decode?

Paste your full NDR email, SMTP error line, or mail log fragment to get an instant plain-English diagnosis.

Open the Bounce Decoder →