Published · Last verified · Maintained by TamingDNS

🪟 Microsoft 365 / Outlook SMTP Error Code Directory

Microsoft 365 bounce emails are packed with internal component names like RESOLVER and STOREDRV alongside standard SMTP codes, which makes them look far more intimidating than they are. This directory translates every Exchange Online rejection into plain English, with a fix for each one.

Provider
Microsoft 365 / Exchange Online / Outlook.com
Key Identifiers
RESOLVER · STOREDRV · protection.outlook.com
MX Hostname Pattern
*.mail.protection.outlook.com

How to Identify a Microsoft 365 Bounce

Microsoft 365 NDRs arrive from [email protected] or postmaster@<tenant>.onmicrosoft.com. The Diagnostic-Code often includes a proprietary component name like RESOLVER (routing/addressing) or STOREDRV (mailbox store delivery). 

Diagnostic-Code: smtp; 550 5.7.13
  STOREDRV.Deliver.Exception:AccountDisabledException.MapiExceptionADUserDisabledAndHidden;
  Failed to process message due to a permanent exception with message [BeginDiagnosticData]...

The component prefix (STOREDRV, RESOLVER, QUEUE) tells you which part of Exchange Online rejected the message. See the glossary below.

Microsoft 365 Error Codes

15 codes with Microsoft 365-specific behaviour. Critical (Tier 1) codes appear first.

🟡 421 4.4.7 CRITICAL
Message Expired in Queue
Microsoft 365 uses 4.4.7 when your message cannot be delivered within 24 hours. NDR typically arrives with subject "Delivery delayed".
Full explanation & fix →
🔴 501 5.1.8 CRITICAL
Bad Sender Address
Microsoft 365 returns this when the sender domain cannot be found in DNS. Ensure your domain has valid DNS records.
Full explanation & fix →
🔴 535 5.7.8 CRITICAL
Authentication Credentials Invalid
Microsoft 365 may require Modern Authentication (OAuth 2.0) for SMTP. If Basic Auth is disabled, configure your client for OAuth.
Full explanation & fix →
🔴 550 5.1.1 CRITICAL
Mailbox Does Not Exist
Microsoft 365 returns: "Recipient not found by SMTP address lookup." Check the address in the GAL if sending to an internal mailbox.
Full explanation & fix →
🔴 550 5.2.1 CRITICAL
Mailbox Disabled
Microsoft 365 uses 5.2.1 when an Exchange Online mailbox has been disabled or the account has been deactivated.
Full explanation & fix →
🔴 550 5.4.1 CRITICAL
Recipient Address Rejected
Microsoft 365 commonly returns 5.4.1 as "Recipient address rejected: Access denied" for policy-blocked senders. Use the Microsoft delist portal.
Full explanation & fix →
🔴 550 5.7.1 CRITICAL
Message Rejected by Policy
Microsoft 365 returns 5.7.1 when the sender IP or domain reputation is poor. Check with Microsoft SNDS.
Full explanation & fix →
🔴 550 5.7.13 CRITICAL
User Account Disabled
This is a Microsoft 365-specific code. The user's account is blocked or disabled in Azure AD. Only the receiving organisation's IT admin can resolve this.
Full explanation & fix →
🔴 550 5.7.14 CRITICAL
Trust Relationship Required
Microsoft 365 returns 5.7.14 when Basic Auth is disabled and the client hasn't migrated to Modern Auth. This is increasingly common as Microsoft rolls out Basic Auth deprecation.
Full explanation & fix →
🔴 550 5.7.26 CRITICAL
DMARC Policy Violation
Microsoft 365 enforces DMARC rejection for inbound mail to Office 365 mailboxes. From May 2025, Outlook.com/Hotmail/Live also require SPF, DKIM and DMARC for senders over 5,000 messages a day, and reject non-compliant mail with 550 5.7.515.
Full explanation & fix →
🔴 550 5.7.515 CRITICAL
Outlook Rejects Unauthenticated High-Volume Sender
Microsoft started enforcing this on 5 May 2025 for senders of more than 5,000 messages a day to Outlook.com, Hotmail and Live. Non-compliant mail is initially routed to Junk and then rejected with 550 5.7.515.
Full explanation & fix →
🔴 552 5.2.3 CRITICAL
Message Too Large for Mailbox
Microsoft 365 has a 25 MB default receive limit. This can be raised by Exchange admins up to 150 MB.
Full explanation & fix →
🔴 552 5.3.4 CRITICAL
Message Too Big for System
Microsoft 365 default system limit is 25 MB. Enterprise plans can configure up to 150 MB per organisation.
Full explanation & fix →
🟡 451 4.7.1
Temporary Auth / Policy Hold
Microsoft 365 uses 451 4.7.1 for DMARC-related temporary deferrals. Fixing alignment usually resolves it.
Full explanation & fix →
🔴 550 5.2.4
Mailing List Expansion Problem
Microsoft 365 returns 5.2.4 when a distribution group cannot be expanded, often due to a disabled owner or a group with no members.
Full explanation & fix →

Microsoft NDR Component Glossary

The component prefix in an Exchange Online NDR tells you which subsystem rejected or failed to deliver the message.

RESOLVER
Routing and address resolution layer. Errors here mean Exchange couldn't find or route to the recipient's mailbox.
STOREDRV
Store Driver: the component that writes messages to the mailbox database. Errors here mean the mailbox exists but can't accept messages (disabled, locked, full).
QUEUE
Mail queue: appears in 4.4.7 (expired) and other delivery-delay NDRs. Indicates the message spent too long waiting to be delivered.
FilteringService
Exchange Online Protection (EOP) anti-spam and policy engine. Errors here mean your message was blocked by Microsoft's inbound filtering rules.

Microsoft Sender Tools

Microsoft provides two free tools for senders who are being blocked by Exchange Online:

Delist Portal
If your IP is blocked by Microsoft 365 (5.4.1 or 5.7.1), submit it here for manual review and removal.
sender.office.com →
SNDS (Smart Network Data Services)
Shows the complaint rate and block status for IPs sending to Microsoft 365 mailboxes. Free to register.
SNDS portal →

Frequently Asked Questions

Common questions about Microsoft 365 SMTP errors and Exchange Online NDRs.

NDR stands for Non-Delivery Report, Microsoft's name for the bounce email you receive when Exchange Online cannot deliver your message. NDRs always include a status code like 5.7.26, and often include a component name like STOREDRV or RESOLVER that tells you which part of Exchange rejected the message. That component name is the fastest way to narrow down the cause.

Error 5.4.1 is Microsoft's way of saying your sending IP has a poor reputation in their system. It is the most common blocklist-style rejection from Exchange Online, and it catches a lot of legitimate senders who are on cloud or shared infrastructure. Use the Delist Portal to request removal, and check your IP's standing in SNDS to understand what Microsoft sees about your traffic.

Microsoft is phasing out the old username-and-password method of SMTP authentication (called Basic Auth) in favour of OAuth 2.0, which is what they call Modern Authentication. If you get a 5.7.14 error, it means the email client or app you are using is still trying to log in the old way on an account where Microsoft has turned that off. The fix is to update your client or application to use OAuth 2.0. Older SMTP libraries often need a code change to support this.

A 5.7.13 error means Microsoft's system has flagged the recipient's account as blocked, but it does not always mean the person was intentionally disabled. It can happen after a forced password reset, a suspicious login alert, or even a brief licensing hiccup that temporarily removed the Exchange Online licence. The only person who can fix this is the recipient's IT admin, who needs to re-enable the account in Azure AD or Entra ID.

Other Provider Directories

Google / Gmail
View directory →
Yahoo / AOL
View directory →
Apple iCloud
View directory →
Comcast / Xfinity
View directory →
Proofpoint
View directory →
Mimecast
View directory →
🔍

Got a Microsoft 365 bounce to decode?

Paste your full NDR email or SMTP error line for an instant plain-English diagnosis.

Open the Bounce Decoder →