Microsoft 365 / Outlook SMTP Error Code Directory

Microsoft 365 bounce emails are packed with internal component names like RESOLVER and STOREDRV alongside standard SMTP codes — which makes them look far more intimidating than they are. This directory translates every Exchange Online rejection into plain English, with a fix for each one.

Provider

Microsoft 365 / Exchange Online / Outlook.com

Key Identifiers

RESOLVER · STOREDRV · protection.outlook.com

MX Hostname Pattern

*.mail.protection.outlook.com

How to Identify a Microsoft 365 Bounce

Microsoft 365 NDRs arrive from [email protected] or postmaster@<tenant>.onmicrosoft.com. The Diagnostic-Code often includes a proprietary component name like RESOLVER (routing/addressing) or STOREDRV (mailbox store delivery).

Diagnostic-Code: smtp; 550 5.7.13
  STOREDRV.Deliver.Exception:AccountDisabledException.MapiExceptionADUserDisabledAndHidden;
  Failed to process message due to a permanent exception with message [BeginDiagnosticData]...

The component prefix (STOREDRV, RESOLVER, QUEUE) tells you which part of Exchange Online rejected the message. See the glossary below.

Microsoft 365 Error Codes

14 codes with Microsoft 365-specific behaviour. Critical (Tier 1) codes appear first.

🟡 421 4.4.7 CRITICAL

Message Expired in Queue

Microsoft 365 uses 4.4.7 when your message cannot be delivered within 24 hours. NDR typically arrives with subject "Delivery delayed".

Full explanation & fix →

🔴 501 5.1.8 CRITICAL

Bad Sender Address

Microsoft 365 returns this when the sender domain cannot be found in DNS. Ensure your domain has valid DNS records.

Full explanation & fix →

🔴 535 5.7.8 CRITICAL

Authentication Credentials Invalid

Microsoft 365 may require Modern Authentication (OAuth 2.0) for SMTP. If Basic Auth is disabled, configure your client for OAuth.

Full explanation & fix →

🔴 550 5.1.1 CRITICAL

Mailbox Does Not Exist

Microsoft 365 returns: "Recipient not found by SMTP address lookup." Check the address in the GAL if sending to an internal mailbox.

Full explanation & fix →

🔴 550 5.2.1 CRITICAL

Mailbox Disabled

Microsoft 365 uses 5.2.1 when an Exchange Online mailbox has been disabled or the account has been deactivated.

Full explanation & fix →

🔴 550 5.4.1 CRITICAL

Recipient Address Rejected

Microsoft 365 commonly returns 5.4.1 as "Recipient address rejected: Access denied" for policy-blocked senders. Use the Microsoft delist portal.

Full explanation & fix →

🔴 550 5.7.1 CRITICAL

Message Rejected by Policy

Microsoft 365 returns 5.7.1 when the sender IP or domain reputation is poor. Check with Microsoft SNDS.

Full explanation & fix →

🔴 550 5.7.13 CRITICAL

User Account Disabled

This is a Microsoft 365-specific code. The user's account is blocked or disabled in Azure AD. Only the receiving organisation's IT admin can resolve this.

Full explanation & fix →

🔴 550 5.7.14 CRITICAL

Trust Relationship Required

Microsoft 365 returns 5.7.14 when Basic Auth is disabled and the client hasn't migrated to Modern Auth. This is increasingly common as Microsoft rolls out Basic Auth deprecation.

Full explanation & fix →

🔴 550 5.7.26 CRITICAL

DMARC Policy Violation

Microsoft 365 enforces DMARC rejection for inbound email to Office 365 mailboxes.

Full explanation & fix →

🔴 552 5.2.3 CRITICAL

Message Too Large for Mailbox

Microsoft 365 has a 25 MB default receive limit. This can be raised by Exchange admins up to 150 MB.

Full explanation & fix →

🔴 552 5.3.4 CRITICAL

Message Too Big for System

Microsoft 365 default system limit is 25 MB. Enterprise plans can configure up to 150 MB per organisation.

Full explanation & fix →

🟡 451 4.7.1

Temporary Auth / Policy Hold

Microsoft 365 uses 451 4.7.1 for DMARC-related temporary deferrals. Fixing alignment usually resolves it.

Full explanation & fix →

🔴 550 5.2.4

Mailing List Expansion Problem

Microsoft 365 returns 5.2.4 when a distribution group cannot be expanded, often due to a disabled owner or a group with no members.

Full explanation & fix →

Microsoft NDR Component Glossary

The component prefix in an Exchange Online NDR tells you which subsystem rejected or failed to deliver the message.

RESOLVER

Routing and address resolution layer. Errors here mean Exchange couldn't find or route to the recipient's mailbox.

STOREDRV

Store Driver — the component that writes messages to the mailbox database. Errors here mean the mailbox exists but can't accept messages (disabled, locked, full).

QUEUE

Mail queue — appears in 4.4.7 (expired) and other delivery-delay NDRs. Indicates the message spent too long waiting to be delivered.

FilteringService

Exchange Online Protection (EOP) anti-spam and policy engine. Errors here mean your message was blocked by Microsoft's inbound filtering rules.

Microsoft Sender Tools

Microsoft provides two free tools for senders who are being blocked by Exchange Online:

Delist Portal

If your IP is blocked by Microsoft 365 (5.4.1 or 5.7.1), submit it here for manual review and removal.

sender.office.com →

SNDS (Smart Network Data Services)

Shows the complaint rate and block status for IPs sending to Microsoft 365 mailboxes. Free to register.

SNDS portal →

Frequently Asked Questions

Common questions about Microsoft 365 SMTP errors and Exchange Online NDRs.

What is an NDR in Microsoft 365?

NDR stands for Non-Delivery Report — Microsoft's name for the bounce email you receive when Exchange Online cannot deliver your message. NDRs always include a status code like 5.7.26, and often include a component name like STOREDRV or RESOLVER that tells you which part of Exchange rejected the message. That component name is the fastest way to narrow down the cause.

Why does Microsoft 365 return 5.4.1 for legitimate senders?

Error 5.4.1 is Microsoft's way of saying your sending IP has a poor reputation in their system. It is the most common blocklist-style rejection from Exchange Online, and it catches a lot of legitimate senders who are on cloud or shared infrastructure. Use the Delist Portal to request removal, and check your IP's standing in SNDS to understand what Microsoft sees about your traffic.

What is Modern Authentication and why is it causing 5.7.14 errors?

Microsoft is phasing out the old username-and-password method of SMTP authentication (called Basic Auth) in favour of OAuth 2.0, which is what they call Modern Authentication. If you get a 5.7.14 error, it means the email client or app you are using is still trying to log in the old way on an account where Microsoft has turned that off. The fix is to update your client or application to use OAuth 2.0 — older SMTP libraries often need a code change to support this.

Why does a 5.7.13 error say "account disabled" when the person still works here?

A 5.7.13 error means Microsoft's system has flagged the recipient's account as blocked — but it does not always mean the person was intentionally disabled. It can happen after a forced password reset, a suspicious login alert, or even a brief licensing hiccup that temporarily removed the Exchange Online licence. The only person who can fix this is the recipient's IT admin, who needs to re-enable the account in Azure AD or Entra ID.