< back to blog

Fixing "550; 5.7.15 Access denied" from Microsoft

April 30, 2025
DMARC Protocol
Mail Providers

Introduction

Starting 5 May 2025, Microsoft Outlook is implementing stricter email authentication requirements for high-volume senders (those sending over 5,000 emails per day). This change is part of Microsoft's ongoing efforts to strengthen the email ecosystem and protect users from spam, phishing, and spoofing attempts.

If you're receiving a "550; 5.7.15 Access denied, sending domain [SendingDomain] does not meet the required authentication level" error when sending emails to Outlook.com addresses (including hotmail.com, live.com, and outlook.com domains), your domain and sending service doesn't meet the new authentication requirements.

Key Takeaways

  • New Authentication Requirements: Microsoft Outlook now requires proper SPF, DKIM, and DMARC setup for domains sending more than 5,000 emails per day.
  • Alignment Required: Your emails must pass both SPF and DKIM and one of them must be aligned, even if you have a p=none DMARC policy.
  • Error Messages: Non-compliant emails will be rejected with the error code "550; 5.7.15 Access denied, sending domain [SendingDomain] does not meet the required authentication level".
  • Enforcement Timeline: These changes begin rolling out on 5 May 2025.
  • Who's Affected: High-volume senders (5,000+ emails daily) to Outlook consumer addresses.
  • Required Action: Verify and update your SPF, DKIM, and DMARC records immediately to ensure email delivery.

The biggest takeaway is: even if you have a p=none DMARC policy, Microsoft are enforcing DMARC compliance regardless.

Check out Microsoft's post on this, we assume this is a typo:

"The rejected messages will be designated as "550; 5.7.15 Access denied, sending domain [SendingDomain] does meet the required authentication level."  This change will state taking effect on May 5th as originally stated."

Understanding the 550; 5.7.15 Error

The error "550; 5.7.15 Access denied, sending domain [SendingDomain] does not meet the required authentication level" indicates that your domain lacks one or more of the required authentication protocols:

  1. SPF (Sender Policy Framework) - Must pass for the sending domain
  2. DKIM (DomainKeys Identified Mail) - Must pass to validate email integrity
  3. DMARC (Domain-based Message Authentication, Reporting, and Conformance) - Must have at least p=none policy and align with either SPF or DKIM

One critical point to understand: Microsoft's requirements focus on DMARC alignment. This means your domain must either have SPF alignment OR DKIM alignment (or both) even if you have a p=none DMARC policy.

Many email services might pass SPF authentication but not SPF alignment for DMARC purposes. In these cases, properly configured DKIM becomes essential to meet Microsoft's requirements. This nuance is why using a specialised DMARC analytics service like VerifyDMARC is so important.

Why Is This Happening?

Microsoft's new policy targets high-volume senders first because they have a broader impact on inbox safety. By enforcing these requirements, Microsoft aims to:

  • Reduce email spoofing and phishing attacks
  • Increase trust in the email ecosystem
  • Improve deliverability for legitimate senders
  • Protect users from malicious content

Diagnostic Steps

To resolve the 550; 5.7.15 error and ensure your emails reach Outlook recipients, follow these steps:

1. Set Up DMARC Monitoring with VerifyDMARC

Sign up for VerifyDMARC to properly monitor and analyse your domain's authentication status. Our service provides comprehensive insights into how your emails are authenticating across different sending sources. While free checkers may verify if records exist, only a full DMARC analytical service like VerifyDMARC can show you if your emails are actually complying with Microsoft's requirements.

We offer a 30-day trial, no credit card required. Sign up here.

2. Implement DKIM Signing

Configure and enable DKIM signing for your mail services. Refer to you mail service's individual guides on how to do this or take a look at our guide for Microsoft 365.

3. Add a DMARC Record

At minimum, set up a basic DMARC record:

Hostname: _dmarc.yourdomain.com
Record Type: TXT
Value: v=DMARC1; p=none;

Understanding DMARC Alignment

This is where many organisations encounter issues with Microsoft's new requirements. DMARC requires alignment between the visible "From" domain and at least one authentication method (SPF or DKIM):

  • SPF Alignment: The domain in the "Return-Path" (envelope sender) must match the "From" domain
  • DKIM Alignment: The domain in the DKIM signature (d=) must match the "From" domain

Many legitimate email services might pass SPF authentication but fail SPF alignment because they use their own return paths. These services do not need to be in your domain's SPF record, but the 'Auth Result' in VerifyDMARC should show an underlying SPF pass, even if it is not aligned.

Not all mail can pass SPF alignment checks even if the return path is aligned, therefore DKIM alignment is essential. VerifyDMARC shows you exactly which services are authenticating correctly and where alignment issues exist.

Bare Minimum DMARC Record

If you need to quickly implement DMARC without any enforcement action or reporting, add this TXT record to your domain DNS manager:

Hostname: _dmarc.yourdomain.com
Record Type: TXT
Value: v=DMARC1; p=none;

For proper visibility and monitoring, however, we recommend setting up reporting as well.

Additional Best Practices

Microsoft also recommends these email hygiene practices:

  • Use valid "From" and "Reply-To" addresses that can receive replies
  • Include functional unsubscribe links for marketing/bulk emails
  • Maintain list hygiene by removing invalid addresses regularly
  • Use transparent mailing practices with accurate subject lines

How VerifyDMARC Helps

VerifyDMARC simplifies compliance with Microsoft's new requirements by:

  1. Comprehensive Authentication Monitoring: We don't just check if records exist—we show you if your emails are actually passing authentication and alignment tests across all your email sources
  2. Identifying Alignment Issues: Clearly see whether your emails pass SPF alignment, DKIM alignment, or both
  3. Streamlined Multi-Domain Management: Perfect for MSPs and IT teams managing multiple domains
  4. Actionable Reports: Convert complex DMARC data into clear, actionable insights

Our platform is specifically designed to help businesses and MSPs manage multiple domains with ease, ensuring you stay compliant with Microsoft's requirements and other email providers who are implementing similar policies.

Summary

Microsoft's error code "550; 5.7.15 Access denied" signals non-compliance with their new authentication requirements. The key to resolving this issue isn't just having SPF, DKIM, and DMARC records—it's ensuring proper alignment between your visible "From" domain and at least one authentication method.

This policy change underscores the increasing importance of email authentication across the industry. As an MSP or IT team, staying ahead of these requirements is crucial for maintaining reliable email delivery.

For those looking to navigate these changes efficiently, VerifyDMARC offers a streamlined solution to manage and monitor your email authentication. Our plans start from just $1 per month, with options for businesses of all sizes.

Sign up for our free 30-day trial today to quickly set up DMARC and get your emails delivering to inboxes again.

START FREE TRIAL
Protect your E-commerce Business & Customers with DMARC

Protect your E-commerce Business & Customers with DMARC

Learn how to stop email spoofing and improve delivery of order confirmations with DMARC. Implementation guide for Shopify, WooCommerce and Marketo.

Security
VerifyDMARC
New Insight Reports for Efficient Multi-Domain Management

New Insight Reports for Efficient Multi-Domain Management

We're excited to announce two new Insight reports designed to streamline multi-domain management: Sender Compliance Report and SPF Record Checker.

Product Updates
VerifyDMARC
TLS Failure Alerts: Monitoring for MTA-STS and DANE

TLS Failure Alerts: Monitoring for MTA-STS and DANE

New VerifyDMARC feature adds alerts for TLS failure reports for your domains, helping minimise inbound email disruption due to configuration issues.

Product Updates
TLS Reporting