How 550 5.7.1 Shows Up at Microsoft 365
Microsoft 365 wraps the code in an NDR that usually names the filtering layer, e.g. "550 5.7.1 Service unavailable, Client host [x.x.x.x] blocked using Spamhaus" for reputation blocks, or "550 5.7.1 Message rejected as spam by Content Filtering" when Exchange Online Protection's content filter fires. Tenant administrators can also produce custom 5.7.1 text via mail flow rules, so the wording varies more at Microsoft 365 than at most providers.
In the bounce (NDR) returned to your sending mailbox, and in your sending platform's error log per contact. If many recipients share one tenant — common when you're prospecting one company — you'll see the identical rejection string for every contact at that domain at once.
Microsoft 365 recipients sit behind Exchange Online Protection (EOP), which scores every inbound connection on IP reputation (including third-party lists like Spamhaus), domain reputation, SPF/DKIM/DMARC results, and content. On top of EOP, each tenant can layer its own anti-spam policies, connection filters, and mail flow rules — so a message that lands fine at one Microsoft 365 company can be rejected by the next.
How to Fix 550 5.7.1 at Microsoft 365
- 1
Read the NDR's diagnostic text, not just the code
Microsoft's NDR names the layer that fired: a blocklist name (Spamhaus, etc.) means IP reputation; "Content Filtering" means the message body/subject scored as spam; custom wording usually means a tenant mail flow rule. Each has a different fix path — identify which one you're in before changing anything.
- 2
Verify SPF, DKIM, and DMARC pass for the sending domain
EOP weights authentication heavily. Send a test to a mailbox you control on Microsoft 365 and open Message Headers (or use a header analyzer) to confirm spf=pass, dkim=pass, and dmarc=pass with aligned domains. Any fail or softfail materially raises your spam score at every Microsoft 365 tenant.
- 3
Check the sending IP against Microsoft's view of its reputation
Register your sending IPs in Microsoft SNDS (Smart Network Data Services) to see how Microsoft scores their traffic, and check the IP on public blocklists. If the NDR named a specific blocklist, start delisting there first.
Note: If the sending IP itself is blocked by Microsoft, request removal through Microsoft's sender delist portal — delisting typically propagates within 24-48 hours.
- 4
Reduce content risk for EOP's content filter
If the NDR pointed at Content Filtering: strip link shorteners and tracking-heavy markup, drop attachments from first-touch emails, keep image-to-text ratio low, and rewrite high-pressure phrasing. EOP's content verdicts compound with reputation — clean authentication plus moderate content usually passes; weak authentication plus aggressive copy fails.
- 5
For a single important tenant, ask your contact to allowlist
If one specific prospect company is rejecting you and the conversation is warm, their IT admin can add your sending domain to the tenant's allowed senders in the Microsoft Defender portal (Tenant Allow/Block List). That's a per-tenant fix — it does nothing for the rest of your list, so treat it as a last resort for named accounts, not a strategy.
Microsoft 365 Tools for This Error
- ◇Microsoft SNDS (Smart Network Data Services)
Register your sending IP ranges to see Microsoft's reputation data for them — complaint rates, trap hits, and filter verdicts.
- ◇Microsoft sender delist portal
Request removal when your sending IP is blocked by Microsoft 365 / Outlook.com.
- ◇Microsoft 365 anti-spam message headers reference
Decodes the X-Forefront-Antispam-Report header (SCL, IPV, SFV fields) so you can see exactly why EOP scored a message.
550 5.7.1 at Microsoft 365 in the Cold Email Context
Cold email senders hit 550 5.7.1 at Microsoft 365 more than anywhere else because B2B prospect lists skew heavily toward Microsoft-hosted tenants. The pattern to watch: rejections clustered by recipient domain mean tenant-level policy (often unrecoverable for that account — move on), while rejections spread across many domains mean your IP or domain reputation is the problem. The structural fix is infrastructure that isolates reputation: ColdRelay provisions mailboxes on isolated Azure tenants with dedicated IPs and pre-configured SPF, DKIM, and DMARC, and caps volume at 4 sends per mailbox per day (2 outbound + 2 warmup) so no single identity builds the velocity profile EOP flags.
Frequently Asked Questions
Why do my emails reach Gmail inboxes but bounce at Microsoft 365 with 550 5.7.1?
Gmail and Microsoft 365 score senders independently. EOP leans harder on IP reputation and third-party blocklists, while Gmail leans on domain reputation and engagement signals. A sender with a clean domain but a cold or listed IP often passes Gmail and fails Microsoft 365 — check the sending IP in Microsoft SNDS and against the blocklist named in the NDR.
Every contact at one company bounces with the same 550 5.7.1 — is my domain burned?
Probably not. Identical rejections confined to one recipient domain almost always mean that tenant's own anti-spam policy or a mail flow rule is rejecting you — not a global reputation problem. Verify by checking deliveries to other Microsoft 365 domains. For that one account, an introduction through another channel beats fighting the filter.
How long does it take to clear a Microsoft 365 spam-policy block?
It depends on the layer. Blocklist delistings (after you've fixed the cause) typically propagate in 24-72 hours; Microsoft's own delist portal usually acts within 24-48 hours; content-filter verdicts change as soon as you change the message. Tenant-level blocks only clear when that tenant's admin changes them.
Does ColdRelay prevent 550 5.7.1 rejections at Microsoft 365?
It removes the most common causes. ColdRelay mailboxes run on isolated Azure tenants with dedicated IPs — no shared-pool reputation baggage — with SPF, DKIM, and DMARC configured from provisioning, and a 4 sends/day per-mailbox budget (2 outbound + 2 warmup) that keeps velocity below EOP's bulk-sender thresholds. Content and list quality remain on you: no infrastructure passes a spam-shaped message to a tenant that has blocked your domain.