Cold email infrastructure starting at $1/mailbox. Volume discounts down to $0.55.Calculate your cost
ColdRelay
← All SMTP Errors
SMTP Error Reference

550 5.7.1

Gmail: SPF hard-fail — sending IP not authorized by SPF record

Gmail returns 5.7.1 with 'SPF check failed' when your sending IP isn't listed in the From domain's SPF record. Hard authentication failure. Fix the SPF record before retrying.

Last updated: May 23, 2026

Overview

What 550 5.7.1 Means

What it means

Gmail's MX server performed an SPF check, and the result was a hard fail (-all match). The sending IP is not authorized by the From domain's SPF record. Per RFC 7208, this is a definitive 'this IP is not allowed to send for this domain' result. Gmail rejects with 550 5.7.1 because SPF fail combined with DMARC p=reject (or p=quarantine) means the message is policy-rejected.

Who you'll see it from

Gmail and Google Workspace. Microsoft, Yahoo, and most enterprise gateways express the same condition with their own status codes, but the underlying SPF check is identical across receivers.

Why it happens

SPF record is missing entirely (no TXT record at the domain root with 'v=spf1'); SPF record exists but doesn't include your sending IP or platform's include: directive; SPF record was rotated and the receiver cached an older version; or the message is being sent via a relay whose IP isn't in the include chain.

Resolution

How to Fix 550 5.7.1

  1. 1

    Look up your domain's SPF record

    Use the SPF Generator at coldrelay.com/tools/spf-generator (or any DNS lookup tool) to view your current SPF record. The TXT record at the domain root should start with 'v=spf1'. If there's no record, that's your problem — see step 2.

  2. 2

    Publish or fix the SPF record

    Your SPF record needs to authorize every IP and platform you send mail from. A typical record looks like: 'v=spf1 include:spf.coldrelay.com -all'. If you're sending from multiple platforms, each must be included. Add the record at your DNS provider as a TXT record at the domain root.

  3. 3

    Verify the include chain resolves to your sending IP

    SPF supports recursive includes (include:vendor.com which itself includes other domains). Run a recursive SPF check to confirm your sending IP is in the final IP set. The SPF Generator does this automatically and tells you whether your IP is authorized.

    Note: SPF has a 10-DNS-lookup limit per RFC 7208. Chains with too many includes trigger PermError, which fails closed.

  4. 4

    Wait for DNS propagation

    After publishing or updating the SPF record, DNS propagation typically takes 5-60 minutes for major receivers, up to 24 hours for stragglers. Re-test with the Email Deliverability Test (coldrelay.com/tools/email-deliverability-test) until SPF passes before resuming sends.

  5. 5

    Verify DMARC alignment for SPF

    SPF passing isn't enough if DMARC requires alignment and the SPF-authenticated domain doesn't match your From header. Common cold email pitfall: the SPF authenticates via a tracking-domain like 'sendgrid.net' but the From header is 'yourdomain.com' — SPF passes, DMARC fails, message rejected. Make sure your SPF and From align.

Authority

References

Cold email infrastructure

550 5.7.1 in the Cold Email Context

SPF hard-fail at Gmail is the most easily fixable cold email infrastructure error — it's a DNS configuration problem with a clear remediation. The pitfall is that cold email senders often run multiple sending platforms in parallel (e.g. Instantly for outreach, a Workspace mailbox for follow-up, a transactional sender for booked-call confirmations) and don't update SPF when they add a new platform. ColdRelay's domain provisioning writes SPF, DKIM, and DMARC records automatically when a sending domain is created, and the dashboard's Domains page surfaces a green/red status indicator per record per domain so missing or broken SPF is immediately visible. For multi-platform sends, the SPF Generator tool walks through merging includes correctly without exceeding the 10-lookup limit.

FAQ

Frequently Asked Questions

Can I have more than one SPF record?

No. Per RFC 7208 you must have exactly one SPF (v=spf1) TXT record at the domain root. Multiple SPF records cause PermError, which Gmail treats as fail. If you need to authorize multiple platforms, merge them into a single record using multiple include: directives.

What's the difference between ~all and -all?

Both indicate the end of authorized senders. ~all is softfail — receivers should accept but mark as suspicious. -all is hardfail — receivers should reject. For cold email infrastructure with controlled sending platforms, -all is preferred; it produces cleaner DMARC outcomes.

Why does my SPF record need to include the sending platform's domain?

SPF checks the IP that connected to deliver the mail. Your sending platform (ColdRelay, Instantly, Smartlead, etc.) sends from its own IPs, and those IPs must be authorized by your domain's SPF record. The include: directive imports the platform's own SPF, which lists their IPs.

How quickly does SPF propagate?

Most major receivers update within 5-60 minutes. Some receivers cache aggressively (up to 24 hours). After updating SPF, monitor the Email Deliverability Test until your domain passes consistently before resuming high-volume sending.

Keep reading

Related SMTP Errors and Guides

SMTP Error
550 5.7.26
Gmail: unauthenticated email — SPF, DKIM, or DMARC failed
SMTP Error
550 5.7.1
Gmail: DKIM signature verification failed
SMTP Error
550 5.7.1
Gmail: DMARC policy reject — message failed alignment
Integration
Use Instantly with ColdRelay
Integration
Use Smartlead with ColdRelay
Guide
How To Configure Spf Dkim Dmarc
Use Case
Cold Email Infrastructure For Sales Teams
Use Case
Cold Email Infrastructure For Agencies

Stop Seeing 550 5.7.1 For Cold Email

ColdRelay ships clean, dedicated infrastructure with SPF, DKIM, DMARC, and reverse DNS configured automatically — the same fixes that resolve most 550 5.7.1 bounces. Starting at $50/month.

Start for $50/month →