When messages are sent or received between two email servers or Mail Transfer Agents (MTAs), the communication uses a series of numeric SMTP codes. These codes are always in pairs, which means both servers transmit codes until the conversation either succeeds or fails.
There are two main code types for dropped or failed SMTP conversations. The first number in a code indicates whether the MTA accepted the command or rejected it. The remaining two numbers in a code provide information on the reason for the failure. The code types are:
- 4xx: The server encountered a temporary failure. If the command is repeated without being changed, it may be successful depending on the reason for the initial failure. Mail servers use temporary failures to hold connections from untrusted sources, while additional security checks are performed.
- 5xx: The server has encountered a permanent error and the message delivery has failed.
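The two code types above decide what a sending MTA does next. The following added example (not Mimecast code) parses raw SMTP replies, including multi-line ones, and groups them by that action; the sample replies are constructed, with reason texts taken from the tables on this page, and the function names are illustrative.

```python
import re
from collections import defaultdict

# RFC 5321 reply syntax: "NNN-text" continues a reply, "NNN text" ends it.
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
ACTIONS = {2: "accepted", 3: "continue", 4: "retry", 5: "bounce"}


def parse_reply(raw):
    """Return (code, text) for one SMTP reply, which may span several lines."""
    code, parts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        code = m.group(1)
        parts.append((m.group(3) or "").strip())
        if m.group(2) != "-":  # only "NNN-" announces a further line
            break
    if code is None:
        raise ValueError("empty reply")
    return int(code), " ".join(p for p in parts if p)


def disposition(code):
    """First digit: 4 means queue and retry unchanged, 5 means fix and resend."""
    if code // 100 not in ACTIONS:
        raise ValueError(f"unexpected SMTP reply code {code}")
    return ACTIONS[code // 100]


def triage(replies):
    """Group raw replies by the action the sending MTA should take."""
    groups = defaultdict(list)
    for raw in replies:
        code, text = parse_reply(raw)
        groups[disposition(code)].append((code, text))
    return dict(groups)


# Constructed sample replies (the multi-line split is an assumption).
SAMPLE = [
    "451 Internal resource temporarily unavailable",
    "550-SPF Sender Invalid -\r\n550 envelope rejected",
    "553 This route requires encryption (TLS)",
    "452 Too many recipients",
    "250 OK",
]
```
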
4xx Error Codes
A correctly configured mail server should retry sending a message if a 4xx error code is received. These connections are logged in the Message Center: Rejected and Deferred Messages list.
|Code||Reason Given to Sending MTA||Description||Recommended Resolution|
|421||Sender address blocked||The sender's IP address has been blocked by a Blocked Senders Policy.||Remove the entry from the policy.|
|421||Unable to process connection at this time||The Mimecast server is under maximum load.||The message is processed when the Mimecast server is less busy.|
|451||Internal resource temporarily unavailable||The sending mail server is subjected to Greylisting. This requires the server to retry the connection, between one minute and 12 hours later. Alternatively, the sender's IP address has a poor reputation.||These reputation checks can be bypassed with an Auto Allow or Permitted Senders policy. If it's legitimate traffic, create a Greylisting Bypass policy.|
|451||Message ended early||The message was incorrectly terminated. This can be caused by: ||Investigate the Intrusion Detection software or other SMTP protocol analyzers. If running a Cisco Firewall, ensure the Mailguard or SMTP Fixup module is disabled.|
|451||Open relay not allowed||Both the sender AND recipient domains specified in the transmission are external to Mimecast, and aren't allowed to relay through the Mimecast service and / or the connecting IP address isn't recognized as authorized.||Mimecast customers should contact Mimecast Support to add the Authorized Outbound address, or to take other remedial action.|
|451||Account outbounds disabled||The customer account outbound emails are disabled in the Administration Console.||Contact Mimecast Support if the account's outbound traffic should be allowed.|
|451||Account inbounds disabled||The customer account inbound emails are disabled in the Administration Console.||Contact Mimecast Support if the account's inbound traffic should be allowed.|
|451||Account service temporarily unavailable||There are too many concurrent inbound connections for the account. The default is 20.||The IP address is automatically removed from the block list after five minutes. Continued invalid connections result in the IP being re-added to the block list. Ensure you don't route outbound or journal messages to Mimecast from an IP address that hasn't been authorized to do so.|
|451||Recipient Temporarily Unavailable||The Sender's IP address has been placed on the block list due to too many invalid connections.||The sender's mail server must retry the connection. The mail server performing the connection says the recipient address validation isn't responding.|
|451||Unable to process email at this time||An AV scanner or store server is temporarily unavailable due to updates being deployed.||The message is processed once the updates are deployed.|
|451||Unable to process email at this time||Generic error if the reason is unknown||Contact Mimecast Support.|
|451||IP Temporarily Blacklisted||You've reached your mail server's limit.||Wait and try again. The mail server won't accept any messages until you're under the limit.|
|451||Hostname is not authorized||Omni Directional hostnames is enabled.||Disable Omni Directional hostnames.|
|452||Too many recipients||The sending server issues more than 100 RCPT TO entries. By default, Mimecast only accepts 100 RCPT TO entries per message body (DATA). The error triggers the sending mail server to provide the DATA for the first 100 recipients before it provides the next batch of RCPT TO entries.||None. Most mail servers respect the transient error and treat it as a "truncation request". If your mail server, firewall, or on-site solution doesn't respect the error, you must ensure that no more than 100 recipients are submitted. Solutions like SMTP Fix Up / MailGuard and ESMTP inspection on Cisco Pix and ASA Firewalls are known not to respect the transient error. We advise you disable this functionality.|
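How a sender that respects the 452 reply splits a large recipient list, as an added example that is not Mimecast code. `ToyReceiver` is a hypothetical in-memory stand-in that models only the 100-recipient limit, and `respect_452=False` is an assumed model of a sender or inline device that treats the reply as final.

```python
RCPT_LIMIT = 100  # per-message RCPT TO limit given in the 452 row


class ToyReceiver:
    """Hypothetical receiving MTA that models only the RCPT TO limit."""

    def __init__(self, limit=RCPT_LIMIT):
        self.limit = limit
        self.current = []   # recipients accepted in the open transaction
        self.batches = []   # recipients covered by each completed DATA

    def mail_from(self, sender):
        self.current = []
        return 250, "OK"

    def rcpt_to(self, rcpt):
        if len(self.current) >= self.limit:
            return 452, "Too many recipients"
        self.current.append(rcpt)
        return 250, "OK"

    def data(self, body):
        self.batches.append(self.current)
        self.current = []
        return 250, "OK"


def deliver(server, sender, recipients, body, respect_452=True):
    """Send one message to all recipients; return those left undelivered."""
    pending, undelivered = list(recipients), []
    while pending:
        server.mail_from(sender)
        deferred = []
        for i, rcpt in enumerate(pending):
            code, _ = server.rcpt_to(rcpt)
            if code == 452:          # transient: the rest wait for the next batch
                deferred = pending[i:]
                break
            if code != 250:
                undelivered.append(rcpt)
        if len(deferred) == len(pending):  # nothing accepted: stop, do not loop
            return undelivered + deferred
        server.data(body)            # DATA for the recipients accepted so far
        if not respect_452:          # mishandled 452: the remainder is dropped
            return undelivered + deferred
        pending = deferred
    return undelivered
```
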
5xx Error Codes
Error 5xx codes are permanent failures. These connections are rejected in protocol, and the connection is logged in the Rejection Viewer. As the message is rejected in protocol, it isn't retrievable from the Administration Console, and must be resent once the issue is addressed.
|Code||Reason Given to Sending MTA||Description||Recommended Resolution|
|501||Invalid address||The email address isn't a valid SMTP address.||The sender must resend the message to a valid internal email address.|
The server has encountered a bad sequence of commands, or it requires authentication.
|In case of a "bad sequence", the server has pulled off its commands in the wrong order, usually because of a broken connection. If authentication is needed, enter your username and password.|
|535||Incorrect authentication data||Messages submitted to SMTP port 587 require authentication. This error indicates the authentication details provided were incorrect.||Check your authentication details match an internal email address in Mimecast, with a corresponding Mimecast cloud password. Alternatively, consider sending the message on SMTP port 25.|
|550||Submitter failed to authenticate|
|550||Administrative prohibition - envelope blocked||The sender's email address or domain has triggered a Blocked Senders Policy, or there's an SPF hard rejection.||Delete or modify the Block Sender Policy to exclude the sender address.|
|550||Anti-Spoofing policy - Inbound not allowed||The message has triggered an Anti-Spoofing Policy.||Create an Anti-Spoofing Policy to take no action for the sender's address or IP address.|
|550||Rejected by header based Anti-Spoofing policy|
|550||Envelope blocked - User Entry||A personal block policy is in place for the email address / domain.||Remove the email address / domain from the Managed Sender list.|
|550||Envelope blocked - User Domain Entry|
|550||Rejected by header based manually Blocked Senders – block for manual block|
|550||Rejected by header based Blocked Senders – Block policy for Header From||A Block Sender Policy has been applied to reject emails based on the Header From or Envelope From address.||Delete or change the Block Sender policy.|
|550||Envelope Rejected – Block policy for Envelope from address|
|550||<details of RBL>||The sender's IP address is listed in an RBL. The text displayed is specific to the RBL which lists the sender's IP address.||Bypass the RBL with an Auto Allow or Permitted Senders policy. Additionally, request removal of the associated IP address from the RBL.|
|550||Local CT IP Reputation - (reject)||Ongoing reputation checks have resulted in the message being rejected due to poor IP reputation. This could be subsequent to a 4xx error.||Create an Auto Allow or Permitted Senders policy. You can request a review of your source IP ranges by completing our online form.|
|550||Invalid Recipient||Known recipient, LDAP or SMTP call forwarding recipient validation checks haven't returned a valid internal user.||The sender must resend the message to a valid internal recipient address.|
|550||Exceeding outbound thread limit||There are too many concurrent outbound connections for the account.||Send the messages in smaller chunks of recipients.|
|550||Message bounced due to Content Examination Policy||The message has triggered a Content Examination policy.||Create a Content Examination Bypass Policy, or adjust the Content Examination policy as required.|
|550||SPF Sender Invalid - envelope rejected||The inbound message has been rejected because the originating IP address isn't listed in the published SPF records for the sending domain.||Ensure all the IP addresses for your mail servers are listed in your SPF records. Alternatively, create a DNS Authentication Policy with the "Inbound SPF" or "Reject on Hard Fail" option disabled. Messages that fail our SPF checks are subjected to spam and RBL checks, instead of being rejected.|
|550||DKIM Sender Invalid - envelope rejected||The DKIM key for the outbound message is broken, and doesn't match the DNS record of the registered sender.||Check your organization's DNS record is populated with the right public key as part of the DNS Authentication Outbound Signing definition. The private key of the keypair must be populated in the DNS Authentication policy, along with the domain and selector of that record.|
|550||DMARC Sender Invalid - envelope rejected||The inbound message has been rejected because the originating IP address isn't listed in the published DMARC records for the sending domain.||Ensure all the IP addresses for your mail servers are listed in your DMARC records.|
|550||Journal message past expiration||Attempts are being made to journal mail that is past the set expiry threshold. The failure will be replaced by a retry response because the message is marked for retry if rejected, causing the journal queue to grow.||Check to confirm there are no significant time discrepancies on the mail server. Discontinue journaling old messages past the expiry threshold.|
|553||This route requires encryption (TLS)||This email has been sent using SMTP, but TLS is required by policy.||Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the certificates on the mail server haven't expired. If using a proxy server, ensure it isn't intercepting the traffic and modifying encryption parameters.|
|553||This route requires TLS version 1.2 or greater||A TLS connection has been attempted using a TLS version that is lower than TLS 1.2.||Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the mail server attempting to connect is using the appropriate version of TLS.|
|553||This route requires high strength ciphers||A secure connection was attempted using ciphers that do not meet the configured cipher strength.||Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the certificates on the mail server haven't expired. If using a proxy server, ensure it isn't intercepting the traffic and modifying encryption parameters.|
|554||Email rejected due to security policies (e.g. MCSpamSignature.x.x)||A signature was detected that could either be a virus, or a spam score over the maximum threshold. The spam score isn't available in the Administration Console. If you aren't a Mimecast customer but have emails rejected with this error code, contact the recipient to adjust their configuration and permit your address. If unsuccessful, your IT department can submit a request to review these email rejections via our Sender Feedback form.||Anti-virus checks cannot be bypassed. Contact the sender to see if they can stop these messages from being blocked. Anti-spam checks can be bypassed using a Permitted Senders or Auto Allow policy. Rejected emails can be viewed in your Outbound Activity by searching for the required email address.|
|554||Mail loop detected||The message has too many "received headers" as it has been forwarded across multiple hops. Once 25 hops have been reached, the email is rejected.||Investigate the email addresses in the communication pairs, to see what forwarders are configured on the mail servers.|
|554||Maximum email size exceeded||The email size either exceeds an Email Size Limits policy, or is larger than the Mimecast service limit. The default is 100 MB for the Legacy MTA, and 200 MB for "the Latest MTA".||Resend the message ensuring it's smaller than the limitation set. The transmission and content encoding can add significantly to the total message size (e.g. a message with a 70 MB attachment can have an overall size larger than 100 MB).|
|554||Host network not allowed||The message has triggered a Geographical Restrictions Policy.||Delete or amend the policy.|
|554||Configuration is invalid for this certificate||Validation of your umbrella account's domain name does not conform to your DNS.||Check your DNS has the required umbrella accounts listed as comma separated values.|