Troubleshooting SMTP 550 Error: IP Not Authorized to Send Mail from Domain (SPF Record Analysis)



The SMTP 550 error you're encountering is a common SPF (Sender Policy Framework) validation failure. Let's break down the components:

550 [ipaddress] is not allowed to send mail from [domain name]

This indicates the sending IP address isn't authorized in the domain's SPF record to send emails on behalf of that domain.

Different organizations implement different levels of email security. Some might:

  • Accept emails with soft SPF failures
  • Have less strict spam filtering rules
  • Whitelist certain domains/IPs

Your company's mail server appears to enforce strict SPF validation.

To verify the SPF record of the sender's domain, use dig/nslookup:

dig TXT domain.com
nslookup -type=TXT domain.com

Example output for a correct SPF record:

domain.com. 3600 IN TXT "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all"

The sender might have:

  • Missing SPF record entirely
  • SPF record that doesn't include their sending IPs
  • Too many DNS lookups (exceeds the limit of 10)
  • Syntax errors in their SPF record

For comprehensive SPF checking, use these tools:

# Command line check (Linux/macOS)
dig +short TXT domain.com | grep spf

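# Python script to validate SPF (requires the dnspython package)
import dns.resolver

def check_spf(domain):
    """Return the domain's SPF record, or a message if none is found."""
    try:
        answers = dns.resolver.resolve(domain, 'TXT')
        for rdata in answers:
            # A TXT record may be split into several strings; join them first
            txt = b"".join(rdata.strings).decode(errors="replace")
            # An SPF record must begin with the version tag
            if txt.lower().startswith('v=spf1'):
                return txt
        return "No SPF record found"
    except Exception as e:
        return f"Error: {e}"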

For the sender:

  1. Update their SPF record to include all legitimate sending IPs
  2. Use include mechanisms for third-party email services
  3. Test the new SPF record before deployment

For your organization:

  1. Check if your spam filter has specific SPF enforcement settings
  2. Consider creating a whitelist for trusted senders (temporary solution)
  3. Review your DMARC policy if you're using one

For email senders:

  • Implement proper SPF, DKIM, and DMARC records
  • Use dedicated IPs for email sending when possible
  • Regularly audit email authentication configurations

For email receivers:

  • Document your email security policies
  • Provide clear feedback mechanisms for senders
  • Consider implementing a postmaster address for delivery issues

When your recipient receives an SMTP 550 error stating [ipaddress] is not allowed to send mail from [domain], this indicates a strict SPF (Sender Policy Framework) validation failure. The sending server's IP isn't authorized in the domain's SPF record.

Different organizations implement SPF checks with varying strictness levels:

  • Your company's mail server might reject mail on an SPF hard fail (-all)
  • Other recipients may accept a soft fail (~all) or skip SPF checks entirely

Check the domain's SPF record using dig:

dig TXT domain.com +short | grep "v=spf1"

Example of a complete SPF record:

"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 include:_spf.google.com ~all"

Python script to validate SPF records:

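import dns.resolver  # requires the dnspython package

def check_spf(domain):
    """Return the domain's SPF record, or a message if none is found."""
    try:
        answers = dns.resolver.resolve(domain, 'TXT')
        for rdata in answers:
            # A TXT record may be split into several strings; join them first
            txt = b"".join(rdata.strings).decode(errors="replace")
            # An SPF record must begin with the version tag
            if txt.lower().startswith('v=spf1'):
                return txt
    except Exception as e:
        return f"Error: {e}"
    return "No SPF record found"

print(check_spf("example.com"))

Common SPF record mistakes:

  • Missing IP addresses of all authorized mail servers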
  • Incorrect CIDR notation in IP ranges
  • Too many DNS lookups (exceeding the 10-query limit)
  • Using deprecated mechanisms like ptr
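
The record problems listed above and earlier (sending IP not covered, bad CIDR notation, more than 10 DNS lookups, ptr) can be checked offline. The following Python is an added example, not part of the original article; audit_spf, the records dictionary that stands in for DNS, and the sample domains are assumptions made for illustration, and the evaluation is simplified as noted in the docstring.

```python
import ipaddress

# Terms that each cost one DNS lookup; SPF allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def _walk(domain, ip, records, state):
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        state["issues"].append(f"{domain}: no SPF record")
        return
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        name, _, arg = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                state["issues"].append(f"{domain}: bad address or CIDR in {term}")
                continue
            state["authorized"] |= ip in net
        elif name in LOOKUP_TERMS:
            state["lookups"] += 1
            if name == "ptr":
                state["issues"].append(f"{domain}: deprecated ptr mechanism")
            # Follow nested records, but stop once the limit is exceeded
            if name in ("include", "redirect") and state["lookups"] <= MAX_LOOKUPS:
                _walk(arg, ip, records, state)

def audit_spf(domain, sender_ip, records):
    """Audit an SPF record offline; `records` (domain -> TXT) stands in for DNS.
    Only ip4/ip6, include and redirect are evaluated; a, mx, exists and ptr
    are counted as lookups but not resolved."""
    state = {"authorized": False, "lookups": 0, "issues": []}
    _walk(domain, ipaddress.ip_address(sender_ip), records, state)
    if state["lookups"] > MAX_LOOKUPS:
        state["issues"].append(f"more than {MAX_LOOKUPS} DNS lookups")
    if not state["authorized"]:
        state["issues"].append(f"{sender_ip} is not covered by any ip4/ip6 range")
    return state

# Constructed sample records using documentation address ranges
SAMPLE = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/33 "
                      "include:_spf.mail.example ptr ~all",
    "_spf.mail.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

print(audit_spf("sender.example", "198.51.100.123", SAMPLE))
```

To audit a live domain, fill the records dictionary with the TXT strings returned by dig for the domain and each of its include targets.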

For Microsoft 365/O365 environments, ensure your SPF record includes:

v=spf1 include:spf.protection.outlook.com -all

For Google Workspace:

v=spf1 include:_spf.google.com ~all

Use this PowerShell command to retrieve a domain's SPF record so you can check it against a specific sending IP:

Resolve-DnsName -Type TXT domain.com | Where-Object {$_.Strings -like "v=spf1*"} | Select-Object -ExpandProperty Strings