deliverability

SMTP Error Codes Explained: 4xx and 5xx Bounces

A reference guide to SMTP reply codes and RFC 3463 enhanced status codes, covering the 2xx, 4xx, and 5xx classes, common bounces (421, 450, 451, 550, 552, 554), and how to act on each.

Updated Jul 4, 20268 min read

Every time a mail server accepts, delays, or refuses a message, it answers with a three-digit SMTP reply code and, increasingly, a dotted enhanced status code. The first digit tells you almost everything you need to know: 2xx means the message moved forward, 4xx means try again later, and 5xx means stop and fix something. Learning to read these codes turns a wall of bounce text into a clear instruction about what to do next.

Reads public DNS only. Nothing is stored unless you save the domain to an account.

How SMTP reply codes are structured

SMTP is a request-and-response protocol defined in RFC 5321. Your sending server issues commands (MAIL FROM, RCPT TO, DATA) and the receiving server replies to each one with a numeric code and a short text message. The three digits are not arbitrary. The leading digit sets the class of the response.

First digitClassMeaning
2xxPositive completionThe command succeeded.
3xxPositive intermediateThe server accepted the command and expects more input.
4xxTransient negativeTemporary failure; the same message may succeed if retried later.
5xxPermanent negativeHard failure; retrying the message as-is will not work.

The single most important distinction is 4xx versus 5xx. A 4xx code is a deferral: a well-behaved sending server queues the message and retries on a backoff schedule, often for up to 72 hours. A 5xx code is a rejection: the message is dead, and continuing to hammer the recipient with retries wastes resources and can hurt your sender reputation.

Enhanced status codes (RFC 3463)

The basic three-digit codes are coarse. A 550 could mean the mailbox does not exist, or that a policy blocked the message, and you cannot always tell which from the number alone. RFC 3463 solves this with enhanced status codes: a second, more precise code in the form class.subject.detail.

  • Class is one digit and mirrors the reply code: 2 (success), 4 (persistent transient failure), or 5 (permanent failure).
  • Subject identifies the source of the problem. Common values are 1 (addressing), 2 (mailbox status), 3 (mail system), 4 (network or routing), 5 (mail delivery protocol), 6 (message content), and 7 (security or policy).
  • Detail pins down the exact condition inside that subject.

So 5.1.1 reads as permanent, addressing problem, bad destination mailbox address. 4.2.2 reads as transient, mailbox status, mailbox full. 5.7.1 reads as permanent, security or policy, delivery not authorized. When both codes are present, the enhanced status code is the one that tells you precisely what happened. To see how these appear alongside authentication results, our guide on how to read email headers walks through a real bounce line by line.

Common 4xx transient codes and how to act

A 4xx response is not a failure you need to fix immediately; it is a signal to wait. Legitimate senders see these constantly, and the sending server handles most of them automatically.

CodeEnhancedTypical meaningWhat to do
4214.7.0 or 4.4.5Service not available, connection throttled, or too many connections.Let the queue retry; slow your send rate to that host.
4504.2.1 or 4.7.1Mailbox temporarily unavailable, or greylisting in effect.Retry after a delay; the first retry usually succeeds.
4514.3.0 or 4.7.1Local error in processing, or a temporary policy deferral.Retry; if it persists, check reputation and rate.
4524.2.2Insufficient system storage or mailbox over quota.Retry later; the recipient may clear space.

Greylisting is the most common cause of a 450 or 451 on a first attempt. The receiving server deliberately rejects an unfamiliar sender with a temporary error, expecting a legitimate mail server to retry a few minutes later. Spam scripts that fire once and give up never come back, so the technique filters a lot of junk at the cost of a short delay. If your mail is arriving late rather than not at all, read what is greylisting to understand the retry timing.

Repeated 4xx responses that never clear behave like a soft bounce and eventually become undeliverable. The line between a temporary deferral and a genuine problem matters for list hygiene, which is why the difference between a hard bounce and a soft bounce is worth knowing before you decide whether to remove an address.

Common 5xx permanent codes and how to act

A 5xx response means the receiving server has decided the message cannot be delivered in its current form. Do not retry blindly. Read the enhanced code, fix the root cause, and only then send again.

CodeEnhancedTypical meaningWhat to do
5505.1.1No such user; the mailbox does not exist.Remove the address from your list.
5505.7.1Rejected by policy (relaying denied, blocklist, or content).Fix the policy trigger before resending.
5505.7.26Message failed authentication at the recipient.Fix SPF, DKIM, and DMARC alignment.
5515.1.6Recipient not local; no forwarding address.Update the address.
5525.2.2 or 5.3.4Mailbox full (permanent) or message exceeds the size limit.Shrink the message or contact the recipient.
5535.1.3Mailbox name syntactically invalid.Correct the address format.
5545.7.1Transaction failed; often a spam block or generic policy rejection.Investigate reputation and content.

Two codes deserve special attention because they are the ones authentication problems produce.

A 550 5.7.1 with a DMARC reference means the receiver enforced your published policy and the message was not aligned. The fix is to make sure every sending source passes SPF or DKIM with alignment. Our guide on 550-5.7.1 email rejected per DMARC policy covers the diagnosis step by step. When the failure is specifically SPF, you will often see 550-5.7.23 SPF validation failed instead.

Gmail is stricter than most. If you send in bulk to Gmail without any passing authentication, you will get 550-5.7.26 unauthenticated sender. Since February 2024, Google and Yahoo require bulk senders (roughly 5,000 messages per day or more to Gmail) to authenticate with SPF and DKIM, publish a DMARC record, keep spam complaint rates below 0.3 percent (and ideally under 0.1 percent), and offer one-click unsubscribe. A 5.7.26 bounce is the enforcement of that rule.

A 554 is the catch-all rejection. It frequently means the receiving server consulted a blocklist such as the Spamhaus SBL or XBL and refused the connection, or that a content or reputation filter tripped. Because the text varies so much between providers, the enhanced code and the human-readable message are your best clues. If you suspect a listing, check whether your sending IP or domain appears on a public blocklist using how to check if a domain is blacklisted.

Reading the whole bounce, not just the number

A non-delivery report (NDR) usually contains more than the code. Look for three things:

  1. The enhanced status code, which tells you the precise category.
  2. The reporting server, so you know whether the rejection came from the destination or an intermediate relay.
  3. The remote text, which providers use to explain the specific policy, sometimes with a help URL.

The same 550 can be a dead mailbox or a policy block, and only the enhanced code and text distinguish them. Treat the number as the headline and the rest of the bounce as the article.

Turning codes into an action plan

  • 2xx: delivered to the next hop. Nothing to do, though reaching the inbox is a separate question from acceptance.
  • 4xx: let your mail server retry. Investigate only if the same recipients defer for many hours, which points to rate limiting, reputation, or greylisting.
  • 5xx addressing (5.1.x): remove the address; it is a hard bounce.
  • 5xx policy or security (5.7.x): fix authentication, content, or reputation before resending.
  • 5xx mailbox or storage (5.2.x): the recipient must act, but treat it as undeliverable for now.

Because most permanent 5xx failures involving 5.7.x codes trace back to broken or misaligned SPF, DKIM, or DMARC, the durable fix is to get your authentication correct once. Our overview of how to check email deliverability ties the codes to the underlying records.

Frequently asked questions

What is the difference between a 4xx and a 5xx SMTP error?

A 4xx code is a transient failure, meaning the receiving server could not accept the message right now but the same message may succeed on a later retry. A 5xx code is a permanent failure, meaning the message will not be delivered until you change something about it, the recipient, or your sending setup.

Does a 550 error always mean the email address is invalid?

No. A 550 with the enhanced code 5.1.1 means the mailbox does not exist, but a 550 5.7.1 means the message was refused by a policy such as DMARC enforcement or a blocklist. Always read the enhanced status code and the accompanying text to tell them apart.

How long will a mail server keep retrying a 4xx error?

Most sending servers retry on an increasing backoff schedule and give up after about 48 to 72 hours, at which point they return a delayed delivery failure. Greylisting deferrals usually clear on the first retry within a few minutes.

What does a 550 5.7.26 error mean?

It means the receiving provider, typically Gmail, rejected the message because it was not authenticated with SPF or DKIM. It is the enforcement of the bulk sender requirements that took effect in 2024, and the fix is to authenticate your sending domain properly.

Bounce codes are symptoms, and the most common cause of 5.7.x rejections is an SPF, DKIM, or DMARC record that is missing, misconfigured, or misaligned. Run a free scan of your domain with SPFWise to see exactly which authentication checks pass and which are triggering your bounces.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Related guides

SMTP Error Codes Explained: 4xx and 5xx Bounces