550 5.1.8 Access denied, bad outbound sender

A Non-Delivery Report (NDR), also referred to as a ‘bounce report’, with the status code: “550 5.1.8 Access denied, bad outbound sender” is typically generated by Microsoft if one or more of the following conditions is met:

1. Your account is compromised (or appears to be).
2. You hit a volume limit in your daily, hourly, or recipient.
3. Microsoft thinks you’re sending spam.

The bounce report is very vague and looks like this:

Delivery has failed to these recipients or groups:

recipient@domain.com
Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance.

If you are the email sender and the admin, this article will help you unblock a 550 5.1.8 ACCESS DENIED error.  If you’re not the email admin please copy the URL for this article and include the link when you contact your email admin.  (ps – Google Workspace has a similar NDR 69585 Bounce Error.)

How to Fix a 550 5.1.8 Access denied, bad outbound sender Report

1. Confirm that the email account has not been hacked then proceed to Step 2
2. The Admin must log in to the Microsoft Admin 365 Defender Portal
3. Navigate to Email & Collaboration > Review > Restricted Users
4. Select the user from the list and click Unblock
5. Follow the steps to remove restrictions and wait 1 hour to send emails

How to Edit Anti-spam outbound policy (Default)

If you followed the steps above and there were not any users listed in the Defender Portal, the 550 5.1.8 report may be caused by the user surpassing the company’s volume based limits.

It’s possible to increase your email sending limits, but maxing out email volume may cause even more issues with blacklists and domain reputation.

Pro Tip: Consider setting up an alternative email address for sending cold emails.

You can follow the steps below to increase your anti-spam outbound email volume limits:

1. Log into your admin account and navigate to the Anti-Spam Policies page
2. Select the ‘Anti-spam outbound policy’ 
3. Scroll down the page and click ‘edit protection settings’
4. Increase the volume limits for external messages
5. Wait up to 24 hours before sending bulk email

Microsoft Thinks I’m Sending Spam

Microsoft 365 comes packed with features like Exchange Online Protection (EOP) which serves as the control center for email admins to create policies for malware, spa and more.  The Defender Portal must be logged into separately from your Office 365 Admin Portal.

The 550 5.1.8 ACCESS DENIED report should contain information about why the email(s) triggered the error.  Once you’ve confirmed the email account is NOT hacked and addressed the email volume, it’s time to dig deeper to adjust your EOP settings.

1. Create create custom outbound anti-spam policies in EOP
2. Click the + button and select Outbound from the dropdown
3. Name your policy > add users, groups or domains > configure protection settings
4. Set up notifications to automatically send a bcc copy of the suspicious outbound emails to the admin for review

Fortunately Microsoft has a much more robust set of docs for managing the outbound bulk emailing for your 365 account.

If you’ve completed the 3 phase review above and you’re still running into deliverability issues, make sure the email senders are following best practices for email deliverability.  Persistent deliverability issues may signal that it’s time to consider setting up a new domain for cold email.