How to fix Outlook bounces 550 5.7.515 and 550 5.7.23
These bounce messages mean the receiving Outlook server rejected your mail because your sending domain did not pass authentication. Fixing your domain DNS records resolves it. Jump to your situation below or work through the methods in order.
By Neeraj Singh ~8 min Updated Jun 2026 86% found this helpful
Error message
550 5.7.515 Access denied, sending domain does not meet the required authentication level. / 550 5.7.23 the message was rejected because of SPF.
Summary
Outlook bounce codes 550 5.7.515 and 550 5.7.23 are sender authentication rejections: Microsoft's receiving servers refused your message because your sending domain failed SPF, DKIM or DMARC. 5.7.515 means the domain does not meet Microsoft's required authentication level (its enforced standard for senders), and 5.7.23 specifically means the message failed an SPF check. These are hard rejections, not junk-foldering, and they are fixed on the sending domain's DNS, not in Outlook. The fix is to publish and align a correct SPF record listing every service that sends for your domain, enable DKIM signing, and publish a DMARC record with SPF or DKIM aligned to your From address. Because this is domain-level configuration, your domain or email administrator makes the change, after which the messages are accepted.
What this error means
Microsoft now enforces email authentication for senders. When your message arrives, its servers check that your domain proves it sent the mail, via SPF (authorised servers), DKIM (a cryptographic signature) and DMARC (alignment of those with your From address). If that proof fails, it rejects the message outright.
5.7.515 is the broad failure, your domain does not meet the required authentication level, while 5.7.23 pins it to an SPF problem. Neither is fixed in Outlook because the issue is your domain's DNS records. Publishing correct, aligned SPF, DKIM and DMARC records is what makes Microsoft accept the mail.
Common causes
The sending domain has no valid SPF record, or it is incomplete.
A sending service is not listed in the SPF record.
DKIM signing is missing or misconfigured.
No DMARC record, or SPF and DKIM do not align with the From domain.
The SPF record exceeds the 10 DNS lookup limit.
Expert insight
“550 5.7.515 and 5.7.23 are not Outlook bugs, they are Microsoft refusing mail because your domain has not proven who it is. The good news is it is entirely fixable, and entirely on your DNS. I make sure the SPF record lists every service that sends for the domain, turn on DKIM signing, and publish a DMARC record that aligns with the From address. Once those three line up, the bounces stop. It is a domain admin job, not something you fix inside the mail app.”
Manager, Tech Support & Operations · 19+ years fixing Windows and system errors
✓ How to fix it
Method 1
Publish and align a correct SPF record
1In your domain DNS, publish an SPF TXT record that lists every server and service that sends mail for your domain.
2Keep it within the 10 DNS lookup limit.
35.7.23 in particular points at an SPF problem.
Method 2
Enable DKIM signing
1Set up DKIM so outgoing mail is cryptographically signed, and publish the public key in your DNS.
2Make sure the signing domain aligns with your From address.
3Microsoft requires DKIM to pass for many senders.
Method 3
Publish a DMARC record
1Publish a DMARC TXT record (start with p=none for monitoring) so SPF or DKIM align with your visible From domain.
2This is what 5.7.515 checks for.
3Advance to p=quarantine or p=reject once aligned.
Method 4
Authorise third-party senders
1If a marketing or CRM platform sends on your behalf, add its sending sources to your SPF record and configure DKIM for it.
2Unauthorised third-party senders are a common trigger.
3Verify with an SPF and DMARC checker.
Method 5
Verify with an authentication checker
1Use a public SPF, DKIM and DMARC checker, or send a test to a validation tool, to confirm all three pass and align.
2Fix any reported gaps.
3Then resend the original message.
550 5.7.515 and 5.7.23 are sender authentication rejections fixed on your domain DNS, not in Outlook. Publish a complete, aligned SPF record (5.7.23 is an SPF failure), enable DKIM signing, and publish a DMARC record aligned to your From domain (5.7.515 checks this). Authorise any third-party senders and verify with a checker before resending.
Frequently asked questions
What do Outlook bounces 550 5.7.515 and 550 5.7.23 mean?
They are sender authentication rejections. 5.7.515 means your sending domain does not meet Microsoft's required authentication level, and 5.7.23 means the message failed an SPF check. Both are hard rejections.
How do I fix them?
Fix your domain DNS, not Outlook: publish a complete, aligned SPF record, enable DKIM signing, and publish a DMARC record that aligns SPF or DKIM with your From domain, then resend.
Why is 5.7.23 different from 5.7.515?
5.7.23 specifically means an SPF failure, while 5.7.515 is the broader Access denied, your domain does not meet the required authentication level. Both are resolved by correct, aligned SPF, DKIM and DMARC.
Is this fixed in Outlook settings?
No. These are domain-level authentication failures, so the fix is in your domain's DNS records, made by your domain or email administrator, not in the Outlook app.
A third-party service sends my mail, what do I do?
Add that service's sending sources to your SPF record and configure DKIM for it, so its messages authenticate for your domain. Unauthorised senders are a common cause.
How do I confirm it is fixed?
Use a public SPF, DKIM and DMARC checker, or a validation tool, to confirm all three pass and align with your From domain, then resend the message that bounced.
Still not working?
If SPF, DKIM and DMARC all appear correct but mail still bounces with 5.7.515, the failure is often DKIM alignment broken by header encoding or a forwarding hop; checking the raw message headers for the authentication results pinpoints which check failed. You can also submit your error to us for a tailored fix.
