
“DMARC unauthenticated mail is prohibited”

“DMARC unauthenticated mail is prohibited” is a DMARC email rejection error code 550 #5.7.1 that might pop up when sending emails via a specific domain. This article shares detailed information about this error code, the reasons that lead to it, and ways to troubleshoot it.

About DMARC Error Code 550 #5.7.1

DMARC Error code 550 5.7.1 is a non-delivery report (NDR) message that informs the sender that the receiver’s DMARC policy has rejected an email sent from your domain.

The NDR also includes a specific reason phrase reading “DMARC unauthenticated mail is prohibited” – indicating that your email provider was unable to deliver your message to the intended recipient.

This error can have many causes: your email program (email reader or mail client), an error in the DMARC record, the method used to send the email, a misconfigured mail server, and several others related to your use of email in general.

“DMARC Unauthenticated Mail Is Prohibited”: The Reasons & Their Troubleshooting

Let’s do a quick run-through of some common reasons for the “DMARC unauthenticated mail is prohibited” issue:

Reason 1: You are sending emails via an unauthorized server 

The DMARC policy states that the email address provider and the email address server should be the same. If they are not, this is considered a policy violation, and your emails will be rejected by most DMARC-protected recipients, which return the “DMARC unauthenticated mail is prohibited” message.

When you send an email via an unauthorized server, the message is rejected and therefore unauthenticated by DMARC as it fails to pass SPF and DKIM checks.

For example, if your email claims to be from [youremail]@gmail.com but does not come from Gmail SMTP Server and instead comes from another server (let’s assume from OVH Cloud servers), that email will most probably be considered unauthenticated per DMARC policy.

The reason for this is that the address provider (Gmail) and the email address server (OVH Cloud) are different entities. If DMARC finds that your domain does not own your email address provider (such as Gmail), then it will reject your emails as they fail its checks.

How to troubleshoot?

You can troubleshoot this problem by making sure that both your email address provider and the server where your account is hosted are under one umbrella.

In other words, the following all count as unauthorized server scenarios and will cause this error code to appear in the DMARC report: using Gmail as your provider while hosting with another provider such as Amazon Web Services or Microsoft Azure; using Yahoo Mail as a provider while hosting on Google Apps for Work; or hosting with GoDaddy while providing email addresses via Office 365.

Reason 2: You are using free domains to relay emails

DMARC policies require that the domain names used in the From: field, the Sender: header, and the Reply-To: header be legitimate domain names. If any of these fields are set to a free mail account such as Gmail or Yahoo, then the “DMARC unauthenticated mail is prohibited” error will occur.

This is because many email providers like Gmail and Yahoo have strict DMARC rules regarding the use of their domain names to relay mail. They will therefore prohibit your mail if the envelope sender address does not match the domain name of your outbound mail server.

How to troubleshoot?

To troubleshoot the error above, we recommend that you change the header from and reply-to email addresses to a paid service. By setting up your domain for your mailbox, your email will look like [@mycompanyname.com] instead of [@gmail.com]. This will ensure that your emails are not accidentally considered unauthentic per DMARC policy.

You can fix this by first going to your email client’s settings and changing the email address in these fields to your email.

Then, you will need to go through your DNS settings and add a TXT record with a value of:

v=DMARC1; p=reject; sp=reject; rua=mailto:email@example.com; ruf=mailto:email@example.com; fo=0; adkim=s; aspf=r

– where [email@example.com] is the email address that you changed earlier in your client’s settings, and where adkim and aspf are any values (such as v for verification or p for policy). 

Reason 3: The SPF configuration is not updated to include all senders

If you fail to include all your sending sources in your SPF record, chances are servers will return the “DMARC unauthenticated mail is prohibited” error message for your emails. SPF is a standard used to determine if an email has come from the actual source it claims to have originated from.

In this case, DMARC will check the SPF records for the hostname listed in the From field of an email against those published in DNS by the domain owner.

If there is no match or if there are multiple matches, then DMARC will reject that email as being spoofed and potentially fraudulent.

This means that if you’re using Outlook and you want to send emails from your domain (say, [yourdomainxyz.com]), you need to configure Outlook so that it includes all subdomains of [yourdomainxyz.com] as valid sources in its SPF record.

This way, when DMARC checks those against its records for your domain’s SPF policy, it won’t find any discrepancies and will accept your message as validly originating from yourself—and not someone else trying to pretend they’re you.

How to troubleshoot?

To troubleshoot this issue, you need to go back to your SPF record and make sure it matches the email host domain name. If you have multiple domains, make sure all of them are included in your SPF record.

For instance, if your email is hosted on Outlook, you have to merge Outlook’s SPF syntax (spf.protection.outlook.com) into your SPF record to solve the problem.

The following is an example of an Outlook SPF record:

v=spf1 include:spf.protection.outlook.com -all
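Merging a sender into an existing record, and checking the result, can be scripted. The following Python is an added example, not from the original article: it folds the Outlook include into a single record and flags the common mistake of publishing two SPF records at one name. The second sender (_spf.othersender.example) and the function names are hypothetical.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying terms

# Constructed sample: TXT strings at one name, with a hypothetical second sender.
TXT_AT_DOMAIN = [
    "v=spf1 include:_spf.othersender.example -all",
    "v=spf1 include:spf.protection.outlook.com -all",
]


def term_name(term):
    """Mechanism or modifier name without qualifier, argument or CIDR length."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def merge_spf(existing, extra_terms):
    """Add terms to one record, skipping duplicates and keeping 'all' last."""
    terms = existing.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    body = [t for t in terms[1:] if term_name(t) != "all"]
    tail = [t for t in terms[1:] if term_name(t) == "all"][:1]
    for term in extra_terms:
        if term.lower() not in (t.lower() for t in body):
            body.append(term)
    return " ".join(["v=spf1", *body, *tail])


def lint_spf(txt_values):
    """Return problems that stop receivers from getting a usable SPF result."""
    records = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        return [f"{len(records)} SPF records at one name (permerror); merge them"]
    names = [term_name(t) for t in records[0].split()[1:]]
    problems = []
    # Top-level count only; lookups inside included records add to the total.
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-querying terms, limit is {MAX_LOOKUPS}")
    if "all" not in names and "redirect" not in names:
        problems.append("no 'all' or redirect: unlisted senders get neutral")
    return problems
```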

Reason 4: The sender’s domain is not correctly configured

This error is caused by the recipient’s email server being unable to validate the sender’s SPF record, DKIM signature, or DMARC policy. This can happen for several reasons, including if:

  • the sender’s domain is not correctly configured for SPF or DKIM
  • the recipient’s mail server does not allow for SPF pass-through (which means that it rejects messages from senders that don’t pass SPF validation)
  • the sender has not set up DMARC records, or has set them up improperly.

Any of these cases can cause the receiving server to return a “DMARC unauthenticated mail is prohibited” error.

How to troubleshoot?

There are several ways to troubleshoot this issue:

1. Verify the SPF and DKIM settings in your domain’s DNS records. 

2. If you have verified that your DNS records are correct, then verify that your mail server is configured to send emails using the Authentication-Results header field.

3. If you don’t already have SPF and DKIM records in place, we recommend setting them up.
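Reading the Authentication-Results header of a delivered test message shows how a receiver reaches its verdict, including for the Reason 1 scenario: DMARC passes only when SPF or DKIM passes for a domain aligned with the From: domain. This Python is an added example, not from the original article; the two messages are constructed samples, and org_domain() is a simplifying assumption (last two labels instead of the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a gmail.com From: address relayed through another host.
RELAYED = (
    "Authentication-Results: mx.recipient.example;\n"
    " spf=pass smtp.mailfrom=bounce@relay.example;\n"
    " dkim=pass header.d=relay.example\n"
    "From: Some User <someuser@gmail.com>\n\nbody\n"
)
# Constructed sample: own domain, SPF passing for a subdomain, DKIM failing.
OWN_DOMAIN = (
    "Authentication-Results: mx.recipient.example;\n"
    " spf=pass smtp.mailfrom=bounce@mail.mycompanyname.com;\n"
    " dkim=fail header.d=mycompanyname.com\n"
    "From: Sales <sales@mycompanyname.com>\n\nbody\n"
)


def org_domain(domain):
    """Assumption: last two labels; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Mode 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(raw_message, adkim="r", aspf="r"):
    """Evaluate DMARC from the From: and Authentication-Results: headers."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=pass\b[^;]*?smtp\.mailfrom=([^\s;]+)", results)
    dkim = re.findall(r"\bdkim=pass\b[^;]*?header\.d=([^\s;]+)", results)
    spf_ok = bool(spf) and aligned(spf.group(1).rpartition("@")[2], from_domain, aspf)
    dkim_ok = any(aligned(d, from_domain, adkim) for d in dkim)
    return {"from": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


if __name__ == "__main__":
    for sample in (RELAYED, OWN_DOMAIN):
        print(dmarc_verdict(sample))
```

The relayed message fails even though SPF and DKIM both report pass, because neither authenticated domain matches gmail.com; the second message passes under relaxed alignment and fails when called with aspf="s".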

Reason 5: You might have been blocked by the recipient’s DMARC anti-spam filters

Another reason behind the “DMARC unauthenticated mail is prohibited” error is that the recipient’s email service has blocked your email for violating its DMARC policy.

Sending too many emails (also called mass mailing) in a short period from one source IP address to the recipient is one of the practices most likely to lead the recipient’s domain to publish a DMARC policy that prohibits emails from that sender.

How to troubleshoot?

Contact the recipient directly and ask them how their current DMARC policy is set up (they should be able to provide that information). Then ask them if they would be willing to reconfigure their policy so that it accepts emails from your domain, thereby avoiding being flagged as spam as well as evading the “DMARC unauthenticated mail is prohibited” error.
