When messages are sent or received between two email servers or Mail Transfer Agents (MTAs), the communication uses a series of numeric SMTP codes. These codes are always in pairs, which means both servers transmit the codes until either the conversation is successful, or fails.

There are two main code types for dropped or failed SMTP conversations. The first number in a code, indicates whether the MTA accepted the command, or if it was rejected. The remaining two numbers in a code provide information on the reason for the failure. The code types are:

  • 4xx: The server encountered a temporary failure. If the command is repeated without being changed, it may be successful depending on the reason for the initial failure. Mail servers use temporary failures to hold connections from untrusted sources, while additional security checks are performed.
  • 5xx: The server has encountered a permanent error and the message delivery has failed.
If you receive any of the errors listed below when sending a message to a Mimecast customer, contact the recipient’s Mimecast Administrator. Mimecast can only deal with designated customer contacts.

4xx Error Codes

A correctly configured mail server should retry sending a message if a 4xx error code is received. These connections are logged in the Message Center: Rejected and Deferred Messages list.

CodeReason Given to Sending MTADescriptionRecommended Resolution
421Sender address blockedThe sender’s IP address has been blocked by a Blocked Senders Policy.Removed the entry from the policy.
421Unable to process connection at this timeThe Mimecast server is under maximum load.The message is processed when the Mimecast server is less busy.
451Internal resource temporarily unavailableThe sending mail server is subjected to Greylisting. This requires the server retries the connection, between one minute and 12 hours. Alternatively the sender’s IP address has a poor reputation.These reputation checks can be bypassed with an Auto Allow or Permitted Senders policy. If it’s legitimate traffic create a Greylisting Bypass policy.
451Message ended earlyThe message was incorrectly terminated. This can be caused by:

  • Files that previously contained a virus, but haven’t been cleaned by an anti-virus product, leaving traces in the message.
  • Firewall issues on the sender’s side.
  • Incorrectly configured content rules on a security device.
Investigate the Intrusion Detection software or other SMTP protocol analyzers. If running a Cisco Firewall, ensure the Mailguard or SMTP Fixup module is disabled.
451Open relay not allowedBoth the sender AND recipient domains specified in the transmission are external to Mimecast, and aren’t allowed to relay through the Mimecast service and / or the connecting IP address isn’t recognized as authorized.Mimecast customers should contact Mimecast Support for add the Authorized Outbound address, or to take other remedial action.
451Account outbounds disabledThe customer account outbound emails are disabled in the Administration Console.Contact Mimecast Support if the account’s outbound traffic should be allowed.
451Account inbounds disabledThe customer account inbound emails are disabled in the Administration Console.Contact Mimecast Support if the account’s inbound traffic should be allowed.
451Account service temporarily unavailableThere are too many concurrent inbound connections for the account. The default is 20.The IP address is automatically removed from the block list after five minutes. Continued invalid connections result in the IP being readded to the block list. Ensure you don’t route outbound or journal messages to Mimecast from an IP address that hasn’t been authorized to do so.
451Recipient Temporarily UnavailableThe Sender’s IP address has been placed on the block list due to too many invalid connections.The sender’s mail server must retry the connection. The mail server performing the connection says the recipient address validation isn’t responding.
451Unable to process email at this timeAn AV scanner or store server is temporarily unavailable due to updates being deployed.The message is processed once the updates are deployed.
451Unable to process email at this timeGeneric error if the reason is unknownContact Mimecast Support.
451IP Temporarily BlacklistedYou’ve reached your mail server’s limit.Wait and try again. The mail server won’t accept any messages until you’re under the limit.
451Hostname is not authorizedOmni Directional hostnames is enabled.Disable Omni Directional hostnames.
452Too many recipientsThe sending server issues more than 100 RCPT TO entries. By default, Mimecast only accepts 100 RCPT TO entries per message body (DATA). The error triggers the sending mail server to provide the DATA for the first 100 recipients before it provides the next batch of RCPT TO entries.None. Most mail servers respect the transient error and treat it as a “truncation request”. If your mail server, firewall, or on-site solution doesn’t respect the error, you must ensure that no more than 100 recipients are submitted.

Solutions like SMTP Fix Up / MailGuard and ESMTP inspection on Cisco Pix and ASA Firewalls are known not to respect the transient error. We advise you disable this functionality.

5xx Error Codes

Error 5xx codes are permanent failures. These connections are rejected in protocol, and the connection is logged in the Rejection Viewer. As the message is rejected in protocol, it isn’t retrievable from the Administration Console, and must be resent once the issue is addressed.

CodeReason Given to Sending MTADescriptionRecommended Resolution
501Invalid addressThe email address isn’t a valid SMTP address.The sender must resend the message to a valid internal email address.
503User unknownThe server has encountered a bad sequence of commands, or it requires an authentication.In case of a “bad sequence”, the server has pulled off its commands in a wrong order, usually because of a broken connection. If authentication is needed, enter your username and password.
535Incorrect authentication dataMessages submitted to SMTP port 587 require authentication. This error indicates the authentication details provided were incorrect.Check your authentication details match an internal email address in Mimecast, with a corresponding Mimecast cloud password. Alternatively, consider sending the message on SMTP port 25.
550Submitter failed to authenticate
550Administrative prohibition – envelope blockedThe sender’s email address or domain has triggered a Blocked Senders Policy, or there’s a SPF hard rejection.Delete or modify the Block Sender Policy to exclude the sender address.
550Anti-Spoofing policy – Inbound not allowedThe message has triggered an Anti-Spoofing Policy.Create an Anti-Spoofing Policy to take no action for the sender’s address or IP address.
550Rejected by header based Anti-Spoofing policy
550Envelope blocked – User EntryA personal block policy is in place for the email address / domain.Remove the email address / domain from the managed senders list.
550Envelope blocked – User Domain Entry
550Rejected by header based manually Blocked Senders – block for manual block
550Rejected by header based Blocked Senders – Block policy for Header FromA Block Sender Policy has been applied to reject emails based on the Header From or Envelope From address.Delete or change the Block Sender policy.
550Envelope Rejected – Block policy for Envelope from address
550<details of RBL>The sender’s IP address is listed in an RBL. The text displayed is specific to the RBL which lists the senders IP address.Bypass the RBL with an Auto Allow or Permitted Senders policy. Additionally request removal of the associated IP address from the RBL.
550Local CT IP Reputation – (reject)Ongoing reputation checks have resulted in the message being rejected due to poor IP reputation. This could be subsequent to a 4xx error.Create an Auto Allow or Permitted Senders policy.

You can request a review of your source IP ranges by completing our online form.
550Invalid RecipientKnown recipient, LDAP or SMTP call forwarding recipient validation checks haven’t returned a valid internal user.The sender must resend the message to a valid internal recipient address.
550Exceeding outbound thread limitThere are too many concurrent outbound connections for the account.Send the messages in smaller chunks of recipients.
550Message bounced due to Content Examination PolicyThe message has triggered a Content Examination policy.Create a Content Examination Bypass Policy, or adjust the Content Examination policy as required.
550SPF Sender Invalid – envelope rejectedThe inbound message has been rejected because the originated IP address isn’t listed in the published SPF records for the sending domain.Ensure all the IP address for your mail servers are listed in your SPF records. Alternatively, create a DNS Authentication Policy with the “Inbound SPF” or “Reject on Hard Fail” option disabled. Messages that fail our SPF checks are subjected to spam and RBL checks, instead of being rejected.
550DKIM Sender Invalid – envelope rejectedThe DKIM key for the outbound message is broken, and doesn’t match the DNS record of the registered sender.Check your organization’s DNS record is populated with the right public key as part of the DNS Authentication Outbound Signing definition. The private key of the keypair must be populated in the DNS Authentication policy, along with the domain and selector of that record.
550DMARC Sender Invalid – envelope rejectedThe inbound message has been rejected because the originated IP address isn’t listed in the published DMARC records for the sending domain.Ensure all the IP address for your mail servers are listed in your DMARC records.
550Journal message past expirationAttempts are being made to journal mail that is past the set expiry threshold. The failure will be replaced by a retry response because the message is marked for retry if rejected, causing the journal queue to grow.Check to confirm there are no significant time discrepancies on the mail server. Discontinue journaling old messages past the expiry threshold.
553This route requires encryption (TLS)This email has been sent using SMTP, but TLS is required by policy.Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the certificates on the mail server haven’t expired. If using a proxy server, ensure it isn’t intercepting the traffic and modifying encryption parameters.
553This route requires TLS version 1.2 or greaterA TLS connection has been attempted using a TLS version that is lower than TLS 1.2.Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the mail server attempting to connect is using the appropriate version of TLS.
553This route requires high strength ciphersA secure connection was attempted using ciphers that do not meet the configured cipher strength.Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the certificates on the mail server haven’t expired. If using a proxy server, ensure it isn’t intercepting the traffic and modifying encryption parameters.
554Email rejected due to security policies (E.g. MCSpamSignature.x.x)A signature was detected that could either be a virus, or a spam score over the maximum threshold. The spam score isn’t available in the Administration Console.

If you aren’t a Mimecast customer but have emails rejected with this error code, contact the recipient to adjust their configuration and permit your address. If unsuccessful, your IT department can submit a request to review these email rejections via our Sender Feedback form.
Anti-virus checks cannot be bypassed. Contact the sender to see if they can stop these messages from being blocked. Anti-spam checks can be bypassed using a Configuring Permitted Senders or Auto Allow policy. Rejected emails can be viewed in your Outbound Activity and searching for the required email address.
554Mail loop detectedThe message has too many “received headers” as it has been forwarded across multiple hops. Once 25 hops has been reached, the email is rejected.Investigate the email addresses in the communication pairs, to see what forwarders are configured on the mail servers.
554Maximum email size exceededThe email size either exceeds an Email Size Limits policy, or is larger than Mimecast service limit. The default is 100 MB for the Legacy MTA, and 200 MB for “the Latest MTA”.Resend the message ensuring it’s smaller than the limitation set.

The transmission and content encoding can add significantly to the total message size (e.g. a message with a 70 MB attachment, can have an overall size larger than 100 MB).
554Host network not allowedThe message has triggered a Geographical Restrictions Policy.Delete or amend the policy.
554Configuration is invalid for this certificateValidation on the your umbrella accounts domain name does not conform to your DNS.Check you DNS has the required umbrella accounts listed as comma separated values.
These SMTP codes and reasons are communicated to the sending MTA. For a permanent failure, these details must be included in the Non-Delivery Report (NDR) generated by that mail server.

10 personas indicaron que les resultó útil