Bobcares.com provides Outsourced Hosting Support to Web hosts and other hosting providers.
And as part of our services, we resolve technical support queries posted by hosting users.
A common email bounce error we see in support requests is:
This is an SMTP server at mx.sender.com
Your message could not be delivered to the following address: <recipient@domain2.com>
from <sender@domain1.com> to <recipient@domain2.com>
Connected to recipient-mx.com:yy.yy.yy.yy but sender was rejected.
STARTTLS proto=TLSv1.2; cipher=DHE-RSA-AES256-SHA.
Remote host said: 550 5.1.0 xx.xx.xx.xx is not allowed to send from <domain1.com> per it's SPF Record. Please inspect your SPF settings, and try again.
This means that the mail failed an anti-spam check called SPF, and it was rejected by the recipient’s server.
What is the error “550 5.1.0 [ IP ] is not allowed to send from”?
Many mail servers use an anti-spam defense called SPF (Sender Policy Framework).
Using SPF, a receiving mail server checks whether an incoming mail was sent from an “authorized” mail server. To do this, it looks up a DNS record called SPF, published as a TXT record on the sender’s domain.
SPF records are set by default by many hosting providers, and contain the website’s IP address (A record) and the domain’s mail server IPs (MX records).
For example, here’s a typical SPF record:
$ dig +short txt bobcares.com
"v=spf1 a mx ip4:20.235.161.202 -all"
This means that mail servers will check if a mail coming from <any-name>@bobcares.com originated from any of these:
- 20.235.161.202
- IP in A record
- IP in MX record
If the mail originated from some other IP, the “-all” at the end of the record applies: the mail is considered forged and is discarded.
SPF errors might also be shown as:
SMTP error from remote server for RCPT TO command, host: recipient-mx.com (yy.yy.yy.yy) reason: 550 : SPF: xx.xx.xx.xx is not allowed to send mail from sender@domain1.com
sender@domain1.com: SMTP error from remote server for RCPT TO command, host: recipient-mx.com (yy.yy.yy.yy) reason: 550 xx.xx.xx.xx is not allowed to send mail from domain1.com
What are the causes of the “[ IP ] is not allowed” error?
SPF checks rely on the proper configuration and functioning of DNS.
We’ve seen a wide range of causes for SPF failures, including name server errors, domain expiration, DNS errors and more.
However, most support issues are caused by these 3 errors:
1. Wrong entry in MX or A records
SPF records can be a bit confusing.
We’ve seen VPS users and Shared hosting users set wrong entries, usually when they have recently switched servers.
Users forget to update the IP in SPF records, which causes mails from the new servers to be rejected.
Solution: We fix this issue by setting the right IP in the SPF record, and by including the A and MX records in the list.
2. Missing SPF record for external MX
Many businesses use Google Apps and similar services to host their mail.
But if Google’s mail servers are not included in the SPF record, mail sent through them will fail the SPF check.
Solution: This issue is fixed by including the external mail service’s IP or their domain name in the SPF record, like so:
v=spf1 a mx include:_spf.google.com -all
3. Name server downtime or syncing issues
Almost all hosting providers use multiple servers to serve DNS records.
DNS entries updated on one server automatically sync to all the others.
But there are cases where new SPF entries have failed to sync or the DNS servers were unreachable. This causes the SPF record lookup to fail, and the mail to bounce.
Solution: Name servers can fail for many reasons, such as network errors, config issues, authentication issues, etc. We analyze the events in the server log, identify the exact cause, and fix the issue.
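The first two causes can be reproduced offline before a record is published. The Python code below is an added example, not Bobcares’ own tooling: it evaluates a subset of SPF (a, mx, ip4, include, all) against constructed DNS data. The names domain1.example and _spf.provider.example, the documentation-range IPs, and the helpers check_spf and verdict are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS data using documentation ranges; every name and IP is hypothetical.
A = {"domain1.example": ["198.51.100.7"], "mail.domain1.example": ["198.51.100.8"]}
MX = {"domain1.example": ["mail.domain1.example"]}
TXT = {"_spf.provider.example": "v=spf1 ip4:203.0.113.0/24 ~all"}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt, depth=0):
    """Evaluate a subset of SPF (a, mx, ip4, include, all) for a sending IP."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none" if depth == 0 else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in A.get(arg or domain, [])
        elif mech == "mx":
            hit = any(ip in A.get(host, []) for host in MX.get(arg or domain, []))
        elif mech == "include":
            inner = check_spf(ip, arg, txt, depth + 1)
            if inner == "permerror":
                return inner
            hit = inner == "pass"  # only a pass inside the include counts as a match
        else:
            return "permerror"  # mechanism outside this example's subset
        if hit:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def verdict(ip, record):
    """Check `ip` against a candidate record published for domain1.example."""
    return check_spf(ip, "domain1.example", {**TXT, "domain1.example": record})


if __name__ == "__main__":
    # Cause 1: the record still lists the old server after a migration.
    print(verdict("198.51.100.7", "v=spf1 ip4:192.0.2.10 -all"))         # fail
    print(verdict("198.51.100.7", "v=spf1 a mx ip4:198.51.100.7 -all"))  # pass
    # Cause 2: mail relayed by an external provider missing from the record.
    print(verdict("203.0.113.5", "v=spf1 a mx -all"))                    # fail
    print(verdict("203.0.113.5", "v=spf1 a mx include:_spf.provider.example -all"))  # pass
```

An IP that the included record only soft-fails does not match the include, so evaluation continues to the outer “-all” and the mail still fails.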
Conclusion
“550 xxxx is not allowed to send mail from” is an email bounce error caused when the sender’s IP address does not match the IPs in the SPF record. Here we’ve discussed 3 causes for this error, and how we fix them.
I think I found something useful. I have a couple of email domains on my mailserver. I wanted to secure the DNS entries and was wondering what the correct syntax is for the “include:_spf.google.com”. If I replace it with the domain of my mail server, which is sitting on a different domain, would it work? Or do I need to create a “_spf” TXT record over there? Is the “_spf” looking for an SPF record?
Hello Dieter,
Our Expert Engineers can help you with custom SPF settings. We’ll be happy to talk to you on chat (click on the icon at right-bottom).
This is a helpful post. Thanks. Can you add a clarification, though? What if one needs to add some other server in addition to what is already there? Can we add multiple IPs? Multiple includes? Or must each be a new record?
To be clear, I’m not a customer, and I will keep looking for that answer, and may find it before you offer it. But as your post comes up first in a search on this error, your clarification here could help many readers. 🙂
Hello Charlie,
Thank you for your feedback. It is indeed possible to have multiple IPs in the SPF record of a domain. Let us know if you need help in setting an SPF record.