Bobcares.com provides Outsourced Hosting Support to Web hosts and other hosting providers.

And as part of our services, we resolve technical support queries posted by hosting users.

A common email bounce error we see in support requests is:

This is an SMTP server at mx.sender.com

Your message could not be delivered to the following address: <recipient@domain2.com>

from <sender@domain1.com>
to <recipient@domain2.com>
Connected to recipient-mx.com:yy.yy.yy.yy but sender was rejected. STARTTLS proto=TLSv1.2; cipher=DHE-RSA-AES256-SHA.
Remote host said: 550 5.1.0 xx.xx.xx.xx is not allowed to send from <domain1.com> per it's SPF Record. Please inspect your SPF settings, and try again.

This means that the mail failed an anti-spam check called SPF, and it was rejected by the recipient’s server.

What is the error “550 5.1.0 [ IP ] is not allowed to send from”?

Many mail servers use an anti-spam defense called SPF (Sender Policy Framework).

Using SPF, mail servers will check if an incoming mail is sent from an “authorized” mail server. For this it uses a DNS record called SPF.

SPF records are set by default by many hosting providers, and contains the website’s IP address (A record) and the domain’s mail server IPs (MX records).

For eg. here’s a typical SPF record:

$ dig +short txt bobcares.com 
"v=spf1 a mx ip4:20.235.161.202 -all"

This means that mail servers will check if a mail coming from <any-name>@bobcares.com originated from any of these:

• 20.235.161.202
• IP in A record
• IP in MX record

If the mail originated from some other IP, it is considered a forged mail, and discarded.

SPF errors might also be shown as:

SMTP error from remote server for RCPT TO command, host: recipient-mx.com (yy.yy.yy.yy) reason: 550 : SPF: xx.xx.xx.xx is not allowed to send mail from sender@domain1.com

sender@domain1.com: SMTP error from remote server for RCPT TO command, host: recipient-mx.com (yy.yy.yy.yy) reason: 550 xx.xx.xx.xx is not allowed to send mail from domain1.com

What are the causes of “[ IP ] is not allowed” error

SPF checks rely on the proper configuration and functioning of DNS.

We’ve seen a wide range of causes for SPF fail that includes name server errors, domain expiration, DNS errors and more.

However, most support issues are caused by these 3 errors:

1. Wrong entry in MX or A records

SPF records can be a bit confusing.

We’ve seen VPS users and Shared hosting users set wrong entries, usually when they have recently switched servers.

Users forget to update the IP in SPF records, which causes mails from the new servers to be rejected.

Solution : We fix this issue by setting the right IP in SPF, and by including A and MX records in the list.

2. Missing SPF record for external MX

Many businesses use Google Apps and similar services to host their mail.

But if Google mail servers are not included in the SPF record, the mail will fail.

Solution : This issue is fixed by Including the external mail service IP or their domain name in the SPF record, like so:

v=spf1 a mx include:_spf.google.com -all

3. Name server downtime or syncing issues

Almost all hosting providers use multiple servers to serve DNS records.

DNS entries updated in one server automatically syncs to all others.

But there are cases where new SPF entries has failed to sync or the DNS servers were unreachable. This causes the SPF record lookup to fail, and the mail to bounce.

Solution : Name servers can fail due to many reasons such as network errors, config issues, authentication issues, etc. We analyze the events in server log, fix the exact cause, and fix the issue.

Conclusion

“550 xxxx is not allowed to send mail from” is en email bounce error caused when the sender’s IP address do not match the IPs in SPF records. Here we’ve discussed 3 causes for this error, and how we fix them.