“Relay access denied” in Office 365? Here’s how to fix it
Email errors are quite confusing.
“550 5.4.1 Relay Access Denied” is one such error you see in Office 365 servers.
The “Access Denied” part tells you that something is wrong, but not where the problem lies.
At Bobcares, we often resolve such email errors as part of our Technical Support Services for web hosting companies.
Today, let’s take a quick look at the reasons for Office 365 relay access denied errors and how we fix them.
What is Office365 relay access denied error?
Users sometimes get this error when they send emails from contact forms or email clients through Exchange servers.
550 5.4.1 Relay Access Denied
This error means that the sender is not allowed to relay emails via the server.
An open relay is an insecure mail server that allows anyone to send emails without authentication. This can lead to spamming and resource abuse, so most mail servers refuse to act as open relays.
So, when an unauthenticated or unauthorized sender attempts to send emails through a mail server that is not an open relay, the server rejects them with the error 550 5.4.1 Relay Access Denied.
Causes and Fixes for Office365 relay access denied error
Based on our experience handling Office 365 relay access denied errors, here are the major causes and how we fix them.
1. Incorrect SMTP authentication details
A quick look at the support tickets that we handled shows that 95% of ‘Relay Access Denied’ errors are caused by incorrect SMTP settings.
The relay access denied error occurs when the Office 365 server is unable to authenticate the mail user.
When you send an email using an email client or contact form, you have to provide the login credentials to authenticate.
The mail server uses these details to validate the connection. If any of these details are wrong, Office 365 will refuse to relay the emails.
How we fix it
Our Hosting Engineers check the following SMTP configuration settings of the sender domain and confirm that everything is correctly configured.
Email account name : Your email account
Email password : Email password
Incoming server : Incoming mail server
Outgoing server : Outgoing mail server
SMTP port : Outgoing mail server port
Encryption : SSL or TLS
We also confirm that the option “My Outgoing server requires authentication” is enabled in the mail client settings.
This ensures that all the emails will be sent from the account only after authenticating with the mail server.
2. Port blocks
By default, SMTP port is 25. However, most of the network providers or ISPs block this port to reduce spamming.
If the user configures the email account to use port 25 but this port is blocked, the user’s emails will bounce with the error Relay access denied.
How we fix it
We ask the user to check connectivity on port 25 to the Exchange server (smtp.office365.com) using the following command.
telnet smtp.office365.com 25
If there are any connectivity issues at the network level, they need to be fixed at the ISP end.
We also add appropriate rules to allow SMTP connectivity for valid users.
3. IP address restriction
Receive connectors (inbound connectors) in mail servers are used to configure how the mail server listens for SMTP connections.
In Office 365 servers, these receive connectors only allow internal users to relay emails.
To relay emails externally, the IP address of an application server or device should be allowed in receive connectors.
Otherwise, emails will be rejected with the error Relay access denied.
We’ve seen cases where a change in the network or ISP changes the user’s IP address.
In that case, the connector can no longer identify the sender and will not relay the messages to external recipients.
The result is a Relay access denied error.
How we fix it
In order to relay emails externally, we’ll add the user’s IP address to the Allowed list of the Receive connectors.
This can be done from Exchange Admin center > Mail flow > Connectors.
Proper permissions are also set for the newly added Receive connectors so that they can send emails to external recipients.
4. Incorrect SPF record setting
Email providers use a security feature called SPF (Sender Policy Framework) to check the authenticity of the sender.
It specifies which servers can send emails on behalf of a domain.
When emails don’t originate from the servers listed in the SPF record of the domain, the receiving mail server treats them as fraudulent and rejects them.
How we fix it
Our Hosting Engineers ensure that the following SPF record is added for the sender domain.
v=spf1 include:spf.protection.outlook.com ~all
We’ll then obtain the user’s public IP address that is used to send SMTP traffic to Exchange Online.
We’ll also cross-check that the user’s IP address is added to this SPF record. It should look like:
v=spf1 ip4:xx.xx.xx.xx include:spf.protection.outlook.com ~all
Now, the recipient domain can identify Exchange server as one of the approved senders.
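The SPF check described above, as an added example (not Bobcares’ own tooling): a small Python evaluator that tests a sending IP against an SPF record the way a receiving server does, for the ip4, ip6, include and all mechanisms. The domain example.com, the address 203.0.113.10 and the TXT data, including the contents shown for spf.protection.outlook.com, are constructed so that it runs offline; they are not the real published records.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT data for offline use; NOT the real published records.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

def check_spf(domain, sender_ip, txt=SAMPLE_TXT, depth=0):
    """Return (result, matching_term) for sender_ip against domain's SPF record."""
    if depth > 10:  # guard against include loops (RFC 7208 caps DNS lookups at 10)
        return "permerror", "too many includes"
    terms = txt.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    ip = ipaddress.ip_address(sender_ip)
    # Mechanisms are evaluated left to right; the first match decides the result.
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the included record evaluates to "pass"
            matched = check_spf(arg, sender_ip, txt, depth + 1)[0] == "pass"
        else:
            # a, mx, exists, redirect etc. need live DNS; not handled here
            return "permerror", term
        if matched:
            return QUALIFIERS[qual], term
    return "neutral", None

if __name__ == "__main__":
    for addr in ("203.0.113.10", "198.51.100.25", "192.0.2.77"):
        print(addr, check_spf("example.com", addr))
```

A sender whose public IP has changed to an address outside the record, such as 192.0.2.77 here, falls through to ~all and gets softfail.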
5. Inactive or mis-configured recipient email account
We’ve seen 2 cases where a recipient server can’t confirm a user as valid.
- The user database of the recipient’s mail server is corrupt, and the user can’t be identified as valid.
- The recipient has set a wrong MX record IP address, and delivery is attempted to the wrong server.
How we fix it
This issue can’t be fixed at the sender’s mail server end.
However, we look for the details in the mail server logs and contact the recipient MX administrators for a quick solution.
“Office 365 relay access denied” error occurs when users send emails to external domains via Office 365. Today, we’ve seen the 5 possible reasons for this error and how our Dedicated Support Engineers fix them.