550-5.7.1 unauthenticated email

What the Gmail 550-5.7.1 error means

The 550-5.7.1 error is an SMTP-level rejection returned by Gmail's receiving servers. The full message typically reads:

550-5.7.1 Unauthenticated email from <domain> is not accepted due to domain's DMARC policy.

It means Gmail received your email but refused to deliver it because the message failed authentication checks. The rejection happens during the SMTP session — the message never reaches the recipient's inbox or spam folder.

Since February 2024, Google tightened sender requirements for all senders. Domains sending to Gmail must have SPF and DKIM configured, and bulk senders must also have a DMARC record. Failing these checks can result in 550-5.7.1 rejections.

Missing SPF records

SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorised to send email for your domain. Gmail checks the SPF record to verify that the sending server is permitted.

Without a valid SPF record, Gmail cannot verify server authorisation. This increases the likelihood of 550-5.7.1 rejections and spam placement.

A correct SPF record starts with v=spf1 and lists your authorised senders using include: mechanisms for third-party providers (for example Google Workspace, SendGrid, Mailchimp). It ends with -all (hardfail) or ~all (softfail).

Your domain must have exactly one SPF TXT record. Multiple SPF records cause SPF PermError, which can also trigger 550-5.7.1 rejections.

DKIM signature failures

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. Gmail uses this signature to verify that the message came from an authorised server and has not been tampered with.

DKIM failures that trigger 550-5.7.1 errors include:

Missing selector. The DNS record at <selector>._domainkey.<domain> does not exist. This is common after migrating email providers without updating DNS.

Invalid or revoked key. The DKIM record exists but contains an empty p= field (revoked) or a key that does not match the private key used for signing.

Selector lookup failure. Gmail cannot resolve the DKIM selector DNS record due to a misconfiguration or propagation delay.

Unlike SPF, DKIM signatures survive email forwarding because the signature is attached to the message itself. This makes DKIM a more resilient authentication layer for DMARC alignment.

DMARC alignment problems

DMARC (Domain-based Message Authentication, Reporting & Conformance) enforces alignment between the authenticated domain and the visible From: header domain. If neither SPF nor DKIM passes with alignment to the From: domain, DMARC fails.

The 550-5.7.1 rejection specifically mentions DMARC policy when Gmail rejects based on a p=reject or strict DMARC configuration.

Common DMARC alignment problems that cause 550-5.7.1 errors:

SPF passes at the envelope level but the MAIL FROM domain does not align with the visible From: header domain.

DKIM signs with a d= domain that does not match the From: domain.

A third-party sending service (CRM, marketing platform, support tool) sends email using your From: domain but is not configured to sign with DKIM or use an aligned MAIL FROM domain.

Google sender requirements

Since February 2024, Google enforces the following requirements for senders delivering email to Gmail accounts:

SPF and DKIM must both be configured. Senders must publish a valid SPF record and sign messages with DKIM.

Bulk senders (more than 5,000 messages per day) must also have a DMARC record. The policy can start at p=none, but a record must be present.

One-click unsubscribe. Bulk senders must include a List-Unsubscribe header with a one-click unsubscribe link and honour requests within two days.

Low spam complaint rate. Spam complaint rates must stay below 0.3% in Google Postmaster Tools. Above this threshold, Gmail increases filtering.

TLS encryption. Email in transit must use TLS. Gmail prefers encrypted connections and may down-rank senders that do not support STARTTLS.

Sender reputation. New domains and new IPs have no established reputation. Warming up gradually helps build trust with Gmail's filters.

How to troubleshoot unauthenticated email errors

Follow these steps to diagnose and fix 550-5.7.1 Gmail rejections:

Check SPF. Use MXFend's SPF Checker to verify that your SPF record exists, is valid, and does not contain multiple records.

Check DKIM. Use MXFend's DKIM Checker to verify that the DKIM selector referenced in your outgoing emails exists in DNS and is correctly configured.

Check DMARC. Use MXFend's DMARC Checker to verify that a DMARC record is published and that SPF and DKIM pass with alignment.

Check blacklist status. Use MXFend's Blacklist Checker to confirm your sending IP is not listed on major DNSBLs.

Check SMTP TLS. Verify that your mail server supports STARTTLS and uses a valid TLS certificate.

Run Email Security Score. MXFend's Email Security Score audits SPF, DKIM, DMARC, MX, blacklists, SMTP TLS, BIMI, MTA-STS, and TLS-RPT in a single report.

Use Google Postmaster Tools. Postmaster Tools shows your domain and IP reputation as seen by Gmail, spam rates, and DMARC compliance data.