SMTP error codes tell you exactly why an email failed to deliver. In cold email operations, the difference between a 421 and a 554 determines whether you wait and retry or pull a domain from rotation immediately. Most cold email operators see error codes in their sequencer dashboard and don't know what action to take. The wrong response (retrying a permanent failure, or ignoring a temporary one) accelerates domain burns and wastes sending capacity.
We process 7.5M+ emails daily across 833K+ inboxes on the MailDeck platform for 1,631+ outbound teams. The error patterns we see across this volume are consistent: most delivery failures in cold email trace back to three root causes: unverified email addresses, misconfigured DNS authentication, and sending too fast from new inboxes. Based on Q2 2026 platform data.
This guide covers every SMTP error code you'll encounter in cold email, what each one means for your infrastructure, and the specific action to take.
How SMTP Error Codes Work
When you send an email, your sending server communicates with the receiving server using SMTP (Simple Mail Transfer Protocol, RFC 5321). The receiving server responds with a three-digit code that tells your server what happened.
The first digit tells you the category:
| First digit | Category | What it means for cold email |
|---|---|---|
| 2xx | Success | Email accepted for delivery. No action needed. |
| 4xx | Temporary failure | Something went wrong, but it might work later. Your sequencer should retry. |
| 5xx | Permanent failure | The email will never be delivered. Stop sending to this address and investigate. |
The second and third digits provide specifics. Enhanced status codes (like 5.1.1 or 5.7.1) add even more detail.
The critical rule for cold email: never retry a 5xx error. Repeatedly sending to addresses that return permanent errors damages your domain reputation faster than almost anything else. Receiving servers interpret repeated 5xx retries as spam behavior.
The 4xx Errors: Temporary Failures (Retry)
4xx errors mean the receiving server is telling you "not right now." These are soft bounces. Your sequencer should retry automatically. But in cold email, persistent 4xx errors often signal a deeper infrastructure problem.
421: Service Not Available
What it means: The receiving server is temporarily unable to process your email. The server might be overloaded, undergoing maintenance, or rate-limiting your connection.
Cold email context: This is the most common 4xx error in cold email. It usually means you're sending too fast. Microsoft 365 and Google servers throttle senders who push too many emails in a short window. If you're sending 10 emails per inbox per day and all 10 go out in the first hour, expect 421 errors.
Action: Increase the interval between sends. MailDeck recommends a minimum 61-minute interval between sends per inbox. Spread sends across the working day. If 421 errors persist for more than 24 hours, check whether your IP or domain is being actively throttled.
450: Mailbox Temporarily Unavailable
What it means: The recipient's mailbox exists but can't receive email right now. Common reasons: mailbox is full, server is under maintenance, or greylisting is active.
Cold email context: Greylisting is the most common cause for cold emailers. Some corporate mail servers deliberately reject the first delivery attempt from unknown senders and only accept on the second try. This is a spam prevention technique.
Action: Let your sequencer retry. Most sequencers handle this automatically. If 450 errors spike suddenly across many recipients on the same domain, that corporate mail server may have tightened filtering. Note the domain and monitor.
451: Local Processing Error
What it means: The receiving server encountered an internal error while processing your email.
Cold email context: Usually not your fault. This is a server-side issue at the recipient's end.
Action: Retry later. If 451 errors are widespread across many different recipient domains, check your own sending server for configuration issues.
452: Insufficient System Storage
What it means: The receiving server doesn't have enough storage to accept your message.
Cold email context: Rare in cold email. More common when sending to small companies running their own mail servers.
Action: Retry later. No action needed on your end.
The 5xx Errors: Permanent Failures (Stop and Fix)
5xx errors mean the email will never be delivered unless you fix the underlying problem. These are hard bounces. Every 5xx bounce damages your sender reputation.
The 5xx class also includes protocol-level and authentication errors (500-503, 535) that prevent the SMTP transaction from completing at all. These errors mean your email never reached the content-filtering stage.
500: Syntax Error, Command Unrecognized
What it means: The receiving server could not parse the SMTP command your sending server transmitted. The command is malformed, contains invalid characters, or exceeds the maximum line length of 512 characters (RFC 5321, Section 4.5.3.1.4).
Cold email context: Rare in cold email when using established sequencers (Instantly, Smartlead). Most common when using custom SMTP integrations or when a firewall/security appliance between your server and the recipient modifies SMTP traffic in transit.
Action: Check that your sender name and "From" address contain only valid ASCII characters. Remove special symbols, curly quotes, or emoji from display names. If using a custom SMTP setup, verify the client library is current and test the connection manually with openssl s_client or telnet.
501: Syntax Error in Parameters or Arguments
What it means: The server recognized the SMTP command (MAIL FROM, RCPT TO) but the parameters are malformed. The difference from 500: the command keyword is valid, but the data accompanying it is not (RFC 5321, Section 4.2.3).
Cold email context: This surfaces when your prospect list contains malformed email addresses: missing "@" symbol, spaces in the domain, local parts exceeding 64 characters, or broken merge/personalization tags that produce invalid addresses in the RCPT TO field.
Action: Validate your prospect list format before importing into your sequencer. Run addresses through EmailShield to catch syntax-level issues. Check your EHLO hostname resolves to a valid FQDN. If using variable fields in sender addresses, test with sample data before launching campaigns.
502: Command Not Implemented
What it means: The server understood the command syntactically but does not support it. The server is saying: "I know what you're asking, but I won't do it." (RFC 5321, Section 4.2.3)
Cold email context: Usually occurs when there is a mismatch between what your sending tool expects and what the SMTP relay supports. Common triggers: the server has disabled STARTTLS but your tool forces it, or the server does not support the AUTH mechanism your tool is attempting.
Action: Verify your SMTP settings match the server's capabilities. Confirm the correct encryption method (SSL/TLS vs STARTTLS) and port. For Microsoft 365: Port 587, STARTTLS. For Google Workspace: Port 587 (TLS) or Port 465 (SSL). If using a third-party SMTP relay, consult their documentation for supported authentication methods and extensions.
503: Bad Sequence of Commands
What it means: The SMTP commands were sent in the wrong order. SMTP requires a strict sequence: EHLO → MAIL FROM → RCPT TO → DATA. If the client skips a step or proceeds after a rejected command, the server returns 503 (RFC 5321, Section 3.3).
Cold email context: Most commonly caused by authentication configuration issues. If the SMTP server requires AUTH before MAIL FROM and your sending tool skips authentication, every subsequent command fails with 503. Also occurs when a previous command in the session was rejected (e.g., MAIL FROM failed due to a policy block) but the client proceeded to RCPT TO anyway.
Action: Verify your sending tool is configured to authenticate before sending. Check that SMTP credentials are entered and that AUTH is not being skipped. If 503 errors appear after a session interruption, the SMTP session state is corrupted and the connection needs to restart. Review your sequencer's SMTP logs for the exact command sequence.
535: Authentication Credentials Invalid
What it means: The SMTP server rejected your login. Your username, password, or authentication method is wrong or not accepted. This is defined in RFC 4954, Section 6 as enhanced status code 5.7.8.
Cold email context: This is the most common setup error in cold email infrastructure. When connecting inboxes to sending platforms (Instantly, Smartlead, Pipl.ai), 535 is the error you see when credentials are wrong. We see this frequently during onboarding across our 833K+ inboxes.
The top causes and fixes by provider:
| Provider | Common cause | Fix |
|---|---|---|
| Google Workspace | Regular password used instead of App Password | Generate App Password: Google Account → Security → 2-Step Verification → App Passwords. Use the 16-character generated password in your sending tool. SMTP: smtp.gmail.com, Port 587 (TLS). |
| Microsoft 365 | Authenticated SMTP not enabled on the mailbox | Enable it: M365 Admin Center → Active Users → select user → Mail → Manage email apps → check "Authenticated SMTP". SMTP: smtp.office365.com, Port 587 (STARTTLS). |
| Microsoft 365 | Azure Security Defaults blocking legacy auth | Disable Security Defaults or create a Conditional Access policy exception for SMTP AUTH. Check Azure AD Sign-In logs to identify which policy is blocking. |
| Any provider | Typo or trailing whitespace in credentials | Copy-paste carefully. The username must be the full email address. Remove any trailing spaces. |
| Any provider | Password changed but not updated in sending tool | Update credentials in every platform where the inbox is connected. |
Action: Always test SMTP credentials independently before adding an inbox to campaign rotation. If your sending tool supports OAuth2, prefer it over password-based authentication. For bulk onboarding, MailDeck provisions and configures SMTP authentication during the 48-hour setup process, eliminating 535 errors before the first send.
550: Mailbox Unavailable
What it means: The recipient's email address doesn't exist, or the receiving server is permanently rejecting your email based on policy.
Cold email context: This is the highest-impact error code in cold email. It breaks into several sub-categories:
| Enhanced code | Meaning | Cold email action |
|---|---|---|
| 550 5.1.1 | Address does not exist | Remove from list immediately. Your list data is bad. |
| 550 5.1.2 | Domain does not exist or has no MX record | Remove from list. The entire domain is invalid. |
| 550 5.7.1 | Message rejected for policy reasons | Check blacklists (MXToolbox, Spamhaus). Review your DNS authentication. This often means your domain reputation is damaged. |
| 550 5.7.25 | SPF/DKIM authentication failed | Fix your SPF and DKIM records immediately. See our DNS setup guide. |
| 550 5.7.26 | DMARC authentication failed | Fix your DMARC record. Ensure SPF and DKIM are aligned. |
How this connects to our DNS audit data: We audited 1,000+ domains onboarded to MailDeck and found 67% had at least one critical authentication error. Multiple SPF records (23% of domains), missing DMARC (19%), and DKIM not enabled (11%) are the most common causes of 550 5.7.x errors. These errors are entirely preventable with correct DNS configuration.
Threshold: If your bounce rate from 550 errors exceeds 7% on any domain, pull that domain from rotation. Investigate whether the problem is list quality (bad addresses) or infrastructure (DNS misconfiguration).
551: User Not Local
What it means: The recipient's email has been moved or forwarded to a different address.
Cold email context: Uncommon. The person probably changed companies or email providers.
Action: Remove from list. The address is stale.
552: Mailbox Full (Permanent)
What it means: The recipient's mailbox is permanently full and can't accept new messages.
Cold email context: Different from the temporary 452 error. This means the mailbox has hit a hard storage limit and the owner hasn't cleared it.
Action: Remove from list for now. You can re-add after 90 days if the address is otherwise valuable.
553: Mailbox Name Not Allowed
What it means: The email address format is invalid, or the receiving server is rejecting based on address policy.
Cold email context: Usually means the email address is malformed. Check for typos, invalid characters, or encoding issues in your list data.
Action: Check the address format. Fix or remove.
554: Transaction Failed
What it means: The receiving server has permanently rejected your email. This is the most serious error code in cold email.
Cold email context: 554 means the receiving server has actively decided your email is unwanted. This happens when:
| Cause | How to identify | Cold email action |
|---|---|---|
| Your domain/IP is blacklisted | Check MXToolbox, Spamhaus | Pull the domain. Request delisting. Use reserve domain. |
| Message flagged as spam | Content triggers (links, images, HTML, spammy keywords) | Rewrite copy. Remove links and images. Use plain text only. |
| DMARC policy rejection | Receiving server enforces strict DMARC | Fix your DMARC, SPF, and DKIM alignment. |
| Sending volume too high from new domain | Domain is under 30 days old with high volume | Reduce volume. Continue warm-up protocol. |
When to pull a domain based on 554 errors: If you see 554 errors from multiple different recipient servers, your domain reputation is damaged. Pull it from rotation immediately. Replace with a warmed reserve. Investigate the cause before reactivating.
Error Code Decision Tree for Cold Email
When you see a bounce in your sequencer, use this framework:
Step 1: Is it 4xx or 5xx?
4xx: Let sequencer retry. Monitor for persistence.
5xx: Stop sending to that address. Investigate.
Step 2: Is it affecting one address or many?
One address: Probably a list data problem. Remove the address.
Many addresses on the same recipient domain: Probably a filtering/blacklist issue. Check your reputation.
Many addresses across different recipient domains: Your sending domain or IP has a problem. Check DNS, blacklists, and sending volume.
Step 3: Map to action.
| Error pattern | Root cause | Action |
|---|---|---|
| High 550 5.1.1 rate | Bad list data | Verify all addresses through EmailShield before sending. |
| 550 5.7.1 from multiple recipients | Domain blacklisted or reputation damaged | Pull domain. Check MXToolbox for blacklists. Review DNS authentication. |
| 550 5.7.25 or 5.7.26 | SPF/DKIM/DMARC misconfigured | Fix DNS records. Use dig TXT yourdomain.com to check. See our DNS guide. |
| Persistent 421 errors | Sending too fast or IP throttled | Increase send intervals (minimum 61 minutes between sends per inbox). Reduce daily volume per inbox. |
| 554 from multiple recipient servers | Sending domain reputation is damaged | Pull domain immediately. Replace with warmed reserve. Investigate copy and list quality. |
| 535 on inbox connection | Wrong credentials or AUTH not enabled | Verify username/password. Google: use App Password. Microsoft 365: enable Authenticated SMTP in Admin Center. |
| 503 after session start | AUTH not configured or session state corrupted | Ensure sending tool authenticates before MAIL FROM. Restart SMTP connection. |
| 500 or 501 errors | Malformed commands or invalid address syntax | Check sender display name for special characters. Validate prospect list format. |
| Sudden spike in any 5xx errors | Infrastructure change or list contamination | Pause all sends from affected domain. Audit recent list imports and campaign changes. |
How DNS Errors Cause SMTP Failures
Most 550 5.7.x and 554 errors in cold email trace back to DNS authentication problems. Here's how our top 10 DNS errors map to SMTP failures:
| DNS error | Frequency (from 1,000+ domain audit) | SMTP errors it causes |
|---|---|---|
| Multiple SPF records | 23% | 550 5.7.1, 550 5.7.25 (SPF permerror) |
| No DMARC record | 19% | 554 (policy rejection at strict receivers) |
| SPF ending with +all | 14% | No direct SMTP error, but drastically reduces trust score |
| Exceeding 10 DNS lookups | 12% | 550 5.7.1 (SPF permerror, silent failure) |
| DKIM not enabled | 11% | 550 5.7.25, 554 (DKIM verification fails) |
67% of domains we onboard have at least one of these errors. Every one of them is fixable within minutes. MailDeck automates SPF, DKIM, and DMARC configuration for all provisioned domains during our 48-hour onboarding, specifically because manual DNS setup fails so often.
For step-by-step DNS configuration instructions, see our complete SPF, DKIM, DMARC guide.
Monitoring SMTP Errors at Scale
At MailDeck, we track error codes across 7.5M+ daily sends. Here's the monitoring framework we recommend for teams running 500+ inboxes:
Daily Checks
| What to check | Where to check | Action threshold |
|---|---|---|
| Overall bounce rate per domain | Your sequencer dashboard | Above 7%: pull the domain |
| Spam complaint rate | Google Postmaster Tools, Microsoft SNDS | Above 0.3%: pull the domain |
| 550 5.1.1 rate (invalid addresses) | Your sequencer bounce reports | Above 3%: audit your list verification process |
| 554 errors count | Your sequencer bounce reports | Any spike from baseline: investigate immediately |
| 421 errors persistence | Your sequencer retry logs | Persistent for 24+ hours: check IP throttling |
Tools for SMTP Error Monitoring
| Tool | What it checks | Cost |
|---|---|---|
| MXToolbox | Blacklists, DNS health, SMTP diagnostics | Free tier available |
| Google Postmaster Tools | Domain reputation, spam rate, authentication rates | Free |
| Microsoft SNDS | IP reputation, complaint rate | Free |
| mail-tester.com | Full deliverability test per domain | Free (limited) |
| Your sequencer (Instantly, Smartlead, etc.) | Bounce rates, error codes, open/reply rates per domain | Included in subscription |
Prevention: How to Avoid SMTP Errors Before They Happen
1. Verify Every Email Address Before Sending
This single step eliminates the majority of 550 5.1.1 errors. Use EmailShield to verify every address. Remove all risky addresses. At scale, even a 2% bad address rate compounds across thousands of sends and pushes your bounce rate above the 7% danger threshold.
2. Configure DNS Correctly on Every Domain
SPF, DKIM, and DMARC errors cause 550 5.7.x and 554 failures. Three rules:
Exactly one SPF record per domain. DKIM enabled and verified in your email provider admin panel. DMARC progressing from p=none to p=quarantine to p=reject.
Quick check:
```bash
dig TXT yourdomain.com +short | grep "v=spf1"
dig TXT _dmarc.yourdomain.com +short
dig CNAME selector1._domainkey.yourdomain.com +short
```
3. Warm Up Every New Inbox
New inboxes with no sending history trigger 421 rate limits and 554 spam rejections from receiving servers. Warm-up duration by inbox type:
| Inbox type | Minimum warmup | Recommended |
|---|---|---|
| Outlook Premium | 3-5 days | 10-14 days |
| Outlook Normal | 5-7 days | 10-14 days |
| Google Workspace | 15 days | 20-25 days |
| Private SMTP | 3-4 weeks | 6+ weeks |
Zero cold emails during warm-up. Use trusted warm-up pools only: Smartlead Premium, Instantly, or PlusVibe.
4. Respect Sending Limits
Sending too fast triggers 421 throttling. Sending too many per inbox triggers 554 spam rejections. Safe limits by inbox type:
| Inbox type | Max cold sends/day | Min interval between sends |
|---|---|---|
| Google Workspace | 18-22 | Spread across working hours |
| Outlook Premium | 8-10 | 61 minutes minimum |
| Outlook Normal | 3-5 | 61 minutes minimum |
| Private SMTP | 11-14 | Spread across working hours |
5. Keep Copy Clean
Content-triggered 554 rejections come from: links in email body (number one spam trigger, especially for Outlook), HTML formatting, images, or tracking pixels, spammy keywords (free, guarantee, urgent, limited time), and identical copy across many inboxes (no spintax).
Keep cold emails to 25-50 words, plain text, no links, no images, no tracking. Use spintax to vary copy across inboxes. For detailed copy rules, see our inbox calculator guide.
FAQ
What does SMTP error 550 mean in cold email?
SMTP 550 means the recipient's server permanently rejected your email. In cold email, the most common causes are: the email address doesn't exist (bad list data), your sending domain is blacklisted, or your SPF/DKIM authentication failed. Remove the address from your list immediately. If 550 errors are widespread, check your DNS authentication and blacklist status.
What does SMTP error 421 mean for cold email deliverability?
SMTP 421 means the receiving server temporarily can't accept your email. In cold email, this usually means you're sending too fast or the receiving server is rate-limiting your connection. Reduce sending speed and increase the interval between sends (minimum 61 minutes per inbox on Outlook). Let your sequencer retry automatically.
What SMTP errors should make me pull a cold email domain?
Pull a domain immediately if you see consistent 554 errors (message rejected as spam), 550 5.7.1 errors (rejected for policy/reputation), or any error mentioning blacklisting. Also pull if your overall bounce rate crosses 7%. Replace with a warmed reserve domain and investigate before reactivating. For domain rotation strategy, see our scaling guide.
How do I reduce SMTP bounce errors in cold email?
Three steps: verify every email address before sending (eliminates 550 5.1.1 errors), configure SPF/DKIM/DMARC correctly on every domain (eliminates 550 5.7.x errors), and warm up every new inbox before cold sending (prevents 421 throttling and 554 rejections). Our audit of 1,000+ domains found 67% had DNS authentication errors causing silent delivery failures.
What is the difference between 4xx and 5xx SMTP errors?
4xx errors are temporary failures. The receiving server is saying "try again later." Your sequencer retries automatically. 5xx errors are permanent failures. The email will never be delivered unless you fix the problem. Never retry a 5xx error. Remove the address or fix DNS/reputation issues first. Repeatedly retrying 5xx errors damages your sender reputation.
What does SMTP error 535 mean when connecting inboxes?
SMTP 535 (enhanced code 5.7.8) means the mail server rejected your authentication credentials. This is the single most common error when connecting inboxes to cold email platforms. For Google Workspace accounts with 2FA enabled, you must generate an App Password (Google Account → Security → App Passwords) and use that instead of your regular password. For Microsoft 365, Authenticated SMTP must be enabled per mailbox in the Admin Center. Azure Security Defaults can also block SMTP AUTH entirely. Always test credentials before adding an inbox to active campaigns.
How do SMTP error codes relate to domain reputation?
Every hard bounce (5xx error) damages your domain's sender reputation with receiving servers. At scale, a bounce rate above 7% signals to Google and Microsoft that you're sending to unverified lists, which triggers additional filtering across all your sends from that domain. Monitor bounce rates daily and pull any domain crossing 7%. For monitoring thresholds on all five key metrics, see our scaling guide.
Methodology
This article is based on:
- 833K+ managed inboxes across Microsoft 365, Google Workspace, and SMTP on the MailDeck platform
- 7.5M+ emails processed daily across the platform
- 1,631+ active outbound teams
- DNS audit data from 1,000+ domains (67% error rate at onboarding)
- SMTP error pattern analysis from January 2025 through April 2026
- Bounce rate and error code data aggregated across all three infrastructure types
- All error code descriptions reference RFC 5321 (SMTP protocol), RFC 3463 (enhanced status codes), RFC 4954 (SMTP authentication), and current behavior observed at Google, Microsoft, and Yahoo receiving servers.
Last updated: April 2026
Written by Nikita Stoletov, CTO at MailDeck. Built and managed infrastructure delivering over 50M emails monthly across 3,000+ domains with 98% inbox placement. Expertise in SMTP architecture, domain network design, IP warm-up automation, and deliverability optimization for high-volume operations. Author page · LinkedIn
Ready to Scale Your Email Infrastructure?
Join top outbound teams using MailDeck for enterprise-grade deliverability.
Get Started