550 5.7.511: your sending address or domain is on Microsoft's block list
A 5.7.511 bounce is Microsoft refusing mail from a banned sender: not your IP, not your message, but the address or domain itself. Here is how identities end up on that list, why ruling out compromise comes first, and the exact delisting path.
What the bounce means
A 550 5.7.511 rejection reads like this:
550 5.7.511 Access denied, banned sender[xxx@yyy.com]. To request removal from this list, forward this message to delist@messaging.microsoft.com.
Microsoft is not judging this particular message. The sender itself is on a block list: the specific address shown in the brackets, or its domain. That makes 5.7.511 sticky in a way content or IP problems are not. Retrying does nothing, rewording the message does nothing, and moving to a different sending IP does nothing, because the banned thing is the identity that travels with every send.
How an address or domain gets banned
Identity-level bans follow a sustained pattern of bad signal attributed to that identity, not a single awkward campaign. The usual roads in:
- Sustained spam complaints. Recipients at Microsoft-hosted mailboxes keep marking the mail as junk: purchased lists, stale lists, or mail people never asked for. Enough of it, consistently attributed to one address or domain, earns the ban.
- A compromised account. An attacker phished a mailbox password or abused an app connection and blasted spam or phishing under your name. From Microsoft's side that history is indistinguishable from you being a spammer; the ban lands on your identity either way.
- Spoofing history without authentication. If your domain is easy to forge because SPF, DKIM, and DMARC are missing or unenforced, someone else's abuse can accrue to your name. Locking authentication down is how you stop paying for other people's mail.
Check for compromise before you ask for removal
Delisting a sender that is still compromised gets you banned again, usually faster. Ten minutes of checking first protects the one delisting request you want to spend:
- Look at what actually went out. Sent items, message-trace or outbound logs at your provider, and any bounce floods to addresses you never mailed.
- Reset the banned account's credentials and revoke active sessions and app passwords. Check for attacker persistence: mailbox forwarding rules, delegates, and connected apps you do not recognize.
- Confirm your domain cannot be spoofed for free. A two-minute DMARC audit shows whether SPF, DKIM, and DMARC actually protect the domain or just exist.
Then use the path the bounce itself hands you: forward the non-delivery report to delist@messaging.microsoft.com. The NDR carries the details Microsoft's sender support needs to locate the listing; forwarding the original message or a fresh description loses that context.
5.7.511 or 5.7.606: identity ban or IP ban
Microsoft runs both kinds of block list, and the fix paths differ. 5.7.511 bans the identity: it follows the address or domain across any infrastructure, and delisting goes through the delist@ mailbox. 5.7.606 (and the codes up through 5.7.649) bans the sending IP: it follows the server or the ESP pool you send through, and delisting goes through Microsoft's sender support form instead. If you send through a shared provider, that distinction decides whether the problem is yours to fix or your provider's.
Frequently asked
What does 550 5.7.511 mean?
Microsoft refused the message because the sender itself, the specific address or its domain, is on Microsoft's block list. It is a permanent rejection tied to the sending identity: retrying, changing the message content, or sending from a different IP does not help while the identity stays banned.
How do I get delisted from 5.7.511?
The bounce text itself carries the path: forward the non-delivery report to delist@messaging.microsoft.com and Microsoft's sender support reviews the ban. Before you do, fix whatever earned the listing, because a delisted sender that keeps producing complaints or spam gets banned again.
Why was my address or domain banned in the first place?
Identity-level bans follow sustained bad signal attributed to that identity: recipients marking the mail as junk in volume, spam-trap hits, or a compromised account or mailbox blasting spam under your name. One-off gray-area sends rarely do it; a pattern does. That is why checking for compromise comes before asking for removal.
How is 5.7.511 different from 5.7.606?
5.7.511 bans the sending identity, the address or domain, so it follows you across IPs. 5.7.606 (and the range through 5.7.649) bans the sending IP address, so it follows the infrastructure, and its delisting goes through Microsoft's sender support form at sender.office.com rather than the delist mailbox.
Forward the bounce to your workspace's private diagnose address and trustyourinbox reads it for you: the cause in plain English, the evidence from up to eight sources, what was ruled out, and a one-click DNS fix when one exists. Then a recovery watch confirms from the receivers' own reports once your mail passes again.
Keep reading
Microsoft 5.7.606
The sibling ban at the IP level, with a different delisting path through sender.office.com.
Why email bounces or lands in spam
The full map of authentication, reputation, and content signals receivers weigh.
Run a free DMARC audit
Confirm SPF, DKIM, and DMARC are set up so a spoofer cannot spend your domain's reputation.
Free email header analyzer
Check what a receiver actually saw from your last send: authentication results, source IP, and more.
SMTP error codes explained
How to read any bounce: the reply code, the enhanced code, and the text that matters.
Last verified 2026-07-16 against the Microsoft 365 email authentication documentation.
Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.