DMARCbis-ready · The 2026 standard

550 5.7.606: your sending IP is banned at Microsoft

Any code from 5.7.606 through 5.7.649 means the same thing: Microsoft blocked the IP address your mail arrived from. The ban is about infrastructure, not your domain, so step one is working out whose IP it actually is. Here is how to read it, delist it, and keep it from coming back.

What the bounce means

A 550 5.7.606 rejection reads like this:

550 5.7.606 Access denied, banned sending IP [203.0.113.9]. To
request removal from this list please visit
https://sender.office.com/ and follow the directions.

Microsoft blocked the IP address that connected to deliver the message, and it tells you which one in the brackets. The exact code varies across the 5.7.606 to 5.7.649 range, but every code in that range carries the same meaning: banned sending IP. Your domain, your message content, and your authentication records are not what is being judged here; the infrastructure is.

First question: whose IP is it?

Before acting, read the IP out of the bounce and identify it, because the answer changes everything you do next:

  • Your own server's IP. You run your own mail infrastructure and the banned IP is yours. Then the delisting request is yours to file, and the cause is yours to find: an open relay, a compromised account or web form pumping spam through the box, or plain list-quality problems.
  • A shared pool IP at your ESP. If you send through an email service provider or hosted mail platform, the delivering IP usually belongs to a shared pool. A pool neighbor's spam can earn the listing while your own sending was clean. Do not file a delisting request for an IP you do not control; report the bounce to the provider, whose job is to police the pool and work the delisting.

Not sure which case you are in? Paste the headers of any delivered message from the same sending path into our header analyzer and compare the source IP it shows against the banned one in the bounce.

Delisting through sender.office.com

The bounce names the path: the Microsoft delisting portal. Enter the banned IP and follow the directions. Two things make the request worth filing:

  • Fix the cause first. A delisted IP that keeps emitting the same traffic gets listed again. If the box was compromised, close the hole and rotate credentials before you ask.
  • File for the right IP. The one in the bounce text, exactly. If your outbound mail rotates across several IPs, check whether more than one is bouncing before assuming a single listing.

Keeping the IP off the list

IP reputation is earned between incidents, not during them. The hygiene that keeps a sending IP boring: a matching PTR record (forward and reverse DNS that agree, and a HELO name that matches), steady volume instead of sudden bursts, and outbound monitoring so a compromise is caught by you rather than by Microsoft. And know the sibling code: 5.7.511 is the identity-level ban, which follows your address or domain across any IP and has its own delisting path. If you see both, work the compromise angle first; the same incident often earns both listings.

Frequently asked

What does 550 5.7.606 mean?

Microsoft refused the message because the IP address that delivered it is on Microsoft's block list. The whole range 5.7.606 through 5.7.649 means the same thing: a banned sending IP. The ban is about the infrastructure, not your domain or the message, so the first question is whose IP it actually is.

Is it my IP or my email provider's?

Read the IP out of the bounce text. If you run your own mail server, it is yours to delist. If you send through an ESP or a hosted mail service, the IP usually belongs to a shared pool, where a pool neighbor's spam can earn the listing; report the bounce to the provider rather than filing a delisting request for an IP you do not control.

How do I get a banned IP delisted at Microsoft?

The bounce points at Microsoft's sender support form at sender.office.com: enter the banned IP and follow the directions. Fix the cause first, because a delisted IP that keeps emitting spam or compromise traffic gets listed again.

How is 5.7.606 different from 5.7.511?

5.7.606 bans the sending IP address, so it follows the server or pool and can hit every domain sending through it. 5.7.511 bans the sending identity, the address or domain, so it follows you across any IP, and its delisting path is forwarding the NDR to delist@messaging.microsoft.com instead of the sender.office.com form.

Stop decoding 550 5.7.606 by hand

Forward the bounce to your workspace's private diagnose address and trustyourinbox reads it for you: the cause in plain English, the evidence from up to eight sources, what was ruled out, and a one-click DNS fix when one exists. Then a recovery watch confirms from the receivers' own reports once your mail passes again.

Keep reading

Last verified 2026-07-16 against the Microsoft 365 email authentication documentation.

Stop guessing. Start monitoring.

Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.