SMTP code 502 means the server understands the command but has chosen not to implement it. This is common for commands like VRFY (verify address), EXPN (expand mailing list), and TURN, which many administrators disable for security reasons. Unlike 500 (unrecognized command), the server knows what was asked but refuses to perform it. Some servers also return 502 for AUTH mechanisms they do not support or for ESMTP extensions that are not configured. The command will never work on this server — the client should not retry it.
Almost all production mail servers disable the VRFY (verify user) and EXPN (expand mailing list) commands to prevent email address harvesting. Spammers use these commands to discover valid addresses, so disabling them with 502 is a standard security practice.
The client requested an authentication mechanism (e.g., AUTH CRAM-MD5) that the server does not support. The server's EHLO response lists available AUTH mechanisms — the client should use one of those instead.
Commands like TURN, SEND, SOML, and SAML are defined in older SMTP RFCs but rarely implemented in modern mail servers. Sending these commands will produce 502 on virtually all current servers.
Send EHLO and review the server's capability list. Only use commands and extensions that the server explicitly advertises. If AUTH is listed, check which mechanisms are supported.
openssl s_client -connect mail.example.com:587 -starttls smtp
If VRFY is disabled (502), send a test message to check address validity instead. If a specific AUTH mechanism returns 502, try AUTH PLAIN or AUTH LOGIN which are more commonly supported.
Avoid TURN, SEND, SOML, and SAML. These are obsolete and not supported by modern servers. Stick to the core command set: EHLO, MAIL FROM, RCPT TO, DATA, QUIT, RSET.