SMTP code 554 is a general-purpose permanent failure that indicates the transaction cannot proceed. When it appears as the initial greeting (instead of 220), it means the server is refusing the connection entirely — often because the connecting IP is blacklisted or the server is in a restricted mode. When it appears after the DATA phase, it means the message content was rejected by spam filters, content policies, or DMARC enforcement. Code 554 is the most severe SMTP rejection and covers scenarios that do not fit into more specific 5xx codes. The enhanced status code provides the specific reason.
The server checked the connecting IP against DNS-based blacklists or its own reputation database and rejected the connection. This is common with IPs on shared hosting, cloud providers, or IPs that have recently sent spam. The rejection message usually includes the blacklist name.
The server accepted the envelope but rejected the message content during or after the DATA phase. Triggers include spam-like content, malware in attachments, forged headers, or excessively large messages. The 554 appears after the terminating dot.
The sender's domain has a DMARC record with p=reject, and the message failed both SPF and DKIM alignment. The receiving server enforces the policy by rejecting with 554. This commonly affects messages forwarded through mailing lists that break DKIM signatures.
Some highly restricted servers only accept connections from whitelisted IPs or authenticated senders. All other connections receive an immediate 554 greeting. This is common in enterprise environments.
554 is a broad category. The text following the code provides the specific reason. Look for blacklist names, policy references (DMARC), or content filter identifiers. The enhanced status code (5.7.1 for policy, 5.7.0 for other security) helps categorize the issue.
Look up your sending IP on major blacklists. If you are on a shared IP, another sender may have caused the listing. Consider using a dedicated IP for sending.
dig +short YOUR_IP.zen.spamhaus.org
If the rejection mentions DMARC or authentication failure, check that your SPF record authorizes the sending IP, DKIM is properly signing messages, and your DMARC policy is correct.
dig TXT _dmarc.example.com +short && dig TXT example.com +shortCheck DNS Records
Many servers reject connections from IPs without valid reverse DNS (PTR records). Ensure your sending IP has a PTR record that resolves forward to the same IP.
dig -x YOUR_SENDING_IP +short
If the 554 appears after DATA, the message content triggered a filter. Check for spam-like phrases, suspicious attachments, or forged headers. Send a simple plain-text test message to isolate the trigger.