Emails are not sent (550 5.1.8 Access denied, bad outbound sender)
When a user sends an email, it does not reach the recipient, and this user gets a non-delivery report with the following error:
550 5.1.8 Access denied, bad outbound sender AS(41000001) Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it's no longer allowed to send messages outside of your organization. Contact your email admin for assistance.
This error means that Office 365 (Microsoft 365) has added the user to the blocked senders' list because this person's emails have been recognized as spam. This might happen, for example, if the user has sent an email to a large number of recipients, exceeding the limits of the Office 365 plan (you can check the Office 365 sending limits for individual recipients and distribution groups in this Microsoft's article).
To solve this problem, the admin of the Office 365 tenant needs to:
- Make sure that the user account has not been hacked or compromised in any way. See this MS article to learn more, or check these guidelines for admins.
- If the tenant admin is certain that the account is safe, they need to follow these steps to remove the account from the block list and resume its mail flow:
- Log in to the Microsoft 365 Defender portal.
- Go to Email & collaboration > Review > Restricted Users, as shown in Fig. 1.
- Select the entry related to the user you want to whitelist by clicking it and next click Unblock (Fig. 2.).
- The Unblock User wizard that opens contains detailed information on the reason for blocking the account as well as recommendations for actions and improving the protection level. Since you’re certain that the user’s account is safe, you can proceed by clicking Next > Submit.
- Finally, click Yes to confirm that you want to remove restrictions from the user (Fig. 3.). Keep in mind that removing the restrictions may take up to 1 hour.
Office 365 can notify you when your users get blocked. It can also forward all suspicious emails to your mailbox. To configure these options, go to Email & collaboration > Policies & rules > Threat policies > Anti-spam and click the policy of your choice. Next, scroll down and click Edit protection options. Now, you can enable the options (Fig. 4., items 1) and provide your email address in both the fields (Fig. 4., items 2) to receive notifications as well as suspicious emails.
If the list of restricted users is empty but the user’s emails are still blocked, it may mean that the default outbound spam policy in the Microsoft 365 Defender admin center comes into play, locking the user who exceeds its message count limit out.
There’s no way for an admin to add an exception (the affected user) to the default policy named Anti-spam outbound policy (Default) because the policy is applied organization-wide using the setting configured for the Restriction placed on users who reach the message limit option (see Fig. 6.). Instead, the admin can increase global message limits to appropriate value(s) that will prevent the user from being blocked.
Remember to increase the limits with care. Setting limits too high may cause your domain to be blacklisted and lose reputation for sending too many emails.
- Open the Anti-spam policies page by clicking this link (you may be required to log in with your admin account).
- Select Anti-spam outbound policy (Default).
- In the pane that opens, click Edit protection settings (Fig. 5.).
- Enter a higher value of external, internal, or daily message limit, depending on which one applies to the affected (restricted) user (Fig. 6.). The maximum value for each field is 10000.
It might be a good idea to ask the affected user how many emails they (intend to) send externally, internally or daily on average. That way, you can avoid setting the values to an unnecessary high level, which can be potentially risky for your domain’s reputation.