The SMTP Transaction Flow
Before diagnosing failures, you need to know what a successful SMTP delivery looks like. An email transaction consists of a series of commands and responses:
Client                          Server
|                                    |
|<-- 220 mail.example.com ESMTP -----|
|--- EHLO sending-server.com ------->|
|<-- 250-mail.example.com            |
|<-- 250 STARTTLS                    |
|--- STARTTLS ---------------------->|
|<-- 220 Go ahead                    |
|          [TLS handshake]           |
|--- MAIL FROM:<[email protected]> ->|
|<-- 250 OK                          |
|--- RCPT TO:<[email protected]> --->|
|<-- 250 OK                          |
|--- DATA -------------------------->|
|<-- 354 Start mail input            |
|--- [message body] . -------------->|
|<-- 250 OK: queued                  |
|--- QUIT -------------------------->|
|<-- 221 Bye                         |
Failures can occur at any step. The three-digit response code and the text following it pinpoint exactly where and why delivery failed.
Understanding SMTP Response Codes
SMTP uses a three-digit code structure:
- First digit: 2 = success, 3 = intermediate, 4 = temporary failure, 5 = permanent failure
- Second digit: category (0=syntax, 1=information, 2=connections, 5=mail system)
- Third digit: specific detail
The critical distinction for operations:
| Class | Meaning | Sender Action |
|---|---|---|
| 4xx | Temporary failure — try again later | Retry with exponential backoff |
| 5xx | Permanent failure — do not retry | Bounce to sender, remove address |
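The code structure and the 4xx/5xx split above can be applied mechanically to a server reply. The following is an added example, not code from the original page: it parses a single-line or multi-line reply (the `250-` / `250 ` continuation seen in the transaction flow), extracts the enhanced status code, and maps it to a sender action. The function names and action labels are illustrative assumptions; the reply strings it recognises are the ones quoted on this page.

```python
import re

# One reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
# Enhanced status code (class.subject.detail) at the start of the reply text.
ENHANCED = re.compile(r"^[245]\.\d{1,3}\.\d{1,3}\b")

# Actions this page gives for specific enhanced codes (labels are illustrative).
SPECIFIC = {
    "4.7.28": "throttle-then-retry",
    "5.1.1": "remove-address",
    "5.3.4": "reduce-message-size",
    "5.7.1": "review-content",
    "5.7.5": "check-spf-dkim-dmarc",
}
# Fallback by reply class, following the 4xx/5xx table.
BY_CLASS = {"2": "continue", "3": "continue",
            "4": "retry-with-backoff", "5": "bounce-and-remove"}


def parse_reply(raw):
    """Return (code, enhanced_code_or_None, text) for one SMTP reply."""
    code, enhanced, text = None, None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        code = m.group(1)
        body = m.group(3) or ""
        found = ENHANCED.match(body)
        if found and enhanced is None:
            enhanced = found.group(0)
        text.append(body)
        if m.group(2) != "-":      # a space (or nothing) ends the reply
            break
    if code is None:
        raise ValueError("empty reply")
    return code, enhanced, " ".join(text)


def sender_action(raw):
    """Map a reply to what the sending side should do next."""
    code, enhanced, _ = parse_reply(raw)
    if code[0] not in BY_CLASS:
        raise ValueError(f"unexpected reply class in {code}")
    return SPECIFIC.get(enhanced, BY_CLASS[code[0]])
```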
4xx Temporary Failures
421 — Service Temporarily Unavailable
The receiving server is busy or at capacity. This is the server's way of saying "try again later."
421 4.7.0 Try again later, closing connection.
Action: Your mail server should automatically retry. Check your retry schedule (RFC 5321 recommends retrying for at least 4-5 days, with increasing intervals).
450 / 451 — Greylisting
Many mail servers implement greylisting: the first delivery attempt from an unknown sender is temporarily rejected. Legitimate mail servers retry; spam sources typically don't.
450 4.2.0 Mailbox temporarily unavailable
451 4.7.1 Please try again later
Action: Wait for your mail server to retry (usually 5-10 minutes). If you control the sending server, ensure your retry logic doesn't give up after the first 4xx.
452 — Insufficient System Storage
The recipient's mailbox is full, or the receiving server has disk space issues.
452 4.2.2 Mailbox full
Action: Retry later. If this persists for days, the address may be abandoned.
Rate Limiting (4xx)
Sending too many messages too quickly triggers temporary rate limits:
421 4.7.28 Gmail has detected an unusual rate of requests from your IP.
Action: Implement sending rate limits on your side. For Gmail, stay under roughly 3,000 messages per day per IP. Spread bursts over time.
5xx Permanent Failures
550 — Mailbox Not Found / Policy Rejection
The most common 5xx. The recipient address doesn't exist, or the receiving server's policy rejects your message.
550 5.1.1 The email account that you tried to reach does not exist.
550 5.7.1 Message rejected due to spam content.
Action for 5.1.1: Remove the address from your mailing list immediately. Continuing to send to invalid addresses harms your sender reputation.
Action for 5.7.1: Your message content triggered a spam filter. Review:
- Spam trigger words in subject/body
- Spam-heavy HTML patterns (large images, no text, excessive links)
- Your unsubscribe link (required by CAN-SPAM)
551 — User Not Local
551 5.1.6 User has moved; please try forwarding to new address.
The recipient has moved. Update your records.
552 — Message Too Large
552 5.3.4 Message size exceeds fixed maximum message size.
Most mail servers impose a size limit (typically 10-25 MB). Send attachments via a link to cloud storage instead of inline attachments.
554 — SPF/DKIM/DMARC Failure
Authentication failures are now permanent rejections at many receivers:
554 5.7.5 Permanent error evaluating DMARC policy
554 5.7.1 Message rejected because of unacceptable content
Diagnose authentication failures:
# Check your SPF record
dig TXT yourdomain.com | grep 'v=spf1'
# Check DKIM record (replace 'selector' with your actual selector)
dig TXT selector._domainkey.yourdomain.com
# Check DMARC record
dig TXT _dmarc.yourdomain.com
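Once the `dig` commands return TXT records, the next step is reading them. The following is an added example, not part of the original page, and it goes slightly beyond the commands above: it checks the returned strings for common publishing mistakes that lead to authentication failures (duplicate records, `+all`, too many lookup terms, a missing or `none` DMARC policy). The function names and the sample output are constructed; the checks assume input in the quoted form printed by `dig +short TXT`.

```python
import re

# Constructed `dig +short TXT` output; a long record arrives as several chunks.
SAMPLE_SPF = ('"v=spf1 include:_spf.example.net a mx " "ip4:192.0.2.0/24 +all"\n'
              '"site-verification=constructed"')

def txt_strings(dig_short_output):
    """Join the quoted chunks of each `dig +short TXT` line into one string."""
    return ["".join(re.findall(r'"([^"]*)"', line))
            for line in dig_short_output.splitlines() if line.strip()]

def check_spf(records):
    spf = [r for r in records if re.match(r"(?i)v=spf1( |$)", r)]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple v=spf1 records: SPF evaluation ends in permerror"]
    findings, lookups, has_default = [], 0, False
    for term in spf[0].split()[1:]:
        mech = term.lstrip("+-~?").lower()
        # Terms that cost a DNS lookup (this record only, nested includes not followed).
        if re.match(r"(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", mech):
            lookups += 1
        if mech == "all" or mech.startswith("redirect="):
            has_default = True
        if mech == "all" and term[0] not in "-~?":
            findings.append("+all: every sending host passes SPF")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the limit of 10 (permerror)")
    if not has_default:
        findings.append("no all or redirect term: unmatched hosts get neutral")
    return findings

def check_dmarc(records):
    dmarc = [r for r in records if r.startswith("v=DMARC1")]
    if not dmarc:
        return ["no DMARC record published"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: receivers apply none of them"]
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (part.partition("=") for part in dmarc[0].split(";"))}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["p= tag missing or invalid"]
    findings = ["p=none: receivers take no action on failing mail"] if policy == "none" else []
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports arrive")
    return findings
```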
Diagnostic Tools
Manual SMTP Session with openssl
Connect directly to a mail server to observe its responses:
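# Connect to port 587 (submission) with STARTTLS.
# -crlf sends the CRLF line endings SMTP expects; -quiet stops s_client from
# treating a typed line that starts with "R" (such as RCPT) as a renegotiation request.
openssl s_client -connect mail.example.com:587 -starttls smtp -crlf -quiet
# You'll see the server's banner, then type:
EHLO test.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
# Watch for 4xx or 5xx responses at each step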
mail-tester.com
Send a test message to the address mail-tester.com gives you, then visit the results page. It scores your message on:
- SPF, DKIM, DMARC alignment
- Blacklist status
- Spam content analysis
- Technical header correctness
MXToolbox
Use MXToolbox (mxtoolbox.com) to:
- Check if your IP or domain is on any blacklists (DNSBL check)
- Verify MX records
- Test SMTP connectivity
- Inspect email headers from a received bounce
Reputation Recovery
Blacklist Delisting
If your IP is on a blacklist, identify which one from MXToolbox, then visit the blacklist provider's delisting page. Most require you to:
- Confirm the issue that caused the listing is resolved
- Submit your IP for removal
- Wait 24-48 hours for propagation
Major blacklists: Spamhaus (zen.spamhaus.org), Barracuda (barracudacentral.org), SpamCop (bl.spamcop.net).
IP Warming
New sending IPs have no reputation — receiving servers are cautious. Warm up a new IP gradually:
| Day | Volume |
|---|---|
| 1-2 | 200 messages |
| 3-4 | 500 messages |
| 5-6 | 1,000 messages |
| 7-8 | 2,000 messages |
| ... | Double every 2 days until target volume |
Start with your most engaged subscribers (high open rates). A positive engagement signal helps receivers accept more from your IP.
List Hygiene
A high bounce rate (over 2%) and spam complaint rate (over 0.1%) are the fastest paths to a blocked sending reputation. Remove hard bounces immediately (5xx codes). Set up a feedback loop with major ISPs (Gmail Postmaster Tools, Microsoft SNDS) to receive spam complaint data.
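The thresholds above can be checked directly against delivery logs. The following is an added example, not code from the original page: it reads delivery lines, keeps each recipient's latest outcome, and reports the hard-bounce and complaint rates against the 2% and 0.1% limits. It follows the 550 section in separating addressing failures (5.1.x, remove the address) from other 5xx rejections (fix the sending side). The Postfix-style line format, the sample log, the function name, and the use of delivered mail as the complaint-rate denominator are assumptions.

```python
import re

# Assumed Postfix-style delivery line: to=<rcpt>, ..., dsn=X.Y.Z, status=...
LINE = re.compile(r"to=<([^>]+)>.*\bdsn=(\d)\.(\d+)\.\d+, status=\w+")
MAX_BOUNCE_RATE = 0.02       # "over 2%" in the text
MAX_COMPLAINT_RATE = 0.001   # "over 0.1%" in the text

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
postfix/smtp[101]: A1: to=<ann@example.test>, relay=mx.example.test, dsn=2.0.0, status=sent (250 OK: queued)
postfix/smtp[102]: A2: to=<bob@example.test>, relay=mx.example.test, dsn=4.2.0, status=deferred (450 4.2.0 Mailbox temporarily unavailable)
postfix/smtp[103]: A2: to=<bob@example.test>, relay=mx.example.test, dsn=2.0.0, status=sent (250 OK: queued)
postfix/smtp[104]: A3: to=<cat@example.test>, relay=mx.example.test, dsn=5.1.1, status=bounced (550 5.1.1 The email account that you tried to reach does not exist.)
postfix/smtp[105]: A4: to=<dan@example.test>, relay=mx.example.test, dsn=5.7.1, status=bounced (550 5.7.1 Message rejected due to spam content.)
""".splitlines()


def hygiene_report(log_lines, complaints=0):
    """Summarise per-recipient outcomes; `complaints` comes from a feedback loop."""
    last = {}                      # recipient -> (class, subject) of the latest DSN
    for line in log_lines:
        m = LINE.search(line)
        if m:
            # A later line for the same recipient (a retry) replaces the earlier one.
            last[m.group(1).lower()] = (m.group(2), m.group(3))
    hard = {r: dsn for r, dsn in last.items() if dsn[0] == "5"}
    delivered = sum(1 for dsn in last.values() if dsn[0] == "2")
    bounce_rate = len(hard) / len(last) if last else 0.0
    complaint_rate = complaints / delivered if delivered else 0.0
    return {
        # 5.1.x is an addressing failure: remove. Other 5xx: fix the sender side.
        "remove": sorted(r for r, dsn in hard.items() if dsn[1] == "1"),
        "investigate": sorted(r for r, dsn in hard.items() if dsn[1] != "1"),
        "bounce_rate": bounce_rate,
        "complaint_rate": complaint_rate,
        "bounce_alert": bounce_rate > MAX_BOUNCE_RATE,
        "complaint_alert": complaint_rate > MAX_COMPLAINT_RATE,
    }
```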