SMTP
SMTP 454 is a temporary failure — usually auth throttling or TLS issues (454 4.7.0) or relay access denied (454 4.7.1). Learn what triggers it and how to fix it.
Updated Jul 1, 2026
The short answer
SMTP 454 is a transient negative reply (RFC 5321 4yz: the command was refused but the condition is temporary, so retry later). It most often means a temporary authentication failure — "454 4.7.0" (Google "too many login attempts", Exchange Kerberos/SPN/clock issues, SES rate throttling, or TLS not available) — or "454 4.7.1 Relay access denied" when the server requires authentication before accepting the recipient. Fix it by backing off and retrying, fixing credentials/App Password, or resolving TLS.
SMTP reply code 454 is a transient negative completion reply. Per RFC 5321 §4.2.1, any 4yz code means: "The command was not accepted, but the error condition is temporary. The sender SHOULD retry the command later." That single fact reframes most 454 troubleshooting — unlike a permanent 5yz rejection, a well-behaved client should back off and retry rather than treat it as a hard failure.
454 is overwhelmingly used for two temporary conditions:
1. Temporary authentication failure — 454 4.7.0. The server accepted your AUTH attempt format but couldn't complete authentication right now. Real-world triggers:
454 4.7.0 Too many login attempts, please try again later when an account exceeds its concurrent-connection or login-frequency limits (often repeated bad passwords or too many tools polling the same mailbox). See the Gmail/Workspace community.454 Throttling failure: Maximum sending rate exceeded after DATA when you exceed your account's max send rate. SES also returns a distinct 454 Throttling failure: Daily message quota exceeded when you hit your 24-hour sending limit — that needs a different fix (wait for the daily reset or request a quota increase) than the per-second rate-limit case.454 4.7.0 Temporary authentication failure is logged with Event ID 1035 and is typically caused by clock skew (>5 min), Active Directory replication lag, missing/duplicate SPNs, or Kerberos ports blocked by a firewall — not by your client credentials at all (Microsoft Learn).454 TLS not available due to temporary reason (e.g., a temporarily unavailable or invalid certificate). RFC 3207 itself doesn't attach an enhanced status code to this reply, but real-world servers (Postfix, Gmail) commonly pair it with 4.7.0, consistent with the auth-failure code above.2. Relay/auth denial — 454 4.7.1. Per the enhanced-status-code registry (RFC 3463), X.7.1 means "Delivery not authorized, message refused." In practice this shows up as 454 4.7.1 Relay access denied when the server requires authentication before it will accept the recipient — a distinct condition from the TLS case above, not the same code reused for a different meaning.
Related implementation-specific messages seen in the wild (not RFC 3207 text itself): 454 4.5.0 ... no commands allowed to pipeline after STARTTLS (Postfix/Sendmail enforcing the STARTTLS pipelining restriction from RFC 2920) and 454 5.5.1 STARTTLS may not be repeated (note: this one pairs a transient 4yz base reply with a permanent 5.x.x enhanced code — a known implementation quirk, not a spec-defined combination).
Match the fix to the enhanced status code in the response (454 4.7.0 vs 454 4.7.1):
454 4.7.0 TLS-unavailable replies. Ensure the server's certificate is valid and current, connect on a TLS-capable port, and issue STARTTLS only once. Both port 587 (STARTTLS) and port 465 (implicit TLS) are valid per RFC 8314 — neither is deprecated.454 4.7.1. Authenticate before sending, or confirm your IP/account is authorized to relay through that server.454 4.7.0): sync clocks to within 5 minutes, force AD replication, verify/deduplicate the SMTP/SMTPSVC SPNs with SetSPN, open Kerberos ports, and confirm Exchange Authentication is enabled on the receive connector.Treat 454 as "try again," not "give up." Implementing exponential-backoff retry logic resolves the majority of these — the underlying condition is temporary by definition.
References
FAQ
No. 454 is a 4yz transient negative reply (RFC 5321 §4.2.1): the command was refused but the condition is temporary, and the sender SHOULD retry later. This is the opposite of a 5yz permanent failure, where retrying won't help.
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Reply-code definitions per RFC 5321 §4.2.1; RFC 3207; RFC 3463. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.