SMTP
SMTP Error 502 means the server understood the command but doesn't implement it (RFC 5321). Learn the real causes — disabled VRFY/EXPN/AUTH — and how to fix it.
Updated Jul 1, 2026
The short answer
SMTP 502 is a permanent reply code meaning "Command not implemented" (RFC 5321 §4.2.4): the server recognized the command but does not support or has disabled it. It commonly hits VRFY, EXPN, ETRN, HELP, or AUTH that an admin turned off. Fix it by removing or replacing the unsupported command in your client/script, or use a relay that implements it.
SMTP Error 502 is a permanent negative reply defined in RFC 5321 §4.2.4 with the text "Command not implemented." The leading 5 makes it permanent (retrying the same command will fail again), and the middle 0 places it in the syntax/unimplemented-command group. In practice it means: the server parsed your command fine, it just doesn't offer that command — either it was never implemented, or an administrator disabled it.
You'll often see it with an enhanced status code, e.g. 502 5.5.1 Command not implemented. In RFC 3463 the leading 5 is the "Permanent Failure" class and the .5. subject is "Mail Delivery Protocol Status"; detail code 5.5.1 ("Invalid command") is the natural pairing for a 502, since the command is recognized but unsupported.
VRFY (verify address) and EXPN (expand mailing list) are very commonly turned off to prevent address harvesting. RFC 5321 §3.5.3 explicitly says a server that won't do the work "SHOULD" answer with 502. HELP and ETRN are also frequently disabled.AUTH mechanism (or AUTH not enabled at all). If your client issues AUTH LOGIN/AUTH PLAIN and the relay never advertised AUTH in its EHLO response (or only supports a different mechanism such as XOAUTH2), you can get a 502.A subtle distinction: 502 is not "out of order." If you send RCPT TO before MAIL FROM, the server returns 503 Bad sequence of commands (RFC 5321 §3.3), not 502. And if the command itself is malformed or unknown, you get 500 Syntax error, command unrecognized. 502 specifically means "valid, known command — but I don't do that one." Note the original "valid but not yet activated" phrasing is imprecise: the command does not have to be temporarily inactive; it may simply never be supported.
502 5.5.1 VRFY command is disabled). That command is the whole problem.openssl s_client -starttls smtp -connect smtp.example.com:587 (or -connect host:465 for implicit TLS) and issue EHLO yourdomain.com. The 250- lines list exactly which extensions/commands the server advertises — if your command isn't there, it isn't implemented.VRFY/EXPN: stop calling them. They are optional and routinely disabled; don't rely on them to validate recipients.AUTH: use a mechanism the server advertised. For Gmail/Google Workspace that means an App Password (with 2-Step Verification) or OAuth2/XOAUTH2. Google removed "Less Secure Apps" for personal Gmail accounts in 2022; Google Workspace phased out the same password-based access on a later timeline, fully ending by May 2025. Ports 587 (STARTTLS) and 465 (implicit TLS) are both valid.disable_vrfy_command = no) — but leave VRFY/EXPN disabled if they were off for anti-harvesting reasons.With Courier
VRFY/EXPN/AUTH commands. A 502 surfaced in provider logs points at the upstream provider's configuration or credentials — fix it there, then resend.References
FAQ
Permanent. The leading 5 marks it as a permanent negative completion reply per RFC 5321 §4.2.4, so resending the same command will fail again. You must change or remove the command rather than retry.
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Reply-code definitions per RFC 5321 §4.2.4. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.