SMTP

SMTP Error 541

SMTP 541 is a non-RFC anti-spam gateway rejection for policy or reputation. Fix it with SPF, DKIM, DMARC, a clean blocklist status, and spam-free content.

Updated Jul 1, 2026

The short answer

"SMTP 541" is not a standard RFC 5321 reply code. It is emitted by anti-spam gateways and filtering appliances to reject a message for policy or reputation reasons, and is often confused with the enhanced status code 5.4.1 (which most commonly means a recipient-rejected/access-denied problem, not a spam block). The fix: authenticate your mail (SPF, DKIM, DMARC), check your sending IP/domain against blocklists, and stop content that trips spam filters.

Quick answer: 541 is not a standard SMTP reply code defined in RFC 5321. It is a rejection emitted by anti-spam gateways and filtering appliances meaning "the receiving system refused your message for policy or reputation reasons." In the wild it almost always travels with the enhanced code 5.7.1 ("message rejected as spam / by policy"). It is also frequently confused with the enhanced status code 5.4.1, which is a different thing entirely. To clear a true 541: authenticate your mail (SPF, DKIM, DMARC), get your sending IP/domain off blocklists, and remove content that trips spam filters.

What is SMTP Error 541?

The standard SMTP reply codes in RFC 5321 §4.2.3 include 550, 551, 552, 553, 554, and 555 (with 521/556 added later by RFC 7504) — but there is no 541 reply code anywhere in the specification. So when you see "SMTP Error 541," it is almost always one of two things:

  1. A vendor/appliance-specific rejection. Anti-spam gateways and filtering appliances sit in front of the recipient's real mail server and reject messages with a 541-style banner when they decide a message violates policy or comes from a low-reputation sender. The typical full string is 541 5.7.1: Message rejected as spam by Content Filtering or 541 Denied by policy. The 5 means permanent failure (do not retry the exact same request, per RFC 5321), but 541 itself is the vendor's own convention, not an IANA-registered or RFC-defined reply code.
  2. A misread of the enhanced status code 5.4.1. Many MTAs append a three-part RFC 3463 enhanced status code. Written without dots, 5.4.1 looks like "541" — but they are unrelated. See the dedicated section below, because 5.4.1 in practice usually points at a recipient/access problem, not a spam block.

The honest takeaway: the number alone is ambiguous. Read the full text of the bounce, because that text tells you which problem you actually have.

What causes SMTP Error 541?

For a true 541 banner, the cause is policy/reputation, not addressing:

  • Policy / content rejection (most common for true 541 banners). A filter classified your message as spam or as violating a recipient policy. The matching enhanced code is 5.7.1"Delivery not authorized, message refused" / "The sender is not authorized to send to the destination" (RFC 3463, the X.7 Security or Policy class). Triggers include spam-like content, a poor reply-to/brand reputation, or recipient rules that block unauthenticated or cold mail.
  • Sending IP or domain reputation / blocklisting. Gateways score the connecting IP and sending domain. A history of spam complaints, a shared IP gone bad, or a listing on a blocklist (e.g. Spamhaus) causes a reputation-based refusal.
  • Missing or failing authentication. Mail with no valid SPF (RFC 7208), DKIM (RFC 6376), or a failing DMARC (RFC 7489) alignment is increasingly rejected outright by strict receivers.

What about 5.4.1?

If your bounce is literally 5.4.1 (often seen as 550 5.4.1), do not treat it as a spam block. Two things are worth knowing:

  • By the RFC, X.4 is the "Network and Routing Status" class, and RFC 3463 defines X.4.1 as "The outbound connection attempt was not answered, because either the remote system was busy, or was unable to take a call. This is useful only as a persistent transient error." Note that the RFC frames this as a transient condition — the strictly-correct form is 4.4.1.
  • In practice, the most common emitter of 550 5.4.1 is Microsoft Exchange / Microsoft 365, where it means "Recipient address rejected: Access denied." That is a recipient/access/policy problem — the recipient address doesn't exist, isn't synced, is blocked by Directory-Based Edge Blocking, or the receiver's relay/recipient policy refuses it — not an MX/connectivity outage. So for a real 5.4.1, verify the recipient address actually exists and is reachable on the receiving side before assuming a network failure.

How do I fix SMTP Error 541?

Work through these in order:

  1. Read the entire bounce string, not just the number. Note whether it says 5.7.1 (policy/spam), names a filter vendor (Barracuda, Proofpoint, etc.), includes a blocklist URL, or is literally 5.4.1 (recipient/access — see above). This determines everything below.
  2. Verify sender authentication. Publish and validate SPF, DKIM, and DMARC for your sending domain. Check MX/SPF (and DKIM via selector) with Google's Check MX tool, and verify DMARC alignment separately with a tool such as dmarcian's DMARC Inspector or MXToolbox. This is the single highest-leverage fix for modern policy rejections.
  3. Check your IP and domain reputation. Look up your sending IP against major blocklists (e.g. Spamhaus). If listed, follow that list's delisting/appeal process and fix the underlying source of spam before re-applying.
  4. Audit the message content. Remove spam-trigger patterns: deceptive subject lines, link shorteners, mismatched display names, bare image-only bodies, and a high image-to-text ratio. Send a real, personalized message rather than bulk cold mail to addresses you haven't validated.
  5. If a specific gateway is named, contact that receiver/vendor. Reputation problems that span an entire appliance vendor often require requesting allow-listing or a reputation review directly (e.g. Barracuda's reputation/removal request process). Ask the recipient's admin to allow-list your sending domain if you have a legitimate relationship.
  6. If the code is truly 5.4.1, stop treating it as spam. Confirm the recipient address exists and is accepted on the receiving side (on Microsoft 365 this is usually a missing/unsynced recipient or Directory-Based Edge Blocking, not an outage); only if you have evidence of a connectivity problem should you check that the recipient domain's MX records resolve and retry.

With Courier

If Courier surfaces a 541-style failure from a downstream email provider, the rejection is coming from the recipient's mail system, not from Courier. Inspect the message detail/bounce reason in the Courier logs, then apply the authentication and reputation fixes above for the sending domain configured on your email provider (SendGrid, Amazon SES, Mailgun, etc.).

FAQ

Common questions

No. RFC 5321 does not define a 541 reply code — the standard permanent-failure codes are 550, 551, 552, 553, 554, 555, and 556. "541" is a vendor-specific rejection emitted by various commercial anti-spam gateways and appliances, or a misreading of the RFC 3463 enhanced status code 5.4.1.

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Reply-code definitions per RFC 5321 §4.2.3; RFC 3463. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.