5.7.20

Enhanced Status Code 5.7.20: SPF Validation Failed

Permanent failure High severity Security RFC 7208
What it means

Enhanced Status Code 5.7.20 means “SPF Validation Failed.” Your email failed SPF (Sender Policy Framework) authentication. The sending IP address is not authorized in your domain's SPF record to send email on behalf of your domain. Update your SPF record to include the sending server.

At a glance
Code5.7.20
Bounce typeHard (permanent)
SeverityHigh
CategorySecurity
What to doSuppress the address; do not retry
StandardRFC 7208
What it looks like in your mail logs 
550 5.7.20 spf=fail (sender IP 203.0.113.10 is not authorized by example.com SPF record); message rejected

What does 5.7.20 mean?

Enhanced status code 5.7.20 specifically indicates an SPF authentication failure. The receiving server checked your domain's SPF record and determined that the IP address sending the email is not authorized to send on behalf of your domain.

SPF works by publishing a DNS TXT record listing the IP addresses and servers authorized to send email for your domain. When a receiving server gets an email claiming to be from your domain, it checks the sender's IP against your SPF record. If the IP is not listed, SPF fails.

Common causes include not updating your SPF record when adding a new ESP or sending service, DNS propagation delays after SPF record changes, or exceeding the SPF 10-lookup limit. Use our SPF Checker to verify your record.

How 5.7.20 plays out

Your server attempts delivery
The recipient server returns a permanent 5.7.20 rejection
This is a hard bounce: the message will not be accepted as sent
Suppress the address and fix the root cause before resending

Where 5.7.20 sits: soft vs hard bounce

Soft bounce (4xx) Hard bounce (5xx)
NatureTemporaryPermanent
SMTP class4xx5xx
What to doLet it retrySuppress the address
Recoverable?OftenNo
5.7.20 is✓ this code

Common causes of 5.7.20

  • Sending IP is not included in your domain's SPF record
  • SPF record has not been updated after adding a new sending service
  • SPF record exceeds the 10 DNS lookup limit
  • DNS propagation delay after SPF record changes
  • Email forwarding broke SPF alignment (original IP no longer matches)
  • Sending through an unauthorized relay or third-party service

How to fix 5.7.20

  • Check your SPF record using our SPF Checker tool
  • Add the sending server's IP or include statement to your SPF record
  • Ensure your SPF record does not exceed the 10 DNS lookup limit
  • Wait for DNS propagation (up to 48 hours) after SPF record changes
  • For forwarded email, implement DKIM and ARC to preserve authentication
  • Verify all your sending services are listed in your SPF record

Frequently asked questions

What does error 550 5.7.20 mean?
Error 550 5.7.20 indicates that SPF (Sender Policy Framework) validation failed for your email. The recipient's server checked your domain's SPF record and determined that the sending IP address is not authorized to send email on behalf of your domain. This is a permanent rejection, and the message will not be delivered until the SPF configuration is corrected. Microsoft 365 commonly returns this specific sub-code.
How do I fix SPF validation failed error 5.7.20?
Check your domain's DNS for an SPF TXT record and ensure the sending server's IP address is listed as an authorized sender. If you use Microsoft 365, your SPF record should include "include:spf.protection.outlook.com". If you use third-party services (Mailchimp, SendGrid, etc.), add their include mechanisms as well. Ensure you have only one SPF record per domain; multiple SPF records cause all validations to fail. Validate your record using an online SPF checker tool.
What is the difference between 5.7.20 and 5.7.23 SPF errors?
Both codes indicate SPF validation failure, but they are used by different providers. Microsoft 365 typically returns 5.7.20 for SPF failures in general, while 5.7.23 specifically indicates the SPF record evaluation itself failed (such as a syntax error or DNS lookup timeout). Gmail uses different sub-codes in the 5.7.x range. In all cases, the fix is the same: ensure your SPF record is valid, complete, and stays within the 10 DNS lookup limit.
Can too many DNS lookups cause a 5.7.20 SPF failure?
Yes. The SPF specification (RFC 7208) limits DNS lookups to 10 per SPF evaluation. Each "include", "a", "mx", and "redirect" mechanism counts as a lookup. If your SPF record exceeds 10 lookups, the evaluation returns a "permerror" result, and most receiving servers treat this as an SPF failure. Use SPF flattening (replacing include statements with IP addresses) or move sending services to subdomains with their own SPF records to stay within the limit.

Related bounce codes

5.7.26 DMARC Authentication Failed

Sources & further reading

RFC 7208 · The standard that defines this reply code IETF Datatracker · RFC 8601 defines the Authentication-Results header that records the spf=fail result Microsoft Learn · Fix NDR error 5.7.23 in Exchange Online, the Microsoft Sender Policy Framework rejection code
Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← All bounce codes