Your email failed SPF (Sender Policy Framework) authentication. The sending IP address is not authorized in your domain's SPF record to send email on behalf of your domain. Update your SPF record to include the sending server.
What Does Error 5.7.20 Mean?
Enhanced status code 5.7.20 specifically indicates an SPF authentication failure. The receiving server checked your domain's SPF record and determined that the IP address sending the email is not authorized to send on behalf of your domain.
SPF works by publishing a DNS TXT record listing the IP addresses and servers authorized to send email for your domain. When a receiving server gets an email claiming to be from your domain, it checks the sender's IP against your SPF record. If the IP is not listed, SPF fails.
Common causes include not updating your SPF record when adding a new ESP or sending service, DNS propagation delays after SPF record changes, or exceeding the SPF 10-lookup limit. Use our SPF Checker to verify your record.
Common Causes
- Sending IP is not included in your domain's SPF record
- SPF record has not been updated after adding a new sending service
- SPF record exceeds the 10 DNS lookup limit
- DNS propagation delay after SPF record changes
- Email forwarding broke SPF alignment (the receiver checks the forwarding server's IP, which no longer matches the original sending IP)
- Sending through an unauthorized relay or third-party service
How to Fix Error 5.7.20
- Check your SPF record using our SPF Checker tool
- Add the sending server's IP or include statement to your SPF record
- Ensure your SPF record does not exceed the 10 DNS lookup limit
- Wait for DNS propagation (up to 48 hours) after SPF record changes
- For forwarded email, implement DKIM and ARC to preserve authentication
- Verify all your sending services are listed in your SPF record
Frequently Asked Questions
Error 550 5.7.20 indicates that SPF (Sender Policy Framework) validation failed for your email. The recipient's server checked your domain's SPF record and determined that the sending IP address is not authorized to send email on behalf of your domain. This is a permanent rejection, and the message will not be delivered until the SPF configuration is corrected. Microsoft 365 commonly returns this specific sub-code.
Check your domain's DNS for an SPF TXT record and ensure the sending server's IP address is listed as an authorized sender. If you use Microsoft 365, your SPF record should include "include:spf.protection.outlook.com". If you use third-party services (Mailchimp, SendGrid, etc.), add their include mechanisms as well. Ensure you have only one SPF record per domain; multiple SPF records cause all validations to fail. Validate your record using an online SPF checker tool.
Both codes indicate SPF validation failure, but they are used by different providers. Microsoft 365 typically returns 5.7.20 for SPF failures in general, while 5.7.23 specifically indicates the SPF record evaluation itself failed (such as a syntax error or DNS lookup timeout). Gmail uses different sub-codes in the 5.7.x range. In all cases, the fix is the same: ensure your SPF record is valid, complete, and stays within the 10 DNS lookup limit.
Yes. The SPF specification (RFC 7208) limits DNS lookups to 10 per SPF evaluation. Each "include", "a", "mx", and "redirect" term counts as a lookup. If your SPF record exceeds 10 lookups, the evaluation returns a "permerror" result, and most receiving servers treat this as an SPF failure. Use SPF flattening (replacing include statements with IP addresses) or move sending services to subdomains with their own SPF records to stay within the limit.
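The two permerror conditions described above (more than one SPF record on a domain, and more than 10 DNS lookups) can be checked before a record is published. The following is an added example, not part of the original page or any vendor's tool: it walks nested includes over a constructed, offline set of TXT records. All domain names except the Microsoft 365 include are placeholders, every record value is invented, and the helper names are hypothetical.

```python
import re

# Constructed TXT data standing in for live DNS; record contents are invented, not real.
ZONE = {
    "ok.example": ["v=spf1 include:spf.protection.outlook.com ip4:192.0.2.10 -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:esp-a.example -all"],
    "big.example": ["v=spf1 a mx include:esp-a.example include:esp-b.example "
                    "include:esp-c.example -all"],
    **{f"esp-{c}.example": ["v=spf1 include:n1.esp.example include:n2.esp.example ~all"]
       for c in "abc"},
    "n1.esp.example": ["v=spf1 ip4:203.0.113.0/25 -all"],
    "n2.esp.example": ["v=spf1 ip4:203.0.113.128/25 -all"],
}
# RFC 7208 counts these terms toward the limit ("ptr" and "exists" as well as the page's four).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

class PermError(Exception):
    """A condition that makes SPF evaluation return permerror."""

def spf_record(domain, zone):
    found = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) > 1:
        raise PermError(f"{domain}: {len(found)} SPF records published")
    return found[0] if found else None

def count_lookups(domain, zone, chain=()):
    """Worst-case count of DNS-querying terms reachable from domain's record."""
    if domain in chain:
        raise PermError(f"{domain}: include/redirect loop")
    record = spf_record(domain, zone)
    if record is None:
        raise PermError(f"{domain}: include/redirect target has no SPF record")
    total = 0
    for term in record.split()[1:]:
        name, target = re.match(r"[+\-~?]?([a-z0-9]+)[:=/]?(.*)", term.lower()).groups()
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):  # nested records add their own lookups
                total += count_lookups(target, zone, chain + (domain,))
    return total

def audit(domain, zone=ZONE):
    try:
        if spf_record(domain, zone) is None:
            return "none (no SPF record)"
        n = count_lookups(domain, zone)
    except PermError as exc:
        return f"permerror ({exc})"
    return f"ok ({n} lookups)" if n <= LIMIT else f"permerror ({n} lookups > {LIMIT})"
```

Calling audit("big.example") shows how three includes that look harmless at the top level reach 11 lookups once their nested includes are counted. The count is a static worst case; a live evaluation stops at the first matching mechanism and may use fewer.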