PowerMTA 452 vs 550 Bounce Code Analysis: Complete 2026 Operator Guide

← PowerMTA Operations

PowerMTA 452 vs 550 Bounce Code Analysis: Complete 2026 Operator Guide

December 29, 2026·13 min read·Henrik Larsen

Why bounce code analysis matters

Bounce codes are the receiving environment telling you exactly what happened to a message, and reading them correctly is one of the most consequential skills in email operations. Misread a bounce code and the consequences cascade: suppress an address that should have been retried and you lose a valid recipient; retry an address that should have been suppressed and you waste resources and accumulate bounce rate; treat a sender-side reputation problem as a recipient-side address problem and the root cause stays unaddressed while the symptom recurs campaign after campaign.

PowerMTA records bounce information in the accounting log: the SMTP status code, the enhanced status code, and the human-readable diagnostic text from the receiving server. An operator who can read these accurately diagnoses delivery problems fast; an operator who cannot misclassifies bounces and makes the underlying problems worse.

This guide focuses on 452 and 550 because they are the two codes operators see most and the two most consequential to read correctly. 452 is the archetypal soft bounce; 550 is the archetypal hard bounce; and the variation within the 550 family is exactly where the most expensive misdiagnoses happen. The structure: the first-digit classification, the RFC 3463 enhanced status code system, the 452 family in detail, the 550 family in detail, the specific 550 5.7.1 misdiagnosis trap, the authentication enforcement codes, the Gmail paired-code escalation pattern, greylisting, the suppression decision rules, and the diagnostic workflow for reading bounce patterns from PowerMTA accounting.

The first digit: soft versus hard

The first digit of the three-digit SMTP status code is the critical classifier.

First digitClassMeaningDefault action
2xxSuccessMessage acceptedNone, delivered
3xxIntermediateContinue the dialogueProtocol continues
4xxTransient failure (soft bounce)Try again laterRetry
5xxPermanent failure (hard bounce)This will not workAction required

A 4xx code is a soft bounce: the receiving server is saying "not now, try again later", the condition may resolve without any change to the address, and the correct response is to retry. A 5xx code is a hard bounce: the receiving server is saying "this will not work", the condition will not resolve on retry, and the correct response is action, though the specific action depends on the variant.

This first-digit classification is consistent across all receiving systems: Gmail, Outlook, Yahoo, corporate mail servers, security gateways like Barracuda, Mimecast, and Proofpoint. They all follow the same framework, so the first digit always tells you permanent versus temporary.

PowerMTA respects this classification by default: 4xx responses get retried per the retry directives, 5xx responses get bounced. The codes 452 and 550 sit on opposite sides of this divide, which is why they make the clearest teaching examples.

RFC 3463 enhanced status codes

Most modern mail servers supplement the three-digit code with an enhanced status code in the format X.Y.Z, defined in RFC 3463. The enhanced code provides far more specific failure information than the basic three-digit code alone.

The structure is class.subject.detail:

PositionMeaningCommon values
X (class)Aligns with the SMTP first digit2 success, 4 transient, 5 permanent
Y (subject)The category of the problem1 addressing, 2 mailbox, 7 security/policy
Z (detail)The specific detailProvider-specific specifics

The subject digit (Y) is the most diagnostically useful: X.1 means an addressing problem (the address itself), X.2 means a mailbox problem (the mailbox state), X.7 means a security or policy problem (the sender's reputation or authentication). This single digit frequently tells you whether a bounce is a recipient-side problem or a sender-side problem.

For example, a server returning "550 5.1.1" provides both the SMTP code (550, permanent rejection) and the enhanced code (5.1.1, where 5 is permanent, 1 is addressing, 1 is the specific detail bad destination mailbox address). The enhanced code tells you the specific email address does not exist on that domain. A server returning "550 5.7.1" provides 550 (permanent) plus 5.7.1 (5 permanent, 7 security/policy, 1 delivery not authorized), which is an entirely different problem despite the identical 550 base code.

Reading the enhanced status code is what separates accurate bounce handling from the crude approach of treating all 550 codes identically.

The 452 family: soft bounces

452 is a 4xx code, a soft bounce. The base meaning is insufficient system storage.

CodeMeaningTypeAction
452 4.2.2Mailbox over quota (full)SoftRetry ~72h, suppress after 3-5 repeats
452 (generic)Insufficient system storageSoftRetry, server-side storage issue
421Service unavailableSoftRetry in 30-60 min
450 4.7.1Greylisting or temp blockSoftRetry, resolves quickly (see below)
451 4.7.1Local processing error / temp blockSoftRetry, server-side

The most common 452 is 452 4.2.2, mailbox over quota. Gmail phrases this as "over quota". The recipient's inbox hit its storage limit. This is a genuine soft bounce the first time, the recipient may simply have a full inbox they will clear.

The substantive nuance with 452 4.2.2: a single occurrence is genuinely temporary, but a pattern of 452 to the same address across multiple separate campaigns indicates an abandoned account. A mailbox that stays full across many days belongs to someone no longer checking that email. The handling rule: retry a single 452 over roughly 72 hours, but if the same address returns 452 across 3 to 5 separate sends, suppress it as effectively dead.

A specific 451 quirk worth noting: Apple's servers sometimes return 451 4.7.1 service unavailable during inbound load spikes. This trips up operators who mistake it for a permanent block; it is a soft bounce that resolves on retry, not a reputation problem.

The 550 family: hard bounces

550 is a 5xx code, a hard bounce. But the 550 family contains fundamentally different problems behind the same base code, and the enhanced status code is what distinguishes them.

CodeMeaningReal problemAction
550 5.1.1Address does not existRecipient-side: bad addressSuppress immediately
550 5.7.1Policy / reputation blockSender-side: reputationInvestigate, do NOT suppress
550 5.7.26Unauthenticated mailSender-side: authenticationFix authentication
550 5.7.515Missing SPF/DKIM/DMARCSender-side: authenticationFix authentication
551User not localRecipient-side: address movedUpdate address
552Storage exceeded / quotaMixed: message size or mailboxRetry, suppress if persistent
553Mailbox name invalidRecipient-side: bad formatSuppress, fix format
554 5.7.xTransaction failed / policy rejectionSender-side: content or authFix content/auth

The critical observation: the 550 family splits into recipient-side problems and sender-side problems. 550 5.1.1 (address does not exist) and 553 (mailbox name invalid) are recipient-side: the address itself is the problem, and suppression is correct. 550 5.7.1 (policy block), 550 5.7.26 (unauthenticated), 550 5.7.515 (missing authentication), and 554 5.7.x (policy rejection) are sender-side: the address is fine, the sender's reputation or authentication or content is the problem, and suppression accomplishes nothing.

The X.7 subject digit is the tell. Any 550 with a 5.7.x enhanced code is a security or policy problem, which is almost always sender-side. Any 550 with a 5.1.x enhanced code is an addressing problem, which is recipient-side.

The 550 5.7.1 misdiagnosis trap

The single most common bounce-handling mistake is treating 550 5.7.1 as an address problem and suppressing the recipient.

550 5.7.1 means delivery not authorized, message refused. The 5.7 portion is the security/policy class. The receiving server is refusing the message because of the sender's reputation, an authentication failure, a policy block, or a blacklist listing. The recipient address almost certainly exists and is perfectly valid.

Suppressing the recipient on a 550 5.7.1 bounce does nothing to fix the actual problem because the address was never the problem. Worse, it actively harms the operation: the list shrinks while the underlying reputation or authentication problem stays unaddressed, so the next campaign hits exactly the same wall, generates more 5.7.1 bounces, and suppresses more valid recipients. The operator ends up with a smaller list and an unsolved problem.

5.7.1 is a sender-side problem wearing a recipient-side disguise

When you see 550 5.7.1 in PowerMTA accounting, do not suppress the recipient. The 5.7 enhanced class means security/policy, which is a sender-side problem. The correct response is sender-side investigation: check whether the sending IP is on a blacklist, verify SPF, DKIM, and DMARC alignment, review sending reputation at the relevant postmaster tools, examine whether content is triggering policy filters. A cluster of 550 5.7.1 codes, especially concentrated on one campaign or one receiving domain, is a clear signal of a systematic sender-side problem. Treating it as list hygiene leaves the root cause unsolved.

The correct response to 550 5.7.1: investigate the sender side. Is the sending IP blacklisted? Is authentication aligned? Is the reputation degraded at this receiver? Is the content triggering filters? The answer to one of those questions is the actual problem, and fixing it resolves the 5.7.1 bounces. List cleaning does not.

Authentication enforcement codes

Since 2024, Gmail, Microsoft, and Yahoo introduced specific enforcement codes to reject messages from senders who do not meet bulk sender requirements. These are 5.7.x codes, sender-side problems.

CodeMeaningFix
550 5.7.26Unauthenticated mail (Gmail)Add proper SPF/DKIM authentication
550 5.7.515Missing SPF/DKIM/DMARCImplement all three authentication mechanisms
554 5.7.xPolicy rejectionFix content and authentication
553 / 554 (auth)DMARC/DKIM failureFix SPF/DKIM/DMARC alignment

When 550 5.7.26 appears in PowerMTA accounting, the 26 detail (Gmail uses this for unauthenticated mail) tells you the sending domain is not properly authenticated. When 550 5.7.515 appears, it indicates missing SPF, DKIM, or DMARC. These are not address problems; they are configuration problems with the sending setup, and the fix is implementing the missing authentication.

These codes became substantially more common after the Gmail and Yahoo bulk sender requirements took effect in February 2024. An operator who sees a sudden cluster of 5.7.26 or 5.7.515 codes is almost certainly hitting the bulk sender authentication enforcement, and the fix is authentication, not list cleaning.

Gmail paired-code escalation

Gmail's bulk sender enforcement introduced a paired-code pattern that operators must recognize. The same compliance issue appears first as a 421 temporary warning and escalates to a 550 permanent rejection if it is not fixed.

The escalation pattern:

  1. A compliance problem (authentication, reputation, complaint rate) first surfaces as a 421 temporary deferral. PowerMTA retries it as a normal soft bounce.
  2. If the underlying problem is not fixed, Gmail escalates: the same problem starts returning as a 550 permanent rejection.
  3. At the 550 stage, messages hard-bounce and the operator has lost the grace period the 421 warning represented.

The operational lesson: a cluster of 421 codes from Gmail is a warning, not a routine soft bounce. It is Gmail saying "fix this before we escalate". An operator who treats Gmail 421 deferrals as normal soft bounces and just lets PowerMTA retry them is missing the warning, and the escalation to 550 follows. When Gmail 421 codes appear in a pattern, investigate the cause (authentication, reputation, complaints) during the 421 grace period rather than waiting for the 550 escalation.

Greylisting and false soft bounces

Greylisting is a specific soft-bounce pattern that should not be counted toward soft-bounce thresholds.

450 4.7.1 greylisting is a deliberate temporary rejection: the receiving server rejects the first delivery attempt from an unfamiliar sender, expecting a legitimate sender to retry (spammers frequently do not). Greylisting typically resolves on the first retry after a few minutes.

The handling nuance: greylisting 450 4.7.1 is a normal, expected soft bounce that resolves immediately on retry. It should not count toward an address's soft-bounce threshold, because it is not an indication of any problem with the address or the sender. An operator whose bounce handling counts greylisting retries toward a soft-bounce-suppression threshold will incorrectly suppress valid addresses that simply went through normal greylisting.

PowerMTA's retry handling naturally retries greylisting and the message delivers on the second attempt. The thing to get right is the accounting: do not let a greylisting 450 contribute to a decision to suppress an address, because greylisting is not a problem, it is normal receiving-server behavior.

Suppression decision rules

Pulling the analysis together into clear suppression decision rules:

CodeSuppress?Reasoning
452 4.2.2 (single)NoRetry, mailbox temporarily full
452 4.2.2 (3-5 repeats)YesPersistently full = abandoned account
421 (single)NoRetry, server temporarily unavailable
421 Gmail (pattern)No, investigateCompliance warning before escalation
450 4.7.1 (greylisting)NoNormal, resolves on retry, do not count
550 5.1.1Yes, immediatelyAddress does not exist
550 5.7.1No, investigate sender sideReputation/policy problem, not address
550 5.7.26No, fix authenticationUnauthenticated mail, sender config
550 5.7.515No, fix authenticationMissing SPF/DKIM/DMARC
551Update addressUser not local, address moved
552Retry, suppress if persistentStorage or message size
553YesInvalid mailbox name format
554 5.7.xNo, fix content/authPolicy rejection, sender side

The pattern across the rules: suppress recipient-side problems (5.1.1, 553, persistent 452, 551 after address update fails), investigate sender-side problems (any 5.7.x, Gmail 421 patterns), retry genuine transient conditions (single 452, single 421, greylisting). The enhanced status code, specifically the X.7 versus X.1 distinction, is the key to applying these rules correctly.

Reading bounce patterns in accounting

PowerMTA accounting records bounce details in the dsnStatus (enhanced status code) and dsnDiag (diagnostic text) fields. The diagnostic queries for bounce analysis:

Bounce code distribution. What codes are appearing and how often:

SELECT
    dsnStatus,
    count() AS occurrences
FROM pmta_accounting
WHERE type = 'b'
  AND timeLogged >= now() - INTERVAL 7 DAY
GROUP BY dsnStatus
ORDER BY occurrences DESC;

Sender-side problem detection. Looking specifically for 5.7.x codes that indicate sender-side problems:

SELECT
    dsnStatus,
    rcptDomain,
    count() AS occurrences
FROM pmta_accounting
WHERE type = 'b'
  AND dsnStatus LIKE '5.7.%'
  AND timeLogged >= now() - INTERVAL 7 DAY
GROUP BY dsnStatus, rcptDomain
ORDER BY occurrences DESC;

A cluster of 5.7.x codes concentrated on one receiving domain points to a reputation or authentication problem with that specific receiver. A cluster spread across many receivers points to a broader sender-side problem (blacklisting, authentication misconfiguration).

Repeated 452 detection. Finding addresses that return 452 across multiple sends, candidates for suppression:

SELECT
    rcpt,
    count() AS bounce_452_count
FROM pmta_accounting
WHERE dsnStatus = '4.2.2'
  AND timeLogged >= now() - INTERVAL 30 DAY
GROUP BY rcpt
HAVING bounce_452_count >= 3
ORDER BY bounce_452_count DESC;

The interpretation framework. When analyzing bounce patterns:

  • Clusters of the same code point to systematic issues, not random recipient problems.
  • 5.1.x codes concentrated anywhere mean address quality problems, clean the list.
  • 5.7.x codes concentrated on one campaign mean that campaign's content triggered filters.
  • 5.7.x codes concentrated on one receiver mean a reputation problem with that receiver.
  • 5.7.x codes spread broadly mean an authentication or blacklisting problem affecting everything.
  • 452 codes concentrated on the same addresses across time mean abandoned accounts, suppress them.
  • Gmail 421 codes in a pattern mean a compliance warning, investigate before the 550 escalation.
The list that got cleaned to death

An operator we worked with had a steadily shrinking list and could not understand why. Their bounce handling was aggressive: any 550 triggered immediate suppression of the recipient. Accounting analysis revealed the problem. A large fraction of their 550 bounces were 550 5.7.1, and their bounce handler was suppressing every one of them as if the address were invalid. But 5.7.1 is a policy/reputation problem, not an address problem. The actual root cause was a DKIM alignment issue: their sending domain's DKIM was misconfigured, a subset of receivers rejected the unaligned mail with 550 5.7.1, and the bounce handler suppressed all those perfectly valid recipients. Over several months, they had suppressed thousands of real, valid addresses, each one a recipient who never had anything wrong with their address. The fix had two parts: correct the DKIM alignment (which stopped the 5.7.1 bounces at the source), and reconfigure the bounce handler to distinguish 5.1.x address problems (suppress) from 5.7.x policy problems (investigate, do not suppress). The wrongly-suppressed addresses had to be carefully reviewed and reinstated. The lesson: a bounce handler that treats all 550 codes identically does not clean a list, it destroys one. The enhanced status code distinction between 5.1.x and 5.7.x is not academic, it is the difference between hygiene and self-harm.

Bounce code analysis is a foundational email operations skill, and the 452-versus-550 contrast is the clearest entry point. The first digit classifies soft versus hard. The enhanced status code, particularly the X.7-versus-X.1 subject digit, classifies sender-side versus recipient-side. Get both right and bounce handling becomes accurate: retry genuine transient failures, suppress genuine address problems, investigate genuine sender-side problems. Get them wrong and the consequences compound: valid recipients suppressed, root causes unaddressed, lists shrinking while the real problems recur. PowerMTA gives you the raw bounce data in the accounting log; the skill is reading it correctly, and that skill rests on understanding that not all 550 codes are the same problem and that the enhanced status code is the key to telling them apart.

H
Henrik Larsen

Email Infrastructure Engineer at Cloud Server for Email. Analyzes bounce patterns from PowerMTA accounting and designs bounce-handling logic for ESP clients. Related: PowerMTA Accounting Log Reference, retry-after Directive and Backoff, smtp-pattern-list Conditional Routing.