What 550 5.7.520 Means
Microsoft 365 blocked the message based on a content policy. The 5.7.520 enhanced code maps to 'access denied, your organization does not allow external forwarding' or a similar content-policy rejection. The specific text in the bounce identifies which policy triggered.
Microsoft 365 tenants with custom transport rules, anti-malware policies, or sensitive-data filters. The rejection is recipient-tenant-specific.
Recipient organization's transport rule rejected the message (e.g. 'block external forwarding', 'block messages with specific keywords'); anti-malware policy flagged content; safe-attachments scan detected risk; or data-loss-prevention (DLP) policy matched something in the message body.
How to Fix 550 5.7.520
- 1
Read the bounce text for the specific policy
Microsoft's bounce usually includes the rule name or policy that triggered. Common variants: 'external forwarding blocked', 'message contains a flagged keyword', 'attachment failed safe-attachments scan'. Each has a different fix path.
- 2
If external forwarding blocked — find an alternate route
Some recipient organizations block all mail that arrives via forwarding (e.g. mail you sent to alias@old.com that auto-forwards to user@new.com). The block is on the recipient side. Find a direct address for the prospect at their current organization.
- 3
If keyword-flagged — review message content
Tenants often block keywords related to security/compliance topics (e.g. financial product mentions if they're not in finance). Review your message for terms specific to the recipient's industry that might trigger DLP rules.
- 4
If safe-attachments — remove or change the attachment
Microsoft's Safe Attachments scans attached files in a sandbox before delivery. Suspicious attachments are blocked. For cold email, don't attach files — link instead. Hosted documents bypass attachment scanning entirely.
- 5
Recognize you can't bypass tenant policies
Recipient organizations choose their own policies. If they've configured aggressive content filtering, you can't bypass it from the sending side. Find prospects whose organizations don't have ironclad policies, or accept that this prospect's organization isn't reachable via cold email.
References
550 5.7.520 in the Cold Email Context
5.7.520 is a recipient-tenant policy rejection — your infrastructure quality doesn't change the outcome. The cold-email-specific learning: organizations with aggressive content filtering are signaling 'cold email is not welcome here.' Persistent 5.7.520 from a target org means you should focus elsewhere or wait for warmer introductions. ColdRelay's infrastructure quality is irrelevant to this specific error — it's purely a content + recipient-policy interaction handled at the recipient side.
Frequently Asked Questions
Can I appeal a tenant content block?
Only via direct contact with the recipient organization's IT. They configured the policy; they're the only ones who can adjust it. For cold outreach where you have no prior relationship, this typically isn't realistic.
Does 5.7.520 affect my reputation?
Marginally. Microsoft tracks block rates as a reputation signal. Many 5.7.520 events from the same recipient organization is just policy mismatch (not a reputation event). Many 5.7.520 events across many organizations might indicate broader content issues.
Will switching the From address help?
Only if the recipient's policy is keyed off specific From-addresses (rare). Most content policies match on body text or attachment characteristics, not on sender. Test by sending a stripped-down version of the message.
Is this the same as a spam rejection?
No. Spam rejection (5.7.1) is global classification. 5.7.520 is recipient-tenant policy. Same end result (no delivery) but different mechanisms. The remediation differs accordingly.