Exchange Server

SMTP 554 5.1.0 Sender Denied Caused by Mailbox Junk Email Configuration

Avatar photo
Post author:Written By 19 Comments

Mailbox users can set their own Junk email controls using Outlook or Outlook Web App, including blocking senders.

exchange-outlook-junk-email-block-sender-01

When a mailbox user blocks a sender the sender’s email address is added to the “Blocked Senders” list, visible in Outlook’s Junk Email Options.

exchange-outlook-junk-email-block-sender-02

This list is also accessible in Outlook Web App, by navigating to the Options (by clicking the gear icon in the top right) and looking in the “block and allow” section.

exchange-outlook-junk-email-block-sender-03

When an email address is blocked like this any email messages from the sender will go to that user’s junk email folder. However, if Safelist Aggregation is being used the emails will be rejected by the server instead. The sender will receive an NDR with information similar to this:

Delivery to the following recipient failed permanently:

alan.reid@exchangeserverpro.net

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain exchangeserverpro.net by maila.locklan.com.au. [58.7.213.10].

The error that the other server returned was:
554 5.1.0 Sender denied

The user in your organization can remove the email address from their blocked sender list, and then a safelist update will stop the server from blocking those emails.

However, there are situations where the person may not be capable of removing the blocked sender, or you may simply want to do it yourself as the Exchange administrator. In these cases you can manage a mailbox’s junk email configuration using PowerShell.

Running Get-MailboxJunkEmailConfiguration will allow you to see the current trusted and blocked email addresses for that mailbox user.

[PS] C:>Get-MailboxJunkEmailConfiguration alan.reid


RunspaceId               : 11371828-d5da-40c3-a9fc-fc287c2fcf0a
Enabled                  : True
TrustedListsOnly         : False
ContactsTrusted          : True
TrustedSendersAndDomains : {}
BlockedSendersAndDomains : {alan.oliveirabio@yahoo.com.br, exchangeserverpro@gmail.com, info@globalsales.co.cc,
                           register@ebrguide.net, service@paypal.net}
MailboxOwnerId           : exchangeserverpro.net/Company/Head Office/Users/Alan.Reid
Identity                 : exchangeserverpro.net/Company/Head Office/Users/Alan.Reid
IsValid                  : True
ObjectState              : Unchanged

To remove an item from the BlockedSendersAndDomains use Set-MailboxJunkEmailConfiguration.

[PS] C:>Set-MailboxJunkEmailConfiguration alan.reid -BlockedSendersAndDomains @{remove="exchangeserverpro@gmail.com"}

The above command will remove exchangeserverpro@gmail.com from the BlockedSendersAndDomains but leave the other entries in place.

[PS] C:>Get-MailboxJunkEmailConfiguration alan.reid


RunspaceId               : 11371828-d5da-40c3-a9fc-fc287c2fcf0a
Enabled                  : True
TrustedListsOnly         : False
ContactsTrusted          : True
TrustedSendersAndDomains : {}
BlockedSendersAndDomains : {alan.oliveirabio@yahoo.com.br, info@globalsales.co.cc, register@ebrguide.net,
                           service@paypal.net}
MailboxOwnerId           : exchangeserverpro.net/Company/Head Office/Users/Alan.Reid
Identity                 : exchangeserverpro.net/Company/Head Office/Users/Alan.Reid
IsValid                  : True
ObjectState              : Unchanged

Make sure you update Safelist Aggregation again after making the change by running Update-Safelist.

[PS] C:>Update-SafeList alan.reid

When that sender sends to the mailbox they will no longer be blocked by the mailbox’s junk email configuration.

Tags: , , , , ,

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  3. John Benischek 12 May 2021 Reply

    I have a hybrid Email system and one user from the cloud always gets “Remote Server returned ‘554 5.1.0 Sender denied'” when she sends to ONE particular onprem user. The onprem user does NOT have the Cloud user in Junk Mail or in the Block list. I added the cloud user to the “Safe Sender or Recipient List” but the Edge Server still blocks the cloud user when sending to that one onprem user. Is there a way I can force the Edge Server to accept email from that Cloud user?

  4. Maax 19 Jun 2018 Reply

    Excellent help!, I have a question what about a shared mailbox? Can i use this command in PS to do the same? Or there is an another to do it?

    Thanks in advance!!

  5. Chretien 29 Sep 2017 Reply

    SMTP 554 5.1.0 Sender Denied Caused by Mailbox Junk Email Configuration

    How to remove the usage of safelist aggregation on the exchange environment, since the desactivation of the contentfilter does not solve the issue.

    Thanks a lot
    Chretien

  6. Madurama 19 Apr 2017 Reply

    great info, this save my life in 2017

  7. massimo 10 Mar 2017 Reply

    Nice info! thx
    and it work !!!!!

  8. Rocketman 16 Aug 2016 Reply

    If the Exchange Anti-Spam agent is running the logs located in:

    Program FilesMicrosoftExchange ServerV14TransportRolesLogsAgentLog

    can be searched for the recipients address and the entry PerRecipientBlockedSender

  9. Darrell 3 Sep 2015 Reply

    I’ve removed the address from the blocked senders list through Web App, and validated it through the PowerShell above, even done the Update-SafeList command on it. But the emails still keep getting blocked with 554 5.1.0 (Sender denied).

    Anywhere I can check to see why the main Exchange (through PowerShell) doesn’t show the address in the list, but the address is still being blocked? Is there some synchronization or something that needs to happen?

    I’ve even added the address to the Trusted Senders list, but it’s still blocking it.

    Any ideas?

    1. Avatar photo
      Paul Cunningham 3 Sep 2015 Reply

      Are they being blocked by the Exchange mailbox/transport server? Or an Edge server? Or a separate email security appliance/service?

  10. Claude 27 May 2015 Reply

    Hi,

    you saved my day !

    thx !

    Claude.

  11. Graham 27 Mar 2015 Reply

    I lost a week trying to understand why the server rejected scan to mail from a mopier to a particular user before I did a network trace and found the SMTP error code.

    There’s one more thing to add for those not used to PowerShell : $FormatEnumerationLimit=-1 otherwise only the first 16 items in the lists are shown (my problem user had >300 blocked addresses!).

    1. lirco 30 Nov 2017 Reply

      Or you can expand the list explicitly to a file:

      get-mailboxjunkemailconfiguration -identity | select-object BlockedSendersAndDo
      mains -Expand BlockedSendersAndDomains | out-file “C:\Users\Public\Documents\list.txt”

    2. lirco 30 Nov 2017 Reply

      sorry for an incorrect carriage return

      get-mailboxjunkemailconfiguration -identity username | select-object BlockedSendersAndDomains -Expand BlockedSendersAndDomains | out-file “C:\Users\Public\Documents\list.txt”

  12. Kevin Compateso 11 Oct 2014 Reply

    Is there a way to modify the NDR to say something more descriptive, like “Sender denied due to the recipients blocked sender list”. We had a user mistakenly add a sender to their sender denied list and we tried for days to figure out why. Of course, it was the last place we checked!

      1. Avatar photo
        Paul Cunningham 12 Oct 2014 Reply

        Sorry, to clarify, the article explains how to create a custom DSN to replace a built-in notification. I’m not sure if it is supported or possible in Exchange 2013 though. The cmdlets are there, I just haven’t tested the outcomes.

  13. serdar 1 Oct 2014 Reply

    Nice info! thx

Leave a Reply