550 5.7.26 unauthenticated email is not accepted

Why Gmail and Yahoo now reject unauthenticated mail, and the path from the bounce string to a passing, aligned message.

Standards basis: Advice based on RFC 9989 for DMARC policy records, RFC 9990 for aggregate reports, and RFC 9991 for failure reports. Historical RFC 7489 behavior is called out where relevant.

Quick answers

What does 550 5.7.26 unauthenticated email mean?
Gmail returns 550 5.7.26 when a message from your From domain is not authenticated in a way that satisfies that domain's DMARC policy. The mail did not produce an aligned SPF or DKIM pass, so Gmail rejected it under the sender's own DMARC record.
Why did Gmail and Yahoo start rejecting my email in 2024?
Both providers introduced bulk sender requirements that took effect in February 2024. Senders must publish SPF and DKIM, have a DMARC record of at least p=none on the From domain, and align the From header with either the SPF domain or the DKIM domain. Mail that fails these checks is rejected.
Who counts as a bulk sender for Gmail?
Google defines a bulk sender as one who sends more than 5,000 messages per day to Gmail accounts. That threshold triggers the full requirement set, but Gmail also tightened basic authentication expectations for all senders, so even low-volume mail should be authenticated and aligned.
Does p=none satisfy the Gmail and Yahoo DMARC requirement?
Yes. Both Google and Yahoo state the DMARC enforcement policy can be set to none. The requirement is that a DMARC record exists on the From domain and the message produces an aligned SPF or DKIM pass. The policy itself can stay at p=none for monitoring.
What is the spam rate limit in Google Postmaster Tools?
Google tells senders to keep the user-reported spam rate below 0.10% and to never reach 0.30% or higher. The rate compares messages recipients mark as spam against messages that reached the inbox. Mail already routed to spam is not counted, so the figure can understate true complaints.

The exact bounce

The "550 5.7.26 unauthenticated email" rejection comes from Gmail when a message fails to authenticate against the sending domain's DMARC policy. In a non-delivery report or SMTP transcript it reads: 

550-5.7.26 Unauthenticated email from example.com is not accepted due to
550-5.7.26 domain's DMARC policy. Please visit
550-5.7.26 https://support.google.com/mail/answer/81126#authentication for
550-5.7.26 more information.

The "not accepted due to domain's DMARC policy" wording is the form many senders have seen for years and still describes the cause well. Google's current SMTP error reference at knowledge.workspace.google.com now phrases the permanent 550 5.7.26 entry as "This email has been blocked because the sender is unauthenticated. Gmail requires all senders to authenticate with either SPF or DKIM," and attaches the older "not accepted due to domain's DMARC policy" line to the temporary 421 4.7.26 variant. Either way, the operative word is "unauthenticated". Gmail completed DMARC evaluation, found no aligned pass, and applied the From domain's policy.

A related rejection uses code 5.7.1: 

550-5.7.1 This message does not have authentication information or fails to
550-5.7.1 pass authentication checks. To best protect our users from spam, the
550-5.7.1 message has been blocked. Please visit
550-5.7.1 https://support.google.com/mail/answer/81126 for more information.

5.7.1 is a general policy and authentication code Gmail uses for more than one condition, so treat it as a starting point rather than a DMARC-specific signal. The embedded link to answer 81126 is Google's sender requirements page, which is the right place to start either way.

Why this happens: the 2024 bulk sender rules

Gmail and Yahoo published aligned sender requirements that took effect on February 1, 2024. Google's threshold for the full requirement set is sending more than 5,000 messages per day to Gmail accounts, per support.google.com/a/answer/81126. Yahoo's bulk sender program is aligned with Google's, documented at senders.yahooinc.com/best-practices, though Yahoo's published page does not restate the 5,000-per-day number.

For a bulk sender to Gmail, all of the following must hold. Yahoo requires the same authentication core for its bulk senders.

  • Publish SPF and DKIM for the sending domain. Google asks for a DKIM key of at least 1024-bit and recommends 2048-bit.
  • Publish a DMARC record on the From domain. The enforcement policy can be set to p=none.
  • The domain in the From: header must align with either the SPF domain or the DKIM domain.
  • For marketing or subscribed mail, support one-click unsubscribe with a List-Unsubscribe header and List-Unsubscribe-Post: List-Unsubscribe=One-Click. This mechanism is defined in RFC 8058; Yahoo names RFC 8058 on its page, while Google describes the headers without printing the RFC number.
  • Sending domains or IPs must have valid forward and reverse DNS (PTR) records.
  • Transmit over a TLS connection (stated by Google; Yahoo's published page does not restate a TLS requirement).
  • Keep the user-reported spam rate in Postmaster Tools below 0.10% and never reach 0.30% or higher (Google's wording). Yahoo states a 0.3% ceiling.

The 0.10% target and the 5,000-per-day number are Google's wording. Do not assume Yahoo publishes the same figures. Yahoo's page states only the 0.3% spam-rate ceiling.

Step 1: read the Authentication-Results

DMARC passes when at least one mechanism produces a pass that is in alignment. RFC 9989 section 5.3.5 puts it plainly: "If one or more of the Authenticated Identifiers align with the Author Domain, the message is considered to pass the DMARC mechanism check." Open a delivered or bounced copy of the message and read the Authentication-Results header the receiver stamped: 

Authentication-Results: mx.google.com;
  spf=pass smtp.mailfrom=bounce.vendor.net;
  dkim=pass header.d=vendor.net;
  dmarc=fail (p=NONE) header.from=example.com

This is an unaligned pass. SPF passed for bounce.vendor.net and DKIM passed for vendor.net, but the visible From domain is example.com. Neither authenticated identity shares an organizational domain with example.com, so neither aligns, and dmarc=fail. The visible From: domain is the Author Domain that DMARC aligns the authenticated identifiers against, per RFC 9989 section 3.2.10. If you do not have a copy of the message, paste raw headers into the email header analyzer to get the same verdict.

Step 2: confirm the From domain has a DMARC record

Query the _dmarc TXT record for the exact domain in the From: header. The _dmarc label is mandatory, per RFC 9989 section 4.7. 

dig +short TXT _dmarc.example.com
dig +short TXT _dmarc.example.com @1.1.1.1
nslookup -type=TXT _dmarc.example.com 8.8.8.8

A satisfying record can be as simple as monitoring mode: 

v=DMARC1; p=none; rua=mailto:[email protected]

If the query returns nothing, the From domain has no DMARC record and you will see Gmail's requirement fail on the policy condition. Build a valid record with the DMARC record generator, then read no DMARC record found for the publish steps.

Step 3: fix SPF and DKIM alignment

The bounce almost always traces to alignment, not to a missing record. SPF aligns when the MAIL FROM (envelope) domain shares an organizational domain with the From domain. DKIM aligns when the signature d= domain shares an organizational domain with the From domain. RFC 9989 section 3.2.10 defines both. Relaxed mode (the default for adkim and aspf) compares organizational domains; strict mode requires an exact match.

Confirm what each domain publishes: 

# SPF lives at the domain apex as a TXT record (RFC 7208 section 3.1)
dig +short TXT example.com @1.1.1.1

# DKIM needs the selector from the message's DKIM-Signature header
dig +short TXT selector1._domainkey.example.com @1.1.1.1

The fix depends on how the mail is sent:

  1. If the message is sent through an email service provider, authenticate your own domain inside that provider so DKIM signs with d=example.com and the Return-Path sits under your domain. This is the single most common fix. See ESP mail fails DMARC for the per-provider steps.
  2. If you send from your own infrastructure, add the sending IPs or includes to your SPF record, and enable DKIM signing on a selector under your domain.
  3. Send a fresh test message and confirm the new Authentication-Results shows an aligned pass, for example dkim=pass header.d=example.com with dmarc=pass.

You only need one aligned pass. RFC 9989 section 5.3.5 uses OR logic: an aligned SPF pass or an aligned DKIM pass is enough. DKIM alignment is the more durable target because it survives forwarding, while SPF does not.

Step 4: meet the rest of the bulk sender checklist

Authentication clears the 5.7.26 rejection, but bulk mail can still be blocked or filtered if the other requirements are missing. Confirm each one:

  • One-click unsubscribe. Marketing mail needs both headers. The minimum is a List-Unsubscribe URL plus the one-click post header.
  • Reverse DNS. Every sending IP needs a PTR record that resolves, and ideally forward-confirms back to the same IP.
  • Spam rate. Watch the user-reported spam rate in Postmaster Tools at gmail.com/postmaster. A sustained climb toward 0.30% will undo good authentication.

The headers for one-click unsubscribe look like this: 

List-Unsubscribe: <https://example.com/unsubscribe?id=abc>, <mailto:[email protected]>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Yahoo asks senders to honor unsubscribe requests within 2 days, per its best-practices page. A high complaint rate triggers a different failure mode, a temporary deferral rather than a 5.7.26 rejection. See high complaint rate deferrals if you are seeing 421 4.7.0 instead.

Validate the fix

After authenticating the domain inside your sending platform and updating DNS, wait at least one TTL, then re-check the published records: 

dig +short TXT _dmarc.example.com @1.1.1.1
dig +short TXT example.com @8.8.8.8

Run the From domain through the DMARC checker for a read-only posture snapshot of the published DMARC and SPF records. Then send a fresh message to a Gmail address you control and open the headers: you want an aligned spf=pass or dkim=pass and a dmarc=pass.

Do not retry the old bounced message to test. DMARC is evaluated at delivery time against the DNS and headers that exist for that new attempt, so only a fresh send proves the fix. If you want to confirm alignment per sending platform in minutes instead of waiting roughly a day for aggregate reports, the Inbox Inspector receives a real campaign at a seed address and evaluates SPF, DKIM, DMARC, alignment, and final disposition itself.

Was this page helpful? Send us feedback

Last updated: May 2026

Standards basis: Advice based on RFC 9989 for DMARC policy records, RFC 9990 for aggregate reports, and RFC 9991 for failure reports. Historical RFC 7489 behavior is called out where relevant.

← All guides Start now

Need expert help with email deliverability?

Hire an email deliverability consultant who has shipped billions of emails. Free assessment, hands-on engagement, written quote before any work starts.

Talk to a consultant