Gmail error 550 5.7.26 "unauthenticated email" — how to fix it

The bounce reads something like: 550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. Since Gmail's 2024 sender requirements, this is one of the most common delivery failures on the internet — and it has a precise meaning: your message arrived with neither a passing SPF check nor a valid DKIM signature. Gmail no longer accepts such mail at any volume.

Updated July 13, 2026

What Gmail is actually checking

For all senders, Gmail requires at least one of SPF or DKIM to pass. For bulk senders (5,000+ messages/day to Gmail), it requires both, plus a DMARC record, aligned authentication, one-click unsubscribe on marketing mail, and a spam-complaint rate under 0.3%. A 5.7.26 bounce means you failed the baseline: neither method produced a pass.

Fix it in three checks

  1. SPF: run your domain through the SPF checker. No record, a second record, or a PermError all read as "no SPF" to Gmail. Publish one valid record that includes every service sending for you.
  2. DKIM: run the DKIM checker. If your sending service isn't signing with your domain, turn it on — for Google Workspace, Microsoft 365, or any major ESP, our setup guides show the exact steps and records.
  3. Verify end to end: send a message to the inbox test and confirm SPF and DKIM both pass with your domain, not your ESP's.

If it's intermittent

Bounces on some mail but not all usually mean multiple sending paths — the CRM authenticates, the billing system doesn't. Each stream needs its own authentication. A DMARC record at p=none with reporting is the systematic way to find the unauthenticated stream: the reports list every source sending as your domain and exactly what failed. Set up DMARC and the culprit shows up within days.

Common questions

I have SPF and DKIM but still get 5.7.26 — why?+

Having the records isn't the same as the message passing. Common gaps: mail sent from a server not in your SPF record, an SPF PermError (counts as no SPF), DKIM signing not actually enabled at the sender, or the message being sent through a path that bypasses your authenticated service. The inbox test shows what a receiver really sees.

Is 5.7.26 the same as landing in spam?+

No — it's harder. Spam-foldered mail was accepted; 5.7.26 mail is refused at the door and the sender gets the bounce. That's also the silver lining: you find out immediately instead of discovering low open rates weeks later.

Does this error mean Gmail thinks I'm a spammer?+

Not necessarily — it's a mechanical authentication check, not a reputation judgment. Fix SPF/DKIM and delivery resumes. But prolonged unauthenticated sending does erode domain reputation, so fix it promptly.