Fix NDR 550 5.1.1: Recipient Resolution and Routing Checklist

Complete diagnostic guide for "550 5.1.1 Recipient rejected" errors. Root causes include invalid recipients, directory sync lag, and mail attribute misconfigurations. Systematic remediation with safe rollback.

⚠️ Business Consequence: Why This Matters

  • Financial Impact: Client-facing emails rejected = lost sales ($2K–$15K per missed opportunity)
  • Compliance Exposure: Failed audit notifications = regulatory violations (HIPAA/SOX: $10K–$50K+ penalties)
  • Operational Risk: Critical vendor/partner communications bouncing back undetected
  • Reputation Impact: Persistent NDRs damage sender reputation, future email deliverability at risk

Average diagnosis time: 15–20 minutes — prevents extended delivery failures.

⚡ TL;DR: Quick Resolution for NDR 550 5.1.1

  • What breaks: Exchange can't find the recipient mailbox—directory sync lag, typo in email address, mailbox soft-deleted, or SMTP proxy mismatch.
  • Confirm: Run Get-Recipient user@domain.com in PowerShell. If empty, recipient doesn't exist in directory. Check message trace for "RESOLVER.ADR.RecipNotFound". Diagnosis time: 2-3 minutes.
  • Fastest fix: Verify email address spelling, force AAD Connect sync if hybrid (Start-ADSyncSyncCycle -PolicyType Delta), or restore soft-deleted mailbox if within 30 days. Time to resolution: 5-15 minutes.
  • Decision matrix: Typo → Resend with correct address. Sync lag → Force sync and wait 5 min. Soft-deleted → Restore via Undo-SoftDeletedMailbox. Unknown user → Verify in on-prem AD.
  • Rollback: No rollback needed—this is recipient validation, not configuration change. See health check for directory sync status.

Symptom Definition

Senders receive NDR with error code:

550 5.1.1 The email account that you tried to reach does not exist. Please double-check the recipient's email address and try again.

This means:

  • The recipient email address has a valid format, but no mailbox was found in the directory
  • This is not a temporary error (will not succeed on retry)
  • Mail was accepted by EOP, rejected by tenant
  • Scope can be: single recipient, all recipients in a domain, or distribution list

Exact Error Messages

Standard NDR message:

550 5.1.1 The email account that you tried to reach does not exist. Please double-check the recipient's email address and try again.

Variations (same root cause):

550 5.1.1 RESOLVER.ADR.RecipNotFound
550 5.1.1 user unknown
550 5.1.2 bad destination mailbox address

Root Causes & Conditions

  • New mailbox not yet synced: User created in on-premises, not yet replicated to Exchange Online
  • Directory sync stopped or lagged: AAD Connect not running, or sync interval too long (>1 hour)
  • Mailbox SMTP address mismatch: User created in Office 365 directly, but PrimarySmtpAddress doesn't match send-as address
  • Mailbox soft-deleted: User mailbox was deleted but not yet purged from directory (recoverable for 30 days)
  • Distribution list missing members: DL exists but no members provisioned in Exchange Online
  • Recipient filter excluded user: Recipient filtering policy is hiding the user from address book
  • Mail attribute missing: ProxyAddress or mail attribute not populated during sync
  • Mailbox type wrong: User is marked as "MailUser" instead of "UserMailbox"

What NOT to Do

  • ❌ Do not recreate the mailbox until you've checked if it's in soft-delete state (recovery is possible)
  • ❌ Do not disable directory sync to fix this (will create more mismatches)
  • ❌ Do not change the recipient's SMTP address before checking for external forwarding rules that depend on old address
  • ❌ Do not force-delete a soft-deleted mailbox without 30-day backup confirmation
  • ❌ Do not modify recipient filters in bulk (only add/remove specific users)

Diagnostic Steps

Step 1: Confirm Recipient Does NOT Exist (2 min)

Check if mailbox exists:

Get-Mailbox -Identity "user@yourdomain.com" -ErrorAction SilentlyContinue

If command returns nothing → mailbox truly does not exist. Go to Step 2.

If command returns a mailbox → mailbox exists but is misconfigured. Go to Step 5.

Step 2: Check Directory Sync Status (3 min)

If using hybrid (on-premises + Exchange Online):

Get-ADUser -Identity "user_logon_name"

If user exists on-premises → sync is incomplete. Check sync status:

Get-MsolCompanyInformation | Select-Object LastDirSyncTime

If LastDirSyncTime is more than 1 hour ago → force sync immediately (see Rollback 1).

If user does NOT exist on-premises → user was created directly in Office 365. Go to Step 3.

Step 3: Check SMTP Address Consistency (3 min)

For users created directly in Office 365:

Get-User -Identity "user@yourdomain.com" | Select-Object Identity, PrimarySmtpAddress, ExternalEmailAddress

Check if PrimarySmtpAddress matches the address being sent to.

If mismatch → update PrimarySmtpAddress (see Rollback 2).

If match → go to Step 4.

Step 4: Check for Soft-Deleted Mailbox (5 min)

If mailbox was recently deleted:

Get-Mailbox -SoftDeletedMailbox -Identity "user@yourdomain.com"

If found → mailbox can be recovered (within 30 days). See Rollback 3.

If not found → mailbox is permanently deleted or never existed.

Step 5: Check Mailbox Properties (5 min)

If mailbox does exist but NDR still returned:

Get-Mailbox -Identity "user@yourdomain.com" | Select-Object RecipientType, RecipientTypeDetails, PrimarySmtpAddress

Expected: RecipientTypeDetails = "UserMailbox" AND PrimarySmtpAddress is set

If RecipientTypeDetails is "MailUser" (not "UserMailbox") → mailbox is misconfigured. See Rollback 4.

If no PrimarySmtpAddress → add it (see Rollback 2).

Step 6: Check Recipient Filter Policy (3 min)

Verify user is not filtered out:

Get-User -Identity "user@yourdomain.com" | Select-Object HiddenFromAddressListsEnabled

If True → user is hidden. Set to False (see Rollback 5).
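
The Step 1 to Step 6 decision flow as a single function, added here as an illustration; it is not part of the original guide or of any Microsoft module. Get-Ndr511Diagnosis and its parameter names are hypothetical, and the function only classifies facts you pass in, so it runs without a tenant connection on the constructed sample cases.

```powershell
# Added example. Get-Ndr511Diagnosis and its parameter names are hypothetical.
function Get-Ndr511Diagnosis {
    param(
        [Parameter(Mandatory)][string]$SentTo,  # address taken from the NDR
        $Mailbox,                          # Step 1/5: Get-Mailbox or Get-Recipient result, or $null
        $User,                             # Step 3: Get-User result, or $null
        $SoftDeleted,                      # Step 4: soft-deleted mailbox, or $null
        [bool]$OnPremUserExists,           # Step 2: Get-ADUser found the account
        [Nullable[datetime]]$LastDirSync,  # Step 2: last directory sync time
        [datetime]$Now = (Get-Date)
    )
    $result = { param($pattern, $action)
        [pscustomobject]@{ SentTo = $SentTo; Pattern = $pattern; Action = $action } }

    if ($Mailbox) {  # Step 1 found a mailbox: check its properties (Steps 5 and 6)
        if ($Mailbox.RecipientTypeDetails -eq 'MailUser') {
            return & $result 'MailUser instead of UserMailbox' 'Rollback 4' }
        # A missing PrimarySmtpAddress also fails this comparison.
        if ($Mailbox.PrimarySmtpAddress -ne $SentTo) {
            return & $result 'SMTP address mismatch' 'Rollback 2' }
        if ($Mailbox.HiddenFromAddressListsEnabled) {
            return & $result 'User hidden from address list' 'Rollback 5' }
        return & $result 'Mailbox exists and looks correct' 'Escalate'
    }
    if ($OnPremUserExists) {  # Step 2: account is on-premises but not in the cloud
        # Assumption: an unknown sync time is treated like a stale one.
        if ($null -eq $LastDirSync -or ($Now - $LastDirSync).TotalHours -gt 1) {
            return & $result 'Directory sync lag' 'Rollback 1' }
        # Assumption: the page does not cover a recent sync that missed the user.
        return & $result 'Sync recent, user still missing' 'Recheck after next sync'
    }
    if ($User -and $User.PrimarySmtpAddress -ne $SentTo) {  # Step 3
        return & $result 'SMTP address mismatch' 'Rollback 2' }
    if ($SoftDeleted) {  # Step 4
        return & $result 'Soft-deleted mailbox' 'Rollback 3' }
    & $result 'Permanently deleted or never existed' 'Verify address spelling'
}

# Constructed sample facts (not tenant data); live values come from the Step 1-6 cmdlets.
$now = Get-Date '2024-05-01 12:00'
$cases = @(
    @{ SentTo = 'new.hire@yourdomain.com'; OnPremUserExists = $true
       LastDirSync = $now.AddHours(-3) }
    @{ SentTo = 'partner@yourdomain.com'
       Mailbox = [pscustomobject]@{ RecipientTypeDetails = 'MailUser' } }
    @{ SentTo = 'leaver@yourdomain.com'; SoftDeleted = [pscustomobject]@{ Name = 'leaver' } }
)
$cases | ForEach-Object { $c = $_; Get-Ndr511Diagnosis @c -Now $now } | Format-Table -AutoSize
```

Against a live tenant, pass the output of the Step 1 to Step 6 commands in place of the constructed objects.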

Root Cause Patterns

Root cause patterns for NDR 550 5.1.1 with evidence and fixes

| Pattern | Diagnostic Evidence | Fix |
|---|---|---|
| Directory sync lag | User exists in on-premises AD, not in O365, last sync >1h ago | Force delta sync |
| SMTP address mismatch | Get-Mailbox shows different PrimarySmtpAddress than sent-to address | Set-Mailbox correct PrimarySmtpAddress |
| Soft-deleted mailbox | Get-Mailbox -SoftDeletedMailbox returns result | Restore the mailbox (see Rollback 3) |
| MailUser instead of UserMailbox | RecipientTypeDetails shows "MailUser" | Convert to UserMailbox (requires license) |
| User hidden from address list | HiddenFromAddressListsEnabled = True | Set-User -HiddenFromAddressListsEnabled $false |

Safe Remediation (Rollback)

Rollback 1: Force Directory Sync

  1. On AAD Connect server: Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta
  2. Monitor sync progress in AAD Connect UI
  3. Once complete, wait 5 minutes for replication
  4. Test by sending mail to the newly synced user

Rollback 2: Set Primary SMTP Address

  1. Set-Mailbox -Identity "user@yourdomain.com" -PrimarySmtpAddress "correct@yourdomain.com"
  2. Wait 5 minutes for change to replicate
  3. Test by sending mail to the user

Rollback 3: Restore Soft-Deleted Mailbox

  1. New-MailboxRestoreRequest -SourceMailbox "SoftDeletedMailbox" -TargetMailbox "user@yourdomain.com" -AllowLegacyDNMismatch
  2. Monitor restore progress
  3. Once complete, verify mailbox is active and accessible

Rollback 4: Convert MailUser to UserMailbox

  1. Ensure user has Exchange Online license assigned
  2. Enable-Mailbox -Identity "user@yourdomain.com"
  3. Wait 2 hours for mailbox to be fully provisioned
  4. Verify RecipientTypeDetails is now "UserMailbox"

Rollback 5: Unhide User from Address List

  1. Set-User -Identity "user@yourdomain.com" -HiddenFromAddressListsEnabled $false
  2. Wait 5 minutes for replication
  3. Test mail delivery to the user

When to Escalate

  • Mailbox exists, SMTP address is correct, but NDR persists
  • Directory sync is stuck for >2 hours
  • Soft-deleted mailbox restore fails