ACS Email to iCloud rejected 554 5.7.1 [BS01] - shared pool IP reputation / PTR

Abdessamade Abarchihi 0 Reputation points
2026-06-08T23:05:53.77+00:00

ACS Email to iCloud/Apple addresses (@iclXXX.com, @XX.com) is rejected with:

554 5.7.1 [BS01] Message rejected due to local policy

(https://support.apple.com/en-us/HT204137)

This is affecting real production users who cannot receive invite/credential emails.

Our prod sender domain mail.XXrtialaXXX.com is fully verified in ACS:

  • SPF: Verified
  • DKIM selector1-azurecomm-prod-net: Verified
  • DKIM2 selector2-azurecomm-prod-net: Verified
  • Domain ownership: Verified
  • DMARC: p=none, passing

Sender: ******@mail.XartiaXXXXX.com

Recipient domain: iclXXX.com

Sample bounce date: 2026-06-0X

Since SPF/DKIM/DMARC all pass, this looks like a shared-pool sending IP

reputation / PTR reverse-DNS issue with Apple.

Requests:

  1. Check PTR / reverse-DNS alignment for our ACS sending IPs.
  2. Investigate and repair the shared-pool IP reputation with Apple, including delisting if applicable.
  3. Confirm whether a dedicated IP / dedicated sending option is available for ACS Email, or if iCloud reputation is only fixable via shared-pool remediation.

This is a production-impacting deliverability issue. Please escalate to the ACS

email deliverability team / a support case, as this requires investigation of

Microsoft-controlled shared-pool IPs and PTR records that we cannot action ourselves.

Azure Communication Services

1 answer

Sort by: Most helpful
  1. AI answer

    2026-06-08T23:06:11.79+00:00

    554 5.7.1 rejections at iCloud with SPF/DKIM/DMARC passing are consistent with recipient-side reputation or policy checks, including reverse DNS (PTR) and shared IP reputation. For Azure Communication Services (ACS) Email, PTR and outbound IP reputation are controlled by the service and not configurable per tenant.

    From the available information:

    1. Reverse DNS / PTR and reputation
      • Reverse DNS (PTR) is a common additional anti-spam check. If the sending IP’s PTR doesn’t align with the HELO/EHLO or visible domain, or if the IP has poor reputation, some providers return 5.7.x policy errors.
      • ACS documents 5.7.25 “Reverse DNS Validation Failed” as a bounce reason when a recipient rejects based on reverse DNS: the guidance is to verify reverse DNS settings, but in ACS these are managed by the platform, not by the customer.
      • Similarly, 5.7.26 “Multiple Authentication Checks Failed” and the “reputation-issues” bounce category indicate that even with correct SPF/DKIM/DMARC, recipient systems can still block based on IP/domain reputation or local policy.
      • There is no documented mechanism in ACS for customers to view or change PTR records or directly remediate shared-pool IP reputation with specific providers such as Apple.
    2. What can be done from the tenant side
      • Ensure all DNS authentication is correct and stable (which is already the case in this scenario):
        • SPF record present and passing.
        • DKIM selectors configured and verified.
        • DMARC record present; even with p=none, it signals policy and alignment.
      • Avoid repeated sends to invalid or bouncing addresses, as ACS notes that repeated bounces and poor list hygiene negatively affect sender reputation.
      • Monitor bounce codes from ACS for affected iCloud recipients to see whether they map to ACS-documented categories like 5.7.25 (reverse DNS), 5.7.26 (multiple checks), or “reputation-issues.” This helps support triage.
    3. Required next step: support escalation
      • Because ACS uses Microsoft-controlled shared outbound IPs and manages PTR records centrally, investigation of:
        • Actual sending IPs used for this tenant’s traffic to iCloud.
        • PTR alignment for those IPs.
        • Their reputation status with Apple and any delisting or remediation.
      • must be performed by the ACS service team via a support case.
      • The documented guidance for reputation-related and DMARC/SPF/DKIM-related issues in Microsoft SaaS email products is to open a support ticket when configuration is correct but bounces persist, so that engineering can review logs, IPs, and provider-specific blocks.
    4. Dedicated IP / dedicated sending option
      • The provided material for ACS Email focuses on shared-pool reputation management and bounce handling; it does not document a dedicated IP or dedicated-sending feature for ACS Email, nor any customer-facing control over outbound IP selection.
      • As a result, improving iCloud deliverability in this case depends on shared-pool remediation by the ACS team rather than tenant-side PTR or IP changes.

    Actionable path:

    1. Collect recent bounce samples from ACS for icloud.com recipients, including full SMTP response and timestamps.
    2. Open an Azure support ticket for Azure Communication Services Email, attach the samples, and explicitly request:
      • Review of sending IPs used for mail.martialapps.com to iCloud.
      • Verification of PTR / reverse DNS alignment for those IPs.
      • Reputation and block status with Apple and any required delisting/remediation.
    3. Ask support to confirm whether any ACS feature for dedicated IPs exists for the subscription; if not, rely on shared-pool remediation.

    This aligns with ACS guidance that reputation, reverse DNS failures (5.7.25), and broader “reputation-issues” bounces require additional investigation and support involvement once DNS authentication is correctly configured.


    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.