Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Sophos Email: Outbound emails bounced with '554 5.7.28 Mail flood detected'

Hi Everyone!

Are any of your Central Email protected email addresses getting their outbound emails bounced with '554 5.7.28 Mail flood detected' ?


Here's how it looks like in the Non-Delivery (NDR) email alert:

Behavior Info: By the way, this does not appear in Message History since the email is blocked at connection level. So the sender will only get an NDR email stating the above.


This is due to the affected email address sending a higher than normal amount of emails out to the Internet which makes Central Email think that there is a mail flood.

This KB article below shows the amount of emails a standard user can send within a 10-minute and a 24-hour period compared to a user with bulk sender privileges:


So, If the email address is not meant to send bulk emails then we recommend getting this investigated on the sender side.

If it is meant to send this amount of emails, then you can request for it to have "bulk sender privileges". This can be done by following the instructions in this link:

Please note that Sophos will review the request within 72 hours. During this period, one of the things below may be done to reduce the impact to the affected account:

  1. Send outbound emails at a lower rate per minute/hour as specified in the KB article
  2. Disable outbound scanning within Central Email. Note that this means you will have to configure your email server to send directly to the Internet.
  3. If #2 cannot be done since all of the outbound emails will be affected, another option is to create a send connector in the email server so that when outbound emails are coming from the email address, it will not be sent to the Central Email server but directly to the Internet. 

!!! For options 2 and 3 above, please make sure that you configure your public DNS so that it also provides for sender authentication technologies like SPF, DKIM, and DMARC if your domain is taking part on any of them. 

Edited title
[edited by: Raphael Alganes at 8:51 AM (GMT -8) on 11 Jan 2024]