Common DMARC Errors for Outgoing Emails | EasyDMARC

DMARC Rejection Errors: 554 5.7.5 Permanent Error Explained

Last Modified on: August 28, 2025
4 Min Read
top image DMARC error

When sending email, you may face rejections such as 554 5.7.5 permanent error evaluating dmarc policy. These errors aren’t random. They mean your domain’s DMARC, SPF, or DKIM setup is broken. Most cases come down to DNS syntax issues or misalignment under DMARC enforcement.

Common Error Messages

You can see error messages like:
554 5.7.5 permanent error evaluating dmarc policy
remote server returned '554 5.7.5 permanent error evaluating dmarc policy'


451 4.7.5 temporary error evaluating dmarc policy
permanent error evaluating dmarc policy
email rejected per dmarc policy

Common SMTP error codes can start with 554, which means that the transaction has failed. It’s a permanent error, and the server will not try to send the message again.

These are the real-world error strings you’ll often see when DMARC fails:

  • 554 5.7.5 permanent error evaluating DMARC policy (generic across multiple providers)
dmarc 554 5.7.5 permanent error evaluating dmarc policy
  • 521 5.2.1 This message failed DMARC evaluation and is being refused due to provided DMARC policy (Google)
  • 550 5.7.1 Unauthenticated email from example.com is not accepted due to the domain’s DMARC policy (Google)

Important Notes:

  • You might also see “email rejected per DMARC policy” or “Unauthenticated email not accepted” variants depending on the receiving MTA.
  • Generic 550/554 rejections without DMARC in the string – those are often unrelated (spam blocks, RBL hits, etc.).

Why These Errors Happen

  • Invalid DNS syntax: bad quoting, missing semicolons, or wrong separators.
  • Policy enforced but not aligned: DMARC set to p=quarantine or p=reject while SPF/DKIM fail alignment.
  • Header From mismatch: From: [email protected] but MAIL FROM or DKIM d= points elsewhere.
  • SPF issues:
    • Missing sending IPs/hosts
    • Ending with ?all (neutral) instead of ~all or -all
    • Too many lookups (>10) → “permerror”
  • DKIM issues: Selector not published, key missing, or DKIM d= misaligned with From domain.

Troubleshooting Steps

  1. Validate DNS Records
    • DMARC’s Basic requirements:
      • The record must begin with “v=DMARC1” note that the DMARC version is required (Which is 1).
      • The policy should be the second value in the record and must be either p=none or p=quarantine or p=reject. (Also check for spelling errors).
      • Use of colons as separators instead of semicolons, or lack of semicolons between values.
      • Excess characters or bad quoting

    Example of an invalid DMARC Record:

    Unvallid DMARC Record

    Example of a Valid DMARC Record:

    how does a Valid DMARC Record look like?

    For the DMARC record, you can use our DMARC lookup tool to check if the record is valid. 

    • SPF: All authorized sources included, ends with ~all or -all. Avoid ?all.

    Update the SPF record with the valid IP addresses or the sources that are legitimate to send an email from, check if your record is set to neutral as you need softfail ~all or hardfail -all if you’re deploying DMARC.

    You can use our SPF lookup tool to check if your record is valid, Also check our EasySPF feature if you’re having DNS lookup limitations.

    • DKIM: Ensure selector record exists, TXT key is valid, and d= aligns with From domain.

    For DKIM make sure that the DKIM signature domain and sender (Header From) domain align, also check for errors in the record you can use our DKIM lookup tool to verify.

    2. Check Alignment

    DMARC passes only if SPF or DKIM both pass and align with the From domain.

    Example (Alignment Failure):

    Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of bounce@mailer.example.net designates 192.0.2.1 as permitted sender) [email protected];
    dkim=fail (bad signature) header.d=mailer.example.net;
    dmarc=fail (p=reject) header.from=example.com

    • SPF = pass (but MAIL FROM = mailer.example.net, not aligned with example.com)
    • DKIM = fail
    • DMARC = fail → 554/550 rejection

    Example (Alignment Pass)

    spf=pass (google.com: domain of [email protected] designates 203.0.113.10 as permitted sender) [email protected];dkim=pass header.d=example.com;dmarc=pass (p=reject) header.from=example.com

    • SPF = pass and aligned
    • DKIM = pass and aligned
    • DMARC = pass → message delivered

    3. Test and Monitor

    Key Takeaway

    A 554 5.7.5 rejection is not a “Gmail filter problem.” It’s DMARC enforcement doing its job. If your records are misconfigured, or alignment is broken, your email will be rejected.

    👉 Use EasyDMARC’s solution to validate SPF, DKIM, and DMARC.
    👉 Monitor reports to identify shadow IT and failing services.
    👉 Contact EasyDMARC Support if you need direct help fixing DNS or alignment issues.

    Various authors from EasyDMARC teams have contributed to our blog during company's lifetime. This author brings everyone together.
    Comments
    guest
    0 Comments
    Inline Feedbacks
    View all comments

    succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

    succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us