When sending email, you may face rejections such as 554 5.7.5 permanent error evaluating dmarc policy. These errors aren’t random. They mean your domain’s DMARC, SPF, or DKIM setup is broken. Most cases come down to DNS syntax issues or misalignment under DMARC enforcement.
Common Error Messages
You can see error messages like:554 5.7.5 permanent error evaluating dmarc policy
remote server returned '554 5.7.5 permanent error evaluating dmarc policy'
451 4.7.5 temporary error evaluating dmarc policy
permanent error evaluating dmarc policy
email rejected per dmarc policy
Common SMTP error codes can start with 554, which means that the transaction has failed. It’s a permanent error, and the server will not try to send the message again.
These are the real-world error strings you’ll often see when DMARC fails:
- 554 5.7.5 permanent error evaluating DMARC policy (generic across multiple providers)
- 521 5.2.1 This message failed DMARC evaluation and is being refused due to provided DMARC policy (Google)
- 550 5.7.1 Unauthenticated email from example.com is not accepted due to the domain’s DMARC policy (Google)
Important Notes:
- You might also see “email rejected per DMARC policy” or “Unauthenticated email not accepted” variants depending on the receiving MTA.
- Generic 550/554 rejections without DMARC in the string – those are often unrelated (spam blocks, RBL hits, etc.).
Why These Errors Happen
- Invalid DNS syntax: bad quoting, missing semicolons, or wrong separators.
- Policy enforced but not aligned: DMARC set to p=quarantine or p=reject while SPF/DKIM fail alignment.
- Header From mismatch: From: [email protected] but MAIL FROM or DKIM d= points elsewhere.
- SPF issues:
- Missing sending IPs/hosts
- Ending with ?all (neutral) instead of ~all or -all
- Too many lookups (>10) → “permerror”
- Missing sending IPs/hosts
- DKIM issues: Selector not published, key missing, or DKIM d= misaligned with From domain.
Troubleshooting Steps
- Validate DNS Records
- DMARC’s Basic requirements:
- The record must begin with “v=DMARC1” note that the DMARC version is required (Which is 1).
- The policy should be the second value in the record and must be either p=none or p=quarantine or p=reject. (Also check for spelling errors).
- Use of colons as separators instead of semicolons, or lack of semicolons between values.
- Excess characters or bad quoting
Example of an invalid DMARC Record:
Example of a Valid DMARC Record:
For the DMARC record, you can use our DMARC lookup tool to check if the record is valid.
- SPF: All authorized sources included, ends with ~all or -all. Avoid ?all.
Update the SPF record with the valid IP addresses or the sources that are legitimate to send an email from, check if your record is set to neutral as you need softfail ~all or hardfail -all if you’re deploying DMARC.
You can use our SPF lookup tool to check if your record is valid, Also check our EasySPF feature if you’re having DNS lookup limitations.
- DKIM: Ensure selector record exists, TXT key is valid, and d= aligns with From domain.
For DKIM make sure that the DKIM signature domain and sender (Header From) domain align, also check for errors in the record you can use our DKIM lookup tool to verify.
2. Check Alignment
DMARC passes only if SPF or DKIM both pass and align with the From domain.
Example (Alignment Failure):
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of bounce@mailer.example.net designates 192.0.2.1 as permitted sender) [email protected];
dkim=fail (bad signature) header.d=mailer.example.net;
dmarc=fail (p=reject) header.from=example.com
- SPF = pass (but MAIL FROM = mailer.example.net, not aligned with example.com)
- DKIM = fail
- DMARC = fail → 554/550 rejection
Example (Alignment Pass)
spf=pass (google.com: domain of [email protected] designates 203.0.113.10 as permitted sender) [email protected];dkim=pass header.d=example.com;dmarc=pass (p=reject) header.from=example.com
- SPF = pass and aligned
- DKIM = pass and aligned
- DMARC = pass → message delivered
3. Test and Monitor
- Use EasyDMARC’s Header Analyzer to quickly check for Authentication and Alignment issues
- Monitor aggregate DMARC reports to catch unauthorized systems or failing services.
Key Takeaway
A 554 5.7.5 rejection is not a “Gmail filter problem.” It’s DMARC enforcement doing its job. If your records are misconfigured, or alignment is broken, your email will be rejected.
👉 Use EasyDMARC’s solution to validate SPF, DKIM, and DMARC.
👉 Monitor reports to identify shadow IT and failing services.
👉 Contact EasyDMARC Support if you need direct help fixing DNS or alignment issues.