DMARC Errors For Outgoing Emails (554 5.7.5 permanent error)

    Users can face many DMARC errors when sending an email. Most of them are related to a syntax error in the DNS records and some could even be a temporary or a one-off error.

    Common SMTP error codes can start with 554 which means that the transaction has failed. It’s a permanent error and the server will not try to send the message again.

    Here’s an example of what a DMARC error message could look like.

    554 5.7.5 permanent error evaluating dmarc policy (Protonmail)

    dmarc 554 5.7.5 permanent error evaluating dmarc policy

    521 5.2.1 This message failed DMARC Evaluation and is being refused due to provided dmarc Policy (Google)

    550 5.7.1 Unauthenticated email from is not accepted due to the domain’s dmarc policy (Google)

    550 5.7.1 Policy rejection on the target address (Yandex)

    All these failures are caused by DMARC errors. Usually, this is due to the adoption of DMARC practices.

    Troubleshooting DMARC Errors For Outgoing Emails

    1- The first step would be to check if your DNS records (DMARC, SPF and DKIM) are valid and don’t have any syntax errors, like missing or extra characters, bad record contents.

    DMARC’s Basic requirements:

    • The record must begin with “v=DMARC1” note that the DMARC version is required (Which is 1).
    • The policy should be the second value in the record and must be either p=none or p=quarantine or p=reject. (Also check for spelling errors).
    • Use of colons as separators, instead of semicolons, or lack of semicolons between values.
    • Excess characters or bad quoting

    Example of an invalid DMARC Record:

    Unvallid DMARC Record

    Example of a Valid DMARC Record:

    how does a Valid DMARC Record look like?

    For the DMARC record, you can use our DMARC lookup tool to check if the record is valid. 

    Update the SPF record with the valid IP addresses or the sources that are legitimate to send an email from, check if your record is set to neutral as you need softfail ~all or hardfail -all if you’re deploying DMARC.

     You can use our SPF lookup tool to check if your record is valid, Also check our EasySPF feature if you’re having DNS lookup limitations.

    For DKIM make sure that the DKIM signature domain and sender (Header From) domain align, also check for errors in the record you can use our DKIM lookup tool to verify.

    2- Configure the ‘FROM’ field that is used to send the email should match the ‘MAIL FROM’ for the email to be DMARC compliant and successfully send emails without rejection.

    3- Contact our DMARC specialists for further support on this matter at [email protected]

    Learn about SPF, DKIM, DMARC, Subscribe to our newsletter.


      We're glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.