554 5.7.5 Permanent Error Evaluating DMARC Policy: How to Fix It

If your emails are bouncing with "554 5.7.5 permanent error evaluating DMARC policy," your email is being rejected because of a problem with your DMARC configuration. The receiving server tried to check your DMARC record but couldn't process it correctly.

This is a fixable problem. Here's how to diagnose and resolve it.

What This Error Means

The 554 5.7.5 error occurs when a receiving mail server encounters a problem evaluating your domain's DMARC policy. Unlike a DMARC failure (where authentication fails but the record is valid), this error means the server couldn't even read or interpret your DMARC record properly.

The full error typically looks something like:

554 5.7.5 Permanent error evaluating DMARC policy for example.com

When this happens, some mail servers reject the email entirely rather than risk delivering unauthenticated mail. Your legitimate emails get blocked even though the underlying issue is a configuration problem, not a security threat.

Common Causes

Malformed DMARC Record

The most common cause is a syntax error in your DMARC record. DMARC records follow a strict format, and even small mistakes can make the record unreadable.

Common syntax problems:

Missing version tag: Every DMARC record must start with v=DMARC1. Without it, the record is invalid.

# Wrong - missing version
p=reject; rua=mailto:dmarc@example.com

# Correct
v=DMARC1; p=reject; rua=mailto:dmarc@example.com

Invalid tag values: Using values that aren't allowed for a tag.

# Wrong - 'block' isn't a valid policy
v=DMARC1; p=block

# Correct - use 'reject' instead
v=DMARC1; p=reject

Malformed email addresses: The rua and ruf tags require properly formatted mailto: URIs.

# Wrong - missing mailto:
v=DMARC1; p=none; rua=dmarc@example.com

# Correct
v=DMARC1; p=none; rua=mailto:dmarc@example.com

Extra spaces or characters: Stray whitespace or special characters can break parsing.

Multiple DMARC Records

Your domain should have exactly one DMARC record. If there are multiple TXT records at _dmarc.yourdomain.com, some mail servers can't determine which one to use and throw an error.

This sometimes happens when:

  • Someone added a new record without removing the old one
  • DNS changes were partially applied
  • Multiple team members made changes independently

DNS Propagation Issues

If you recently updated your DMARC record, DNS changes may not have fully propagated. Different DNS servers might return different results, causing intermittent errors.

DNS propagation typically takes a few hours, but can take up to 48 hours in some cases.

DNS Lookup Failures

If the receiving server can't reach your DNS servers at all, it can't retrieve your DMARC record. This could be due to:

  • DNS server outages
  • Network connectivity issues
  • Misconfigured DNS hosting

Check DNS health

If you suspect DNS issues, verify your domain's DNS servers are responding correctly. Your domain registrar or DNS provider's status page can help.

How to Diagnose the Problem

Step 1: Check Your DMARC Record

Use a DMARC checker to see exactly what record is published for your domain. Look for:

  • Syntax errors or warnings
  • Multiple records
  • Missing required tags

The checker at the top of this page will show you your current record and flag common issues.

Step 2: Verify the Record Format

A valid DMARC record should follow this structure:

v=DMARC1; p=<policy>; [optional tags]

Required elements:

  • v=DMARC1 must come first
  • p= must be one of: none, quarantine, reject

Common optional tags:

  • rua=mailto:address@example.com - aggregate report destination
  • ruf=mailto:address@example.com - forensic report destination
  • sp= - subdomain policy
  • pct= - percentage of messages to apply policy to

Step 3: Check for Multiple Records

Look up your DMARC record directly in DNS. There should be only one TXT record at _dmarc.yourdomain.com. If you see multiple records, you need to remove the extras.
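
The format rules from Step 2 and the one-record rule from Step 3 can be checked mechanically. The Python below is an added example, not code from this page or from any DMARC tool; the function names and sample records are constructed for illustration, and the input is the list of TXT strings returned for _dmarc.yourdomain.com.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into ordered (tag, value) pairs."""
    pairs = []
    for part in record.strip().strip('"').split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        tag, sep, value = part.partition("=")
        pairs.append((tag.strip(), value.strip() if sep else None))
    return pairs

def check_record(record):
    """Return the problems found in one TXT string from _dmarc.<domain>."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    problems = [f"'{t}' is not a tag=value pair" for t, v in pairs if v is None]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= tag")
    for tag in ("p", "sp"):
        value = tags.get(tag)
        if value is not None and value.lower() not in VALID_POLICIES:
            problems.append(f"{tag}={value} is not none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in (tags.get(tag) or "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag} address {uri.strip()} lacks mailto:")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and int(pct) <= 100):
        problems.append(f"pct={pct} is not an integer from 0 to 100")
    return problems

def check_txt_set(txt_records):
    """Check everything published at _dmarc.<domain>, including the count."""
    report = {record: check_record(record) for record in txt_records}
    if len(txt_records) != 1:
        report["(record set)"] = [f"{len(txt_records)} TXT records, expected 1"]
    return report

# Constructed sample: two TXT strings at one _dmarc name, as left behind
# when a new record is added without removing the old one.
SAMPLE = ["p=reject; rua=mailto:dmarc@example.com",
          "v=DMARC1; p=block; rua=dmarc@example.com; pct=100"]

if __name__ == "__main__":
    for record, problems in check_txt_set(SAMPLE).items():
        print(record, "->", problems or "ok")
```

Running the same check on the corrected record before it is published in DNS catches the syntax problems listed earlier without waiting for a bounce.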

Step 4: Wait for Propagation

If you recently made changes, give DNS time to propagate. Check your record from multiple locations to see if it's consistent.

Step-by-Step Fix Guide

Fixing a Malformed Record

  1. Identify the syntax error using a DMARC checker
  2. Create a corrected version of the record
  3. Update the TXT record at _dmarc.yourdomain.com in your DNS
  4. Wait for propagation (typically 1-4 hours)
  5. Verify the fix with another DMARC check

If you're not sure how to structure your record, use DMARC Creator to generate a valid record.

Fixing Multiple Records

  1. Log into your DNS management console
  2. Navigate to your domain's DNS records
  3. Find all TXT records at _dmarc.yourdomain.com
  4. Delete all but one (keep the correct, most recent one)
  5. Wait for propagation
  6. Verify only one record exists

Fixing DNS Issues

  1. Check your DNS provider's status page for outages
  2. Verify your nameservers are correctly configured at your registrar
  3. Test DNS resolution from multiple locations
  4. Contact your DNS provider if issues persist

Preventing This Error

Once you've fixed the immediate problem, take steps to prevent it from happening again:

Use a DMARC generator: Tools like DMARC Creator ensure your record is correctly formatted.

Test before publishing: Validate your record syntax before adding it to DNS.

Document your configuration: Keep records of what your DMARC settings should be, so changes can be verified.

Monitor your DNS: Set up alerts for DNS record changes so you catch problems early.

Coordinate changes: Make sure everyone who might touch DNS knows to check with the team first.

Related Authentication Checks

DMARC depends on SPF and DKIM. While fixing your DMARC record, also verify:

  • Your SPF record is valid and includes all authorized senders
  • Your DKIM public keys are published correctly and match the keys used to sign your mail

Problems with SPF or DKIM can cause DMARC failures even when the DMARC record itself is correct.

Monitor Your DMARC Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
