Usually, setting up a DMARC record is a piece of cake.
However, due to its technical nature, some issues may arise.
If you get the error message “554 5.7.5 Permanent Error Evaluating DMARC Policy” we’ll explain how to solve it below. ⬇️
When creating a DMARC record, it's easy to unintentionally add an unnecessary character or two that doesn't catch your attention at first.
Look closely at your DMARC record to ensure it does not contain extra quotation marks, spaces, periods, or other redundant characters.
Check the following two DMARC records. Only one of them is valid. Let’s see if you can spot the wrong one.
v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com;
v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com.;
The incorrect DMARC record is the second one.
Why? There’s an additional period after “yourdomain.com” that would render the record invalid.
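A small linter for the kind of stray-character mistakes described above, as an added example that is not part of the original article. The function name `lint_dmarc` is hypothetical, the quoted sample is constructed, and the check covers only a subset of DMARC syntax (version, policy, and `mailto:` report addresses).

```python
import re

# Hostname syntax: no empty labels, so a trailing "." after the TLD is rejected.
_DOMAIN = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")
_LOCAL = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+")
_POLICIES = {"none", "quarantine", "reject"}


def lint_dmarc(record):
    """Return a list of problems in a DMARC TXT value; an empty list means clean."""
    problems = []
    if record != record.strip():
        problems.append("leading or trailing whitespace")
    if any(q in record for q in '"\u201c\u201d'):
        problems.append("quotation mark inside the record value")
    parts = [p.strip() for p in record.strip().split(";")]
    if parts[-1] == "":
        parts.pop()  # one trailing ";" is permitted
    tags = {}
    for part in parts:
        name, sep, value = (s.strip() for s in part.partition("="))
        if not (sep and name and value):
            problems.append(f"malformed tag: {part!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in _POLICIES:
        problems.append("p= must be none, quarantine or reject")
    for name in ("rua", "ruf"):
        for uri in filter(None, tags.get(name, "").split(",")):
            uri = uri.strip()
            address = uri[7:].split("!")[0]  # drop optional size limit, e.g. "!10m"
            local, _, domain = address.rpartition("@")
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{name}: only mailto: URIs are checked here: {uri!r}")
            elif not (_LOCAL.fullmatch(local) and _DOMAIN.fullmatch(domain)):
                problems.append(f"{name}: invalid report address {address!r}")
    return problems


# The two records from the article, plus a constructed one pasted with quotes.
GOOD = "v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com;"
BAD = "v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com.;"
QUOTED = '"v=DMARC1; p=reject;"'

if __name__ == "__main__":
    for rec in (GOOD, BAD, QUOTED):
        print(rec, "->", lint_dmarc(rec) or "OK")
```

Run it against the exact string published in DNS (for example, the TXT value returned for `_dmarc.yourdomain.com`), not the text typed into the DNS provider's form, since some control panels add or strip quotes themselves.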
Your SPF record should specify which email servers are authorized to send email through your domain.
A neutral SPF record does not specify any authorized mail servers.
It basically leaves the decision up to the receiving mail server.
SPF neutrality is achieved by adding the ?all tag to the record.
A neutral SPF record can be useful for new domains for SPF authentication troubleshooting, but it doesn’t offer any security and may be the reason for the permanent error to occur.
Instead of using the tag above, use:
A well-configured DKIM record ensures that an email’s content cannot be tampered with during transit.
A mismatch indicates a misalignment between the domain in the DKIM signature and the domain from which the email is being sent.
This could be due to a misconfiguration, but it could also be more malicious, for example, in cases where cybercriminals have tampered with the email.
The only way to know whether this is the reason you're getting the DMARC error is to check and verify your DKIM. Ensure that the correct domain is in the “d=” tag.
Email forwarding may also cause this issue. If the email is being forwarded before reaching the recipient's domain, it’s essential that the DKIM signature gets updated correctly.
The 554 5.7.5 Permanent Error prevents you from sending emails.
While you investigate what’s happening with your DMARC authentication, set your DMARC policy to “p=none”.
This will let all emails pass through, and thus, not offer any protection, but it will allow you to send emails while you get to the bottom of the issue.
This setting is also recommended as a starting point when implementing DMARC for the first time.
It allows you to monitor what happens to your emails (do they fail authentication, and why?) through the reports the DMARC mechanism sends you.
Some ESPs use their own SPF and do not allow you to use yours.
This could cause the 554 5.7.5 permanent error.
The best way to find out is to ask your ESP if they allow custom SPF authentication.
If they don’t, consider changing email service providers. A provider that won't let you authenticate your sending domain is unlikely to get you reasonable open rates.
Sometimes the problem is not on your side and instead the receiving server’s DMARC policies are causing the error.
However, it's important to rule out the other potential causes above before considering this.
If indeed the receiving server is causing the problem, consider discussing this with the recipient.
In the end, it’s also in their best interest that emails get through correctly.
The “554 5.7.5 Permanent Error Evaluating DMARC Policy” can be a nuisance.
However, not taking care of this can be costly and cause security and deliverability issues.
Fortunately, armed with the potential solutions above and a little patience, it shouldn’t be hard to fix this and restore proper DMARC policy evaluation.