How do you fix “554 5.7.5 permanent error evaluating DMARC policy”?

Updated July 3, 2026

This bounce means the receiving server tried to look up and evaluate your DMARC policy and hit a permanent error: it couldn't make sense of what your DNS returned, so it rejected the message rather than guess.

Why this happens

The most common cause is multiple DMARC records. The standard allows exactly one TXT record starting with v=DMARC1 at _dmarc.yourdomain.com; if two exist (often because two people or two tools each “added DMARC”), receivers treat the lookup as a permanent failure. Some receivers ignore the domain's DMARC in that case, but stricter ones reject with 554 5.7.5.

A malformed record does it too: a typo like v=DMARC1 without the semicolon, an invalid tag, a policy value that isn't none/quarantine/reject, or a record accidentally published with quotes or whitespace mangled by the DNS host's control panel. The receiver fetches the record, can't parse it, and errors out.

The third cause isn't your record at all: it's DNS. If your nameservers time out, return SERVFAIL, or have broken DNSSEC signatures, the receiver's DMARC lookup fails. Some receivers retry later; others, in some configurations, return this permanent error. This variant comes and goes with your DNS provider's health.

How to fix it

  1. Check how many DMARC records you have

    Query the TXT records at _dmarc.yourdomain.com (dig txt _dmarc.yourdomain.com, or use our DMARC checker). If more than one record starts with v=DMARC1, that's your problem. Delete all but one.

  2. Validate the surviving record's syntax

    The record must start exactly with v=DMARC1; followed by a p= tag (none, quarantine, or reject), with tags separated by semicolons. Run it through our DMARC checker, which flags invalid tags, missing semicolons, and stray characters.

  3. Check the record is where receivers look

    The record lives at the host _dmarc (so _dmarc.yourdomain.com), not at the root and not at dmarc without the underscore. If you send from a subdomain, receivers also fall back to the organizational domain's record. Make sure whichever applies is clean.

  4. Test your DNS health

    If the record itself is fine, check for DNS-level failures: query from a few different networks, look for SERVFAIL responses, and if you use DNSSEC, validate the chain. Intermittent 554 5.7.5 bounces with a clean record point at flaky nameservers.

  5. Wait out the TTL and re-test

    After fixing DNS, old bad answers live in caches until the TTL expires. Re-send a test after the TTL window and confirm the bounce is gone, then re-run the checker to confirm exactly one valid record resolves.
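Steps 1 and 2 can be scripted. The following is an added example, not DMARCPath's checker code: it takes the TXT strings already returned for _dmarc.yourdomain.com (for instance, copied from dig output) and reports duplicates, stray quotes, invalid tags and bad p= values. The function name check_dmarc_answers and the sample records are constructed for illustration, and reporting unknown tags as errors is a strictness assumption of this example; it performs no DNS lookup itself.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# Tag names defined in RFC 7489; anything else is reported as invalid (assumption: strict).
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}


def check_dmarc_answers(txt_records):
    """Return (verdict, problems); verdict is "ok", "missing" or "permerror"."""
    # Anything mentioning DMARC1 is meant to be a DMARC record, even if mangled.
    lookalikes = [r for r in txt_records if "dmarc1" in r.lower()]
    if not lookalikes:
        return "missing", ["no DMARC record at this name"]
    records = [r for r in lookalikes if re.match(r"v\s*=\s*DMARC1\b", r)]
    problems = [f"does not start with v=DMARC1 (stray quotes or whitespace?): {r!r}"
                for r in lookalikes if r not in records]
    if len(records) > 1:
        problems.append(f"{len(records)} records start with v=DMARC1; only one is allowed")
    for record in records:
        tags = {}
        for i, part in enumerate(p.strip() for p in record.split(";")):
            if not part:
                continue  # a trailing semicolon is fine
            name, sep, value = (s.strip() for s in part.partition("="))
            if not sep or not value:
                problems.append(f"not a tag=value pair: {part!r}")
            elif i == 0 and (name, value) != ("v", "DMARC1"):
                problems.append(f"first tag must be exactly v=DMARC1, got {part!r}")
            elif name.lower() not in KNOWN_TAGS:
                problems.append(f"invalid tag: {name!r}")
            else:
                tags[name.lower()] = value
        policy = tags.get("p", "").lower()
        if policy not in VALID_POLICIES:
            problems.append(f"p= must be none, quarantine or reject, got {policy!r}")
    return ("permerror" if problems else "ok"), problems


# Constructed sample answers, one list per hypothetical domain.
SAMPLES = {
    "clean": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "duplicate": ["v=DMARC1; p=none", "v=DMARC1; p=reject;"],
    "no semicolon": ["v=DMARC1 p=none"],
    "literal quotes": ['"v=DMARC1; p=none"'],
}

if __name__ == "__main__":
    for label, answers in SAMPLES.items():
        print(label, check_dmarc_answers(answers))
```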

Verify the fix

Run the check that corresponds to this error. You'll see the same red/amber/green verdicts mailbox providers effectively apply.

Open the DMARC checker →

Preventing it next time

Duplicate and malformed DMARC records usually appear during unrelated DNS work: a migration, a new tool's setup wizard, a colleague pasting a second record. DMARCPath checks your DMARC record continuously and alerts you the moment it becomes invalid or duplicated, so you fix it within hours instead of discovering it through a week of bounced mail and confused customers.

Frequently asked questions

My DMARC record looks fine, so why am I still getting this bounce?
Check for a second record. Two syntactically perfect DMARC records are still a permanent error, and DNS control panels often show them on separate lines where a duplicate is easy to miss. If there's truly one valid record, suspect DNS timeouts or DNSSEC breakage.

Can I fix this by deleting my DMARC record entirely?
It might stop this specific bounce, but it's the wrong direction: Gmail and Yahoo now expect DMARC, and no record hurts deliverability broadly. Fix the record; don't remove it.

Does this error mean my SPF or DKIM is broken?
No. 554 5.7.5 is about evaluating your DMARC policy itself: the receiver failed before it ever weighed your SPF and DKIM results. Fix the DMARC record or DNS first, then check the rest.
