All posts
Email

Resolving the "554 5.7.5 Permanent Error Evaluating DMARC Policy" Issue: A Comprehensive Guide

July 2, 2024

Facing a "554 5.7.5 Permanent Error Evaluating DMARC Policy" error when sending emails? Been there before. It’s a major bummer. Here’s our guide to help you fix it.

This error can hinder the successful delivery of emails, potentially impacting your reach, marketing efforts, and transactional emails with customers, vendors, and teammates. Basically, it can create a mess. In this comprehensive guide, we will delve into the reasons behind this error and provide effective solutions to resolve it.

To scan and troubleshoot your DMARC policy, feel free to use our Email Deliverability Score Tool 🔧

Palisade Email Deliverability Score Tool

Understanding the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error

What is the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error?

Before we dive into resolving the issue, it is crucial to understand the nature of the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error. This error occurs when the recipient's server fails to evaluate the DMARC policy for incoming emails correctly. As a result, the recipient server may reject or mark the email as spam, preventing it from reaching the intended recipient.

Importance of resolving the issue quickly

Resolving the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue promptly is vital for several reasons. First and foremost, it ensures that your business emails reach the intended recipients without disruption. Additionally, resolving the error helps maintain your brand's reputation and prevents your domain from being flagged as spam. By addressing the issue, you demonstrate a commitment to email security and foster trust among your customers and business partners.

Reasons behind 554 5.7.5 Permanent Error Evaluating DMARC Policy

Impact of SPF and DKIM on DMARC policy evaluation

DMARC relies on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for email authentication. SPF verifies the sender's IP address, while DKIM verifies the integrity of the email's content. Both SPF and DKIM records need to be correctly configured to ensure accurate DMARC policy evaluation.

Incorrect SPF Record

SPF (Sender Policy Framework) is another critical component of email authentication that affects DMARC policy evaluation. An incorrect SPF record can contribute to the occurrence of the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error.‍

Understanding SPF and its role in email authentication

SPF helps verify that the sender's IP address is authorized to send emails on behalf of a specific domain. The SPF record is a DNS TXT record that lists the IP addresses or hostnames authorized to send emails for the domain. When an email is received, the recipient server checks the SPF record to ensure that the sender is authorized to send emails for the given domain.

Importance of correctly configuring SPF records

Misconfigured SPF records, such as missing or incorrect entries, can lead to email authentication failures and trigger the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error. It is crucial to ensure that the SPF record is accurately configured to include all authorized senders.

Impact of misconfigured SPF records on DMARC policy evaluation

DMARC policy evaluation heavily relies on SPF records. Misconfigured SPF records can result in failed authentication, leading to DMARC policy failures and triggering the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue.

SPF Record Checker Tool 🔧

SPF Checker Tool - Palisade

Incorrect DKIM Email Authentication Record

DKIM, an email authentication method, plays a crucial role in DMARC policy evaluation. An incorrect DKIM record can trigger the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. It is essential to understand the significance of DKIM and address common issues associated with DKIM authentication.‍

Definition and significance of DKIM

DKIM adds a digital signature to outgoing emails, allowing the recipient server to verify the email's authenticity. This signature is added as a DKIM signature header field in the email's header. The recipient server uses the public key published in the DNS to validate the DKIM signature, ensuring the email has not been modified during transit.‍

Common issues with DKIM authentication

Various issues can arise with DKIM authentication, leading to the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error. One common issue is a mismatch between the "d=" tag in the DKIM signature and the sending domain. It is essential to ensure that the DKIM signature aligns with the domain from which the email i

Mismatch between "d=" tag and sending domain

A mismatch between the "d=" tag in the DKIM signature and the sending domain can result in failed authentication. Ensure that the DKIM signature aligns with the domain from which the email is sent to prevent authentication errors.‍

D‍KIM Checker Tool 🔧

DKIM Checker Tool - Palisade

Incomplete DMARC Settings

Incomplete or misconfigured DMARC settings can lead to the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol. Incomplete DMARC settings may include not specifying the policy (p=none, p=quarantine, or p=reject) or failing to include the necessary SPF and DKIM records.

For additional insights on DMARC policies, consider exploring the resources available at Global Cyber Alliance.

Explanation of p=none and p=quarantine/reject policies

The DMARC policy specifies how email servers should handle messages that fail authentication. The policy can be set to p=none, p=quarantine, or p=reject:

  • The p=none policy allows emails to pass even if they fail authentication.
  • The p=quarantine policy directs emails that fail authentication to the spam or quarantine folder
  • The p=reject policy outright rejects the email.

DMARC checker tool 🔧

DMARC Checker Tool - Palisade

Wrong Policy on Recipient Side

In addition to the sender's DMARC policy, the recipient server's policies can also impact DMARC evaluation. It is essential to understand how the recipient server's policies influence the evaluation process and how to ensure proper configuration for successful DMARC policy evaluation.‍

How the recipient server's policies can affect DMARC evaluation

The recipient server may have its own policies and settings that impact DMARC evaluation. These policies can include rules for handling emails that fail authentication, such as redirecting them to the spam folder or rejecting them altogether. Understanding and aligning with the recipient server's policies is crucial for successful DMARC policy evaluation.

Ensuring proper configuration to pass policy evaluation on the recipient side

To ensure successful DMARC policy evaluation on the recipient side, it is essential to comply with the recipient server's policies. This may involve collaborating with the recipient to understand their policies and aligning your email authentication settings accordingly.‍

Collaboration with the recipient to evaluate their own DMARC policies

Engaging in a collaborative approach with the recipient can help resolve the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue.

How to Fix 554 5.7.5 Permanent Error Evaluating DMARC Policy

To fix your “554 5.7.5 Permanent Error Evaluating DMARC Policy” problems, you will need to look at each at your SPF, DKIM, DMARC record and troubleshoot them one by one, in that order, to make sure everything is well configured and aligned.

Verify your Authorized Senders List Record (SPF Record)

SPF Record Checker Tool - Palisade

Change or Create Your SPF Record

Having a neutral SPF record (or no SPF record) can contribute to the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. Changing the SPF record to an appropriate setting can help resolve the problem.

The importance of having an appropriate SPF record

An appropriate SPF record helps authenticate your emails and ensures they are not marked as spam or rejected by the recipient server. A neutral SPF record does not specify any authorization, which can lead to authentication failures.‍

Risks associated with a neutral SPF record

A neutral SPF record does not provide explicit authorization for email sending sources. This lack of authorization can lead to email authentication failures and trigger the "554 5.7.5 Permanent Error Evaluating DMARC Policy".

Change SPF records for effective DMARC implementation

To resolve the issue, update your SPF record to include all authorized sending sources. Specify the IP addresses or hostnames that are allowed to send emails on behalf of your domain. It is essential to review and update the SPF record periodically to account for any changes in your email infrastructure.

For additional information, here’s our guide on how to create a SPF record.‍

Check If Your Email Service Provider Supports SPF Aligned Emails

Some email service providers may not support SPF-aligned emails, which can result in the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error. Checking the capabilities of your email service provider and making necessary adjustments is crucial.

Identifying if the email service provider supports SPF-aligned emails

Reach out to your email service provider to determine if they support SPF-aligned emails. They should be able to provide you with information regarding their email authentication capabilities.

Adjusting email service provider settings or considering alternatives for SPF alignment

If your email service provider does not support SPF-aligned emails, you may need to explore alternative options. Consider migrating to an email service provider that supports SPF alignment or adjust the settings within your current provider to ensure SPF alignment.

Example of an SPF record:

An SPF (Sender Policy Framework) record is a type of DNS (Domain Name System) record that identifies which mail servers are permitted to send email on behalf of your domain. Here is an example of an SPF record:

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:example.com -all


This SPF record means:

  • v=spf1: This specifies the version of SPF being used.
  • ip4:192.0.2.0/24: This allows all IP addresses from 192.0.2.0 to 192.0.2.255 to send emails for the domain.
  • ip4:198.51.100.0/24: This allows all IP addresses from 198.51.100.0 to 198.51.100.255 to send emails for the domain.
  • include:example.com: This specifies that the SPF record of example.com should be included. Emails sent from IP addresses authorized by example.com are also considered valid for this domain.
  • all: This means that all other servers are not authorized to send emails on behalf of the domain, and such emails should be rejected.

To create or update an SPF record for your domain, you need to log in to your domain's DNS management console and add or edit the TXT record for your domain with the appropriate SPF information.

Need help with this? We're here to help!

Setting up or reviewing your Digital Signatures  (DomainKeys Identified Mail - DKIM) Authentication

DKIM Checker Tool - Palisade

Implementing DKIM email authentication is crucial to resolve the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. You will need one DKIM DNS record per third party app you are using.

D‍KIM Checker Tool 🔧

Importance of DKIM email authentication for passing DMARC

DKIM adds an additional layer of email authentication, verifying the integrity of the email's content. Implementing DKIM strengthens your email authentication mechanism and increases the likelihood of passing DMARC policy evaluation.

Step-by-step instructions for enabling DKIM authentication

Enabling DKIM authentication involves generating a DKIM key pair, publishing the public key in the DNS, and adding the DKIM signature to outgoing emails. Follow the instructions provided by your email service provider or consult relevant documentation to set up DKIM authentication correctly.

  1. Signing: When an email is sent, the sending server generates a unique hash (digital signature) of the email's header and body. This hash is encrypted using the sender's private key and added to the email's header as a DKIM-Signature.
  2. Publishing Public Key: The sender's domain publishes the corresponding public key in the DNS as a TXT record. This public key is used by the receiver's mail server to verify the signature.
  3. Verification: When the email is received, the receiver's mail server retrieves the public key from the sender's DNS records. It then uses this key to decrypt the DKIM-Signature and compare it to a newly generated hash of the email. If they match, the email is authenticated as genuine.

Example of Implementing DKIM for a Third Party Tool

Step 1: Generate DKIM Keys

Look into the documentation of your third party tool to find out how to generate and find out DKIM keys. Once you found it:

  1. Generate Keys:
    • Go to the DKIM Core key generator tool.
    • Select a key length (2048-bit is recommended).
    • Enter a selector (e.g., thirdparty).
  2. Generate the key pair:
    • Click "Generate Keys".
  3. Copy the generated keys:
    • Copy the public key provided (it will be used in your DNS settings).
    • Copy the private key provided (it will be used in the third-party app).

Step 2: Publish the DKIM Public Key in DNS

Putting DNS record in Cloudflare
  1. Login to your DNS provider’s management console.
  2. Add a new TXT record:
    • Host/Name: <selector>._domainkey.example.com (replace <selector> with thirdparty and example.com with your domain).
    • Type: TXT
    • Value: The public key generated from the DKIM key generator tool. It will look something like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9sK...

Example DNS TXT Record

thirdparty._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9sK..."

For more examples, here’s our guide on How to Setup DKIM for Office 365.

About to throw away your keyboard? We're here to help!

Review your DMARC Record Policy

Validating and resolving errors in the DMARC record is essential for successful DMARC implementation. This section introduces the DMARC lookup tool by PowerDMARC, which can assist in identifying and resolving potential errors.

DMARC Validator Tool 🔧

DMARC Checker Tool Palisade
Importance of validating and resolving errors in the DMARC record

Validating the DMARC record ensures its correctness and reduces the chances of encountering authentication errors. Resolving errors identified in the DMARC record improves email deliverability and prevents the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue.

Change p=none Policy For DMARC

Temporarily changing the DMARC policy from p=none to p=reject or p=quarantine can help resolve the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue.

Understanding the role of DMARC policies in email authentication

DMARC policies determine how email servers handle messages that fail authentication. The p=none policy allows all emails, including those that fail authentication, to pass. Changing the policy to p=reject or p=quarantine ensures that emails failing authentication are either rejected or marked as spam.

Temporary change to p=none policy to send emails without DMARC errors

To allow emails to pass without triggering the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error, temporarily change the DMARC policy to p=none. This change will enable you to send emails while you address the underlying authentication issues.

Reverting back to p=reject or p=quarantine policy for email spoofing prevention

Once you have resolved the authentication issues and ensured proper email authentication, revert the DMARC policy back to p=reject or p=quarantine. This change will help prevent email spoofing and protect your brand integrity.

Steps to check and identify potential errors in the DMARC record

Utilize the this tool to validate your DMARC record. Enter your domain name, and the tool will provide a detailed analysis of your DMARC record, highlighting any errors or areas of improvement. Use the provided recommendations to fix the identified issues and ensure a valid DMARC record.

DMARC Policy Formatting Requirements

Adhering to the proper formatting requirements is crucial for a valid DMARC policy. This section outlines the essential formatting elements to consider when configuring your DMARC record.

Explanation of DMARC policy formatting requirements

To ensure a valid DMARC policy, adhere to the following formatting requirements:  • Start the DMARC record with "v=DMARC1" to indicate the version.  • Specify the policy using the "p=" tag, which can be set to none, quarantine, or reject.  • Use colons (:) as separators between tags and their corresponding values.  • Avoid including extra characters, such as unnecessary spaces, special characters, or bad quotes, in the DMARC record.

Remove Extra Characters From The Record

Extra characters or symbols in the DMARC record can cause the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. Identifying and removing these extra characters is a crucial step in resolving the problem.

Example of a DMARC Record with Unwanted Characters

Incorrect DMARC Record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; sp=quarantine; aspf=r; extra-character=!;

In this example, the extra-character=!; part is an unwanted and incorrect entry that should be removed.

Corrected DMARC Record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; sp=quarantine; aspf=r;

In the corrected version, the invalid extra-character=!; has been removed, leaving a properly formatted DMARC record.

Common causes of the error

Extra characters in the DMARC record can result from manual entry errors, copy-pasting issues, or formatting inconsistencies. It is essential to review the DMARC record carefully to identify any unnecessary characters.‍Identifying and fixing extra characters or symbols in DMARC recordsReview the DMARC record and ensure that it adheres to the proper formatting requirements. Remove any extra characters, symbols, or spaces that might be causing the error. Validate the DMARC record using available tools to ensure its correctness.

More details on How to create a DMARC record in this guide.

Good news is: Resolving 554 5.7.5 Error doesn’t have to be so Complicated

Resolving the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error involves a deep dive into the complexities of DMARC, SPF, and DKIM protocols. These email authentication standards are foundational in safeguarding your business's email communications, upholding brand integrity, and ensuring the trust of your customers.

At Palisade, we think no one should have to deal with that anymore and that is why we are building a DNS Engine and Monitoring Software to completely offload that from teams.

If you are interested in testing our product and never have to deal with that again, let’s chat!

More resources

Related articles

Latest insights and expert advice
Email
20

Email Deployment in 2024: What Does It Mean and How to Do It Right? Our Complete Guide.

Email

New Deadline: 7 Days Left to get your Emails in line with Google

Email

Debunking: Email Deliverability is not Set and Forget

All posts
Email

Resolving the "554 5.7.5 Permanent Error Evaluating DMARC Policy" Issue: A Comprehensive Guide

Published on
July 2, 2024
Table of Contents
This is also a heading
This is a heading
Contributors
Samuel Chenard
Chief technology officer
Dominic Landry
Email security specialist
Subscribe to our newsletter
Read about our privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Facing a "554 5.7.5 Permanent Error Evaluating DMARC Policy" error when sending emails? Been there before. It’s a major bummer. Here’s our guide to help you fix it.

This error can hinder the successful delivery of emails, potentially impacting your reach, marketing efforts, and transactional emails with customers, vendors, and teammates. Basically, it can create a mess. In this comprehensive guide, we will delve into the reasons behind this error and provide effective solutions to resolve it.

To scan and troubleshoot your DMARC policy, feel free to use our Email Deliverability Score Tool 🔧

Palisade Email Deliverability Score Tool

Understanding the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error

What is the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error?

Before we dive into resolving the issue, it is crucial to understand the nature of the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error. This error occurs when the recipient's server fails to evaluate the DMARC policy for incoming emails correctly. As a result, the recipient server may reject or mark the email as spam, preventing it from reaching the intended recipient.

Importance of resolving the issue quickly

Resolving the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue promptly is vital for several reasons. First and foremost, it ensures that your business emails reach the intended recipients without disruption. Additionally, resolving the error helps maintain your brand's reputation and prevents your domain from being flagged as spam. By addressing the issue, you demonstrate a commitment to email security and foster trust among your customers and business partners.

Reasons behind 554 5.7.5 Permanent Error Evaluating DMARC Policy

Impact of SPF and DKIM on DMARC policy evaluation

DMARC relies on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for email authentication. SPF verifies the sender's IP address, while DKIM verifies the integrity of the email's content. Both SPF and DKIM records need to be correctly configured to ensure accurate DMARC policy evaluation.

Incorrect SPF Record

SPF (Sender Policy Framework) is another critical component of email authentication that affects DMARC policy evaluation. An incorrect SPF record can contribute to the occurrence of the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error.‍

Understanding SPF and its role in email authentication

SPF helps verify that the sender's IP address is authorized to send emails on behalf of a specific domain. The SPF record is a DNS TXT record that lists the IP addresses or hostnames authorized to send emails for the domain. When an email is received, the recipient server checks the SPF record to ensure that the sender is authorized to send emails for the given domain.

Importance of correctly configuring SPF records

Misconfigured SPF records, such as missing or incorrect entries, can lead to email authentication failures and trigger the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error. It is crucial to ensure that the SPF record is accurately configured to include all authorized senders.

Impact of misconfigured SPF records on DMARC policy evaluation

DMARC policy evaluation heavily relies on SPF records. Misconfigured SPF records can result in failed authentication, leading to DMARC policy failures and triggering the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue.

SPF Record Checker Tool 🔧

SPF Checker Tool - Palisade

Incorrect DKIM Email Authentication Record

DKIM, an email authentication method, plays a crucial role in DMARC policy evaluation. An incorrect DKIM record can trigger the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. It is essential to understand the significance of DKIM and address common issues associated with DKIM authentication.‍

Definition and significance of DKIM

DKIM adds a digital signature to outgoing emails, allowing the recipient server to verify the email's authenticity. This signature is added as a DKIM signature header field in the email's header. The recipient server uses the public key published in the DNS to validate the DKIM signature, ensuring the email has not been modified during transit.‍

Common issues with DKIM authentication

Various issues can arise with DKIM authentication, leading to the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error. One common issue is a mismatch between the "d=" tag in the DKIM signature and the sending domain. It is essential to ensure that the DKIM signature aligns with the domain from which the email i

Mismatch between "d=" tag and sending domain

A mismatch between the "d=" tag in the DKIM signature and the sending domain can result in failed authentication. Ensure that the DKIM signature aligns with the domain from which the email is sent to prevent authentication errors.‍

D‍KIM Checker Tool 🔧

DKIM Checker Tool - Palisade

Incomplete DMARC Settings

Incomplete or misconfigured DMARC settings can lead to the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol. Incomplete DMARC settings may include not specifying the policy (p=none, p=quarantine, or p=reject) or failing to include the necessary SPF and DKIM records.

For additional insights on DMARC policies, consider exploring the resources available at Global Cyber Alliance.

Explanation of p=none and p=quarantine/reject policies

The DMARC policy specifies how email servers should handle messages that fail authentication. The policy can be set to p=none, p=quarantine, or p=reject:

  • The p=none policy allows emails to pass even if they fail authentication.
  • The p=quarantine policy directs emails that fail authentication to the spam or quarantine folder
  • The p=reject policy outright rejects the email.

DMARC checker tool 🔧

DMARC Checker Tool - Palisade

Wrong Policy on Recipient Side

In addition to the sender's DMARC policy, the recipient server's policies can also impact DMARC evaluation. It is essential to understand how the recipient server's policies influence the evaluation process and how to ensure proper configuration for successful DMARC policy evaluation.‍

How the recipient server's policies can affect DMARC evaluation

The recipient server may have its own policies and settings that impact DMARC evaluation. These policies can include rules for handling emails that fail authentication, such as redirecting them to the spam folder or rejecting them altogether. Understanding and aligning with the recipient server's policies is crucial for successful DMARC policy evaluation.

Ensuring proper configuration to pass policy evaluation on the recipient side

To ensure successful DMARC policy evaluation on the recipient side, it is essential to comply with the recipient server's policies. This may involve collaborating with the recipient to understand their policies and aligning your email authentication settings accordingly.‍

Collaboration with the recipient to evaluate their own DMARC policies

Engaging in a collaborative approach with the recipient can help resolve the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue.

How to Fix 554 5.7.5 Permanent Error Evaluating DMARC Policy

To fix your “554 5.7.5 Permanent Error Evaluating DMARC Policy” problems, you will need to look at each at your SPF, DKIM, DMARC record and troubleshoot them one by one, in that order, to make sure everything is well configured and aligned.

Verify your Authorized Senders List Record (SPF Record)

SPF Record Checker Tool - Palisade

Change or Create Your SPF Record

Having a neutral SPF record (or no SPF record) can contribute to the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. Changing the SPF record to an appropriate setting can help resolve the problem.

The importance of having an appropriate SPF record

An appropriate SPF record helps authenticate your emails and ensures they are not marked as spam or rejected by the recipient server. A neutral SPF record does not specify any authorization, which can lead to authentication failures.‍

Risks associated with a neutral SPF record

A neutral SPF record does not provide explicit authorization for email sending sources. This lack of authorization can lead to email authentication failures and trigger the "554 5.7.5 Permanent Error Evaluating DMARC Policy".

Change SPF records for effective DMARC implementation

To resolve the issue, update your SPF record to include all authorized sending sources. Specify the IP addresses or hostnames that are allowed to send emails on behalf of your domain. It is essential to review and update the SPF record periodically to account for any changes in your email infrastructure.

For additional information, here’s our guide on how to create a SPF record.‍

Check If Your Email Service Provider Supports SPF Aligned Emails

Some email service providers may not support SPF-aligned emails, which can result in the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error. Checking the capabilities of your email service provider and making necessary adjustments is crucial.

Identifying if the email service provider supports SPF-aligned emails

Reach out to your email service provider to determine if they support SPF-aligned emails. They should be able to provide you with information regarding their email authentication capabilities.

Adjusting email service provider settings or considering alternatives for SPF alignment

If your email service provider does not support SPF-aligned emails, you may need to explore alternative options. Consider migrating to an email service provider that supports SPF alignment or adjust the settings within your current provider to ensure SPF alignment.

Example of an SPF record:

An SPF (Sender Policy Framework) record is a type of DNS (Domain Name System) record that identifies which mail servers are permitted to send email on behalf of your domain. Here is an example of an SPF record:

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:example.com -all


This SPF record means:

  • v=spf1: This specifies the version of SPF being used.
  • ip4:192.0.2.0/24: This allows all IP addresses from 192.0.2.0 to 192.0.2.255 to send emails for the domain.
  • ip4:198.51.100.0/24: This allows all IP addresses from 198.51.100.0 to 198.51.100.255 to send emails for the domain.
  • include:example.com: This specifies that the SPF record of example.com should be included. Emails sent from IP addresses authorized by example.com are also considered valid for this domain.
  • all: This means that all other servers are not authorized to send emails on behalf of the domain, and such emails should be rejected.

To create or update an SPF record for your domain, you need to log in to your domain's DNS management console and add or edit the TXT record for your domain with the appropriate SPF information.

Need help with this? We're here to help!

Setting up or reviewing your Digital Signatures  (DomainKeys Identified Mail - DKIM) Authentication

DKIM Checker Tool - Palisade

Implementing DKIM email authentication is crucial to resolve the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. You will need one DKIM DNS record per third party app you are using.

D‍KIM Checker Tool 🔧

Importance of DKIM email authentication for passing DMARC

DKIM adds an additional layer of email authentication, verifying the integrity of the email's content. Implementing DKIM strengthens your email authentication mechanism and increases the likelihood of passing DMARC policy evaluation.

Step-by-step instructions for enabling DKIM authentication

Enabling DKIM authentication involves generating a DKIM key pair, publishing the public key in the DNS, and adding the DKIM signature to outgoing emails. Follow the instructions provided by your email service provider or consult relevant documentation to set up DKIM authentication correctly.

  1. Signing: When an email is sent, the sending server generates a unique hash (digital signature) of the email's header and body. This hash is encrypted using the sender's private key and added to the email's header as a DKIM-Signature.
  2. Publishing Public Key: The sender's domain publishes the corresponding public key in the DNS as a TXT record. This public key is used by the receiver's mail server to verify the signature.
  3. Verification: When the email is received, the receiver's mail server retrieves the public key from the sender's DNS records. It then uses this key to decrypt the DKIM-Signature and compare it to a newly generated hash of the email. If they match, the email is authenticated as genuine.

Example of Implementing DKIM for a Third Party Tool

Step 1: Generate DKIM Keys

Look into the documentation of your third party tool to find out how to generate and find out DKIM keys. Once you found it:

  1. Generate Keys:
    • Go to the DKIM Core key generator tool.
    • Select a key length (2048-bit is recommended).
    • Enter a selector (e.g., thirdparty).
  2. Generate the key pair:
    • Click "Generate Keys".
  3. Copy the generated keys:
    • Copy the public key provided (it will be used in your DNS settings).
    • Copy the private key provided (it will be used in the third-party app).

Step 2: Publish the DKIM Public Key in DNS

Putting DNS record in Cloudflare
  1. Login to your DNS provider’s management console.
  2. Add a new TXT record:
    • Host/Name: <selector>._domainkey.example.com (replace <selector> with thirdparty and example.com with your domain).
    • Type: TXT
    • Value: The public key generated from the DKIM key generator tool. It will look something like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9sK...

Example DNS TXT Record

thirdparty._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9sK..."

For more examples, here’s our guide on How to Setup DKIM for Office 365.

About to throw away your keyboard? We're here to help!

Review your DMARC Record Policy

Validating and resolving errors in the DMARC record is essential for successful DMARC implementation. This section introduces the DMARC lookup tool by PowerDMARC, which can assist in identifying and resolving potential errors.

DMARC Validator Tool 🔧

DMARC Checker Tool Palisade
Importance of validating and resolving errors in the DMARC record

Validating the DMARC record ensures its correctness and reduces the chances of encountering authentication errors. Resolving errors identified in the DMARC record improves email deliverability and prevents the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue.

Change p=none Policy For DMARC

Temporarily changing the DMARC policy from p=none to p=reject or p=quarantine can help resolve the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue.

Understanding the role of DMARC policies in email authentication

DMARC policies determine how email servers handle messages that fail authentication. The p=none policy allows all emails, including those that fail authentication, to pass. Changing the policy to p=reject or p=quarantine ensures that emails failing authentication are either rejected or marked as spam.

Temporary change to p=none policy to send emails without DMARC errors

To allow emails to pass without triggering the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error, temporarily change the DMARC policy to p=none. This change will enable you to send emails while you address the underlying authentication issues.

Reverting back to p=reject or p=quarantine policy for email spoofing prevention

Once you have resolved the authentication issues and ensured proper email authentication, revert the DMARC policy back to p=reject or p=quarantine. This change will help prevent email spoofing and protect your brand integrity.

Steps to check and identify potential errors in the DMARC record

Utilize the this tool to validate your DMARC record. Enter your domain name, and the tool will provide a detailed analysis of your DMARC record, highlighting any errors or areas of improvement. Use the provided recommendations to fix the identified issues and ensure a valid DMARC record.

DMARC Policy Formatting Requirements

Adhering to the proper formatting requirements is crucial for a valid DMARC policy. This section outlines the essential formatting elements to consider when configuring your DMARC record.

Explanation of DMARC policy formatting requirements

To ensure a valid DMARC policy, adhere to the following formatting requirements:  • Start the DMARC record with "v=DMARC1" to indicate the version.  • Specify the policy using the "p=" tag, which can be set to none, quarantine, or reject.  • Use colons (:) as separators between tags and their corresponding values.  • Avoid including extra characters, such as unnecessary spaces, special characters, or bad quotes, in the DMARC record.

Remove Extra Characters From The Record

Extra characters or symbols in the DMARC record can cause the "554 5.7.5 Permanent Error Evaluating DMARC Policy" issue. Identifying and removing these extra characters is a crucial step in resolving the problem.

Example of a DMARC Record with Unwanted Characters

Incorrect DMARC Record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; sp=quarantine; aspf=r; extra-character=!;

In this example, the extra-character=!; part is an unwanted and incorrect entry that should be removed.

Corrected DMARC Record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; sp=quarantine; aspf=r;

In the corrected version, the invalid extra-character=!; has been removed, leaving a properly formatted DMARC record.

Common causes of the error

Extra characters in the DMARC record can result from manual entry errors, copy-pasting issues, or formatting inconsistencies. It is essential to review the DMARC record carefully to identify any unnecessary characters.‍Identifying and fixing extra characters or symbols in DMARC recordsReview the DMARC record and ensure that it adheres to the proper formatting requirements. Remove any extra characters, symbols, or spaces that might be causing the error. Validate the DMARC record using available tools to ensure its correctness.

More details on How to create a DMARC record in this guide.

Good news is: Resolving 554 5.7.5 Error doesn’t have to be so Complicated

Resolving the "554 5.7.5 Permanent Error Evaluating DMARC Policy" error involves a deep dive into the complexities of DMARC, SPF, and DKIM protocols. These email authentication standards are foundational in safeguarding your business's email communications, upholding brand integrity, and ensuring the trust of your customers.

At Palisade, we think no one should have to deal with that anymore and that is why we are building a DNS Engine and Monitoring Software to completely offload that from teams.

If you are interested in testing our product and never have to deal with that again, let’s chat!

Your Website Title
Palisade - Email Spam Score & Compliance - Land your emails in the inbox and not in spam. | Product Hunt