DMARC
451 4.7.5 "Temporary error evaluating DMARC policy" is a transient DNS failure during DMARC checks, not a rejection. Find the real cause and how to fix it.
Updated Jul 1, 2026
The short answer
"4.7.5 Temporary error evaluating DMARC policy" (usually sent as 451 4.7.5 by Gmail/Google) means the receiving server tried to authenticate your message but couldn't finish the DMARC check before a transient problem stopped it — almost always a DNS hiccup looking up your SPF, DKIM, or DMARC TXT records (SERVFAIL, resolver timeout, or a failing SPF include). It is a temporary deferral, not a policy rejection: harden your DNS and retry.
Most senders see this from Gmail / Google Workspace as the full line:
451 4.7.5 Temporary error evaluating DMARC policy (in reply to end of DATA command)
The 451 is the SMTP reply code and 4.7.5 is the RFC 3463 enhanced status code. Read those two numbers before you touch any DNS record — they tell you exactly what happened.
The leading 4 is the decisive digit. Under RFC 3463, a 4.x.x code is a persistent transient failure: "the message as sent is valid, but persistence of some temporary condition has caused abandonment or delay." The .7.x subject is the security/policy class. RFC 3463 §3.8 defines X.7.5 generically as "Cryptographic failure" — "a transport system otherwise authorized to validate or decrypt a message in transport was unable to do so because necessary information such as a key was not available or such information was invalid." The RFC text never mentions DMARC, SPF, or DKIM by name; Google and other providers have adopted X.7.5 as their de facto text for a stalled DMARC/SPF/DKIM check, but that mapping is a provider convention layered on top of the RFC, not an assignment the RFC itself makes.
Put together, 4.7.5 Temporary error evaluating DMARC policy does not mean your message failed DMARC and was rejected by a p=reject policy. It means the receiver started the DMARC evaluation and could not finish it because something timed out or errored mid-check. This is the SMTP-level expression of a DMARC TempError — the temperror result defined by RFC 7489 (DMARC formally registers the temperror/permerror results in its Authentication-Results registry update, §11.2; §6.6.3 separately covers how DNS lookup errors during policy discovery should be handled). The 4.7.5 / 5.7.5 text is Google's own way of surfacing that result over SMTP, not wording RFC 7489 itself assigns. Either way, the receiver is deferring delivery and expects you (or it) to retry.
This is the temporary twin of the permanent 554 5.7.5 Permanent error evaluating DMARC policy. Same subject code, different class digit (5 = won't resolve on retry). If you got the 451/4 version, retrying often succeeds on its own.
DMARC evaluation requires the receiver to perform several DNS TXT lookups — your _dmarc record, your SPF record (and every include/a/mx it chains to), and the DKIM selector key. A temporary failure in any of those lookups produces a temperror. Common transient causes:
include:.Note: a permanently broken record — bad DMARC syntax, an SPF record over the 10-DNS-lookup limit (RFC 7208 §4.6.4), a missing record — typically produces a PermError / 5.7.5, not this temporary code. If 4.7.5 is constant rather than intermittent, treat the underlying lookup as effectively broken and check those too.
4.x.x transient code, a compliant sending MTA will automatically re-queue and retry. Many one-off occurrences clear themselves within minutes once the DNS hiccup passes. Confirm whether the error is a blip or persistent before changing anything._dmarc.<domain>, SPF, and DKIM records directly against your authoritative nameservers (e.g. dig +trace txt _dmarc.example.com, dig txt example.com, dig txt selector._domainkey.example.com). Look for SERVFAIL, slow responses, or one nameserver answering differently than another.include, a, mx, ptr, exists, and redirect each count; ip4/ip6/all do not. Over-budget or deeply nested includes cause timeouts and PermErrors. Flatten or trim unused includes._dmarc record begins with v=DMARC1; followed by a p= policy tag — but treat syntax checks as ruling out the permanent variant; they won't explain a purely intermittent temperror.With Courier
References
FAQ
It is a temporary deferral, not a rejection. The leading 4 in 4.7.5 marks it as a persistent transient failure under RFC 3463 — the receiver couldn't finish evaluating DMARC (a DMARC "temperror"), usually due to a DNS lookup problem. On Gmail/Google Workspace specifically, a true DMARC p=reject rejection or broken record commonly shows up as the permanent 554 5.7.5 instead. RFC 7489 doesn't mandate a specific SMTP code for policy rejections, so other providers may use different codes.
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Reply-code definitions per RFC 3463 §2 / §3.8 (X.7.5); RFC 7489 §6.6.3 (DNS-error handling) / §11.2 (temperror/permerror registry). Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.