What 550 5.7.1 Means
Per RFC 7489, DMARC ties SPF and DKIM together with an alignment requirement: the authenticated identifier (the SPF-passing domain or the DKIM-signed domain) must match the From-header domain. If neither aligns and your DMARC policy is p=reject (or p=quarantine), Gmail rejects with 550 5.7.1 and the descriptive text typically includes 'DMARC policy' or 'DMARC reject'.
Gmail consumer accounts and Google Workspace, post-February 2024 enforcement of the bulk-sender DMARC requirement. Microsoft, Yahoo, and most enterprise gateways enforce identically.
Your DMARC policy is p=reject or p=quarantine, AND: the From-header domain doesn't match the SPF-authenticated domain (relaxed/strict mismatch), AND DKIM doesn't sign with a domain that aligns with the From, OR both SPF and DKIM failed outright. A common cold email cause: tracking-link rewrites change the From or signing domain mid-flight.
How to Fix 550 5.7.1
- 1
Look up your current DMARC policy
Check the TXT record at _dmarc.yourdomain.com. The policy is in the 'p=' tag. p=none means 'monitor only — don't reject', p=quarantine sends to spam, p=reject hard-rejects. If your policy is p=reject and you're seeing failures, you have a real alignment problem — don't just downgrade to p=none, fix the alignment.
- 2
Run an alignment check
Send a test message to a personal Gmail and view the message source (Show Original). Look at the Authentication-Results header. It will tell you whether SPF and DKIM passed AND whether they aligned with the From header. The d= tag in DKIM and the SPF identity (Return-Path domain) must match the From domain for at least one of them.
- 3
Fix DKIM alignment
If DKIM is signing with the wrong domain, your sending platform is signing with its own domain rather than yours. ColdRelay signs with your sending domain by default. For other platforms, configure the signing domain in their dashboard to match your From. DKIM aligned is usually the easier fix because SPF alignment depends on Return-Path, which sending platforms control.
- 4
Fix SPF alignment
SPF alignment requires the Return-Path domain (envelope-from) to match the From-header domain. Many sending platforms use a custom-bounce domain for Return-Path that doesn't match your From. Either switch the platform's Return-Path to your sending domain, or rely on DKIM alignment instead (DMARC requires only one to pass).
- 5
Don't downgrade DMARC to p=none as a fix
Downgrading p=reject to p=none stops the rejections, but it also tells receivers your domain isn't claiming authentication enforcement. That weakens deliverability over time. Fix the alignment instead and keep the strict policy.
Note: If you do need to temporarily downgrade while fixing, set pct=0 with p=reject — this keeps the policy declared but applied to 0% of traffic. Saner than p=none.
- 6
Verify with the Email Deliverability Test
Use coldrelay.com/tools/email-deliverability-test to confirm SPF, DKIM, and DMARC all pass for your sending domain. Once green, the 5.7.1 DMARC rejects stop.
References
550 5.7.1 in the Cold Email Context
DMARC rejects became the dominant cold email rejection category after Gmail and Yahoo's February 2024 enforcement push. Before that, most cold senders ran with no DMARC at all and got away with it. Now Gmail requires DMARC for bulk senders and enforces alignment. The cleanest setup is: your sending domain signs with DKIM where d= matches the From, your Return-Path domain matches the From, and DMARC is published with at least p=none (graduating to p=quarantine then p=reject as your reputation matures). ColdRelay's domain provisioning sets all of this automatically — when you add a sending domain in the dashboard, SPF, DKIM, and a starter DMARC record are generated with proper alignment. The Domains page shows per-record green/red status so any drift is immediately visible.
Frequently Asked Questions
Should my DMARC policy be p=none, p=quarantine, or p=reject?
Start with p=none (monitor only) while you stabilize SPF and DKIM. Once both pass consistently for 2-4 weeks of normal sending, move to p=quarantine. After another 2-4 weeks of clean data, move to p=reject. The progression protects against accidental DMARC blocks during stabilization.
Does DMARC require both SPF and DKIM to pass?
No — only one needs to pass AND align. If DKIM passes and aligns with the From, the message passes DMARC regardless of SPF. If SPF passes and aligns, DKIM doesn't matter. Both is best, but one aligned is sufficient.
What does 'aligned' mean?
DMARC alignment means the authenticated identifier (DKIM's d= domain, or SPF's Return-Path domain) matches the From-header domain. Relaxed alignment allows subdomains (mail.example.com aligns with example.com); strict requires exact match. Default is relaxed.
Why does my SPF pass but DMARC fail?
SPF authentication passes when the sending IP is authorized. DMARC alignment passes when the authenticated domain matches the From. If SPF authenticates via a relay's domain (e.g. mandrill.com) but the From is yourdomain.com, SPF passes but doesn't align — DMARC fails on the SPF side. DKIM alignment can rescue this if DKIM signs with yourdomain.com.