DMARC Fail: Troubleshooting DMARC Authentication Failures

Your emails are failing DMARC checks. Learn what causes DMARC failures, how to diagnose alignment issues, and how to fix your SPF and DKIM configuration.

DMARC failure means your email didn't pass authentication checks. Depending on your DMARC policy, this can result in emails going to spam (p=quarantine) or being rejected entirely (p=reject). Understanding why DMARC fails is the first step to fixing it.

How DMARC Authentication Works

DMARC doesn't do its own authentication. It builds on SPF and DKIM, adding an alignment requirement:

For DMARC to pass, you need:

  1. SPF to pass AND align with the From header domain, OR
  2. DKIM to pass AND align with the From header domain

If neither condition is met, DMARC fails.

The key concept is alignment. SPF or DKIM passing isn't enough — the authenticated domain (for SPF, the envelope sender or Return-Path domain; for DKIM, the d= tag of the signature) must match (or, under relaxed alignment, share an organizational domain with) the domain in your From header.

DMARC Failure Scenarios

Scenario 1: SPF Passes, DKIM Passes, DMARC Fails

This confusing situation happens when alignment fails:

From: sender@company.com
SPF: pass (authenticated via mail.thirdparty.com)
DKIM: pass (signed by thirdparty.com)
DMARC: fail

Even though SPF and DKIM both pass, neither aligns with company.com. The email is authenticated — but for the wrong domain.

Scenario 2: Nothing Is Set Up

From: sender@company.com
SPF: none (no SPF record)
DKIM: none (no DKIM signature)
DMARC: fail

No authentication means guaranteed DMARC failure.

Scenario 3: Forwarded Emails

From: sender@company.com
SPF: fail (forwarding server not authorized)
DKIM: fail (message modified in transit)
DMARC: fail

Forwarding commonly breaks authentication, especially SPF.

"DMARC Policy Not Enabled" Message

If you're seeing warnings about DMARC policy not being enabled, it means one of two things:

No DMARC record exists: Your domain doesn't have a DMARC DNS record at _dmarc.yourdomain.com.

Policy is set to none:

v=DMARC1; p=none

A p=none policy tells receivers to take no action on failures — it's monitoring mode, not enforcement.

How to check: Use a DMARC checker to see your current policy.
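The check can be scripted. The following is an added example, not code from this article: it takes the TXT value found at _dmarc.yourdomain.com (for instance the output of dig TXT _dmarc.yourdomain.com, or None when the lookup returns nothing), splits it into tags, and reports whether the record is missing, invalid, in monitoring mode (p=none) or enforcing. The sample records at the bottom are constructed; the function names and the DmarcRecord class are this example's own.

```python
"""Parse a DMARC TXT record and classify the policy it declares.

Added example. parse_dmarc_record() takes the TXT value fetched from
_dmarc.<domain> (None if the lookup returned nothing); it does no DNS itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    found: bool                      # was there a record at _dmarc.<domain>?
    tags: Dict[str, str] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)

    @property
    def policy(self) -> Optional[str]:
        return self.tags.get("p")

    @property
    def subdomain_policy(self) -> Optional[str]:
        # sp= falls back to p= when absent (RFC 7489 section 6.3)
        return self.tags.get("sp", self.tags.get("p"))

    @property
    def enforcing(self) -> bool:
        """True only for p=quarantine or p=reject; p=none is monitoring."""
        return self.policy in ("quarantine", "reject")

    @property
    def reporting(self) -> bool:
        return bool(self.tags.get("rua"))


def parse_dmarc_record(txt: Optional[str]) -> DmarcRecord:
    """Split 'tag=value; tag=value' into a dict and validate the required tags."""
    if txt is None or not txt.strip():
        return DmarcRecord(found=False, errors=["no TXT record at _dmarc.<domain>"])
    rec = DmarcRecord(found=True)
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            rec.errors.append(f"malformed tag '{part}'")
            continue
        key, value = key.strip().lower(), value.strip()
        # policy and alignment values are case-insensitive; normalise them
        if key in ("p", "sp", "adkim", "aspf"):
            value = value.lower()
        rec.tags[key] = value
    first = txt.split(";", 1)[0].strip()
    if first.lower() != "v=dmarc1":
        rec.errors.append("record must start with v=DMARC1")
    if "p" not in rec.tags:
        rec.errors.append("missing required p= tag")
    elif rec.tags["p"] not in VALID_POLICIES:
        rec.errors.append(f"unknown policy p={rec.tags['p']}")
    return rec


def explain(rec: DmarcRecord) -> str:
    """One-line verdict in the terms the 'policy not enabled' warning uses."""
    if not rec.found:
        return "No DMARC record: receivers apply no policy and send no reports."
    if rec.errors:
        return "Invalid DMARC record (treated as no policy): " + "; ".join(rec.errors)
    if not rec.enforcing:
        return "DMARC policy not enabled: p=none is monitoring mode, failures are delivered."
    note = "" if rec.reporting else " No rua= tag, so you receive no aggregate reports."
    return f"DMARC enforced: p={rec.policy}, sp={rec.subdomain_policy}.{note}"


if __name__ == "__main__":
    # Constructed sample records, one per stage of the usual policy progression
    for sample in (None, "v=DMARC1; p=none",
                   "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; sp=none; adkim=s"):
        print(repr(sample), "->", explain(parse_dmarc_record(sample)))
```

A record whose first tag is not v=DMARC1 or that lacks p= is treated as invalid, which is what receivers do: an invalid record gives you no enforcement at all, not a fallback to p=none.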

Diagnosing DMARC Failures

Check Email Headers

When DMARC fails, the authentication results in email headers tell you why:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.thirdparty.com header.s=selector1;
       spf=pass (google.com: domain of bounce@mail.thirdparty.com designates 192.0.2.1 as permitted sender);
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=company.com

This reveals:

  • DKIM passed for mail.thirdparty.com (not company.com)
  • SPF passed for mail.thirdparty.com (not company.com)
  • DMARC failed because neither aligns with company.com

Review DMARC Reports

If you have DMARC reporting enabled (rua=mailto:...), aggregate reports show:

  • Which IPs are sending as your domain
  • Pass/fail rates by source
  • Alignment status

These reports identify exactly which sending sources are causing failures.

Audit Your Sending Sources

List everywhere email is sent from your domain:

  • Corporate email (Google Workspace, Microsoft 365)
  • Marketing platforms (Mailchimp, HubSpot, etc.)
  • Transactional email (SendGrid, Postmark, etc.)
  • CRM systems (Salesforce, etc.)
  • Support systems (Zendesk, Intercom, etc.)
  • Custom applications

Each needs proper authentication.

Fixing DMARC Failures

Fix 1: Configure SPF for All Senders

Your SPF record must include every service that sends email as your domain:

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all

Check your SPF: Use SPF Record Check to verify your record.

SPF has a 10 DNS lookup limit: include, a, mx, ptr, exists and redirect each count toward it (ip4, ip6 and all do not), and lookups inside nested includes count as well. Exceeding the limit causes SPF to fail entirely with a permerror.
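To see how quickly nested includes consume the budget, here is an added example (not code from this article or from any SPF library) that walks an SPF record and counts the lookup-causing terms the way an evaluator would. DNS is replaced by a constructed table of TXT records (FAKE_TXT) injected through the resolve parameter, so it runs offline; a real checker would pass a function that fetches TXT records instead. All domain names, record contents and function names are this example's own.

```python
"""Count the DNS lookups an SPF evaluation would perform.

Added example. RFC 7208 section 4.6.4 caps the lookup-causing terms (include,
a, mx, ptr, exists and the redirect modifier) at 10 per evaluation; more is a
permerror. resolve is injected so the walk can run against constructed data.
"""
from typing import Callable, Dict, List, Optional, Tuple

LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")
MAX_LOOKUPS = 10

# Constructed zone data standing in for DNS. A real checker would fetch TXT
# records, e.g. with dnspython's dns.resolver.resolve(name, "TXT").
FAKE_TXT: Dict[str, str] = {
    "company.example": "v=spf1 include:_spf.mail.example include:crm.example "
                       "include:support.example mx -all",
    "_spf.mail.example": "v=spf1 include:_netblocks.mail.example include:_netblocks2.mail.example ~all",
    "_netblocks.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 a mx include:loop.example -all",
    "loop.example": "v=spf1 include:loop.example -all",      # includes itself
    "support.example": "v=spf1 include:_a.support.example include:_b.support.example -all",
    "_a.support.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "_b.support.example": "v=spf1 ip4:203.0.113.128/25 -all",
}

Resolver = Callable[[str], Optional[str]]


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_TXT.get(name.lower())


def count_spf_lookups(domain: str, resolve: Resolver = fake_resolver,
                      _path: Tuple[str, ...] = ()) -> Tuple[int, List[str]]:
    """Return (lookup count, notes). Every lookup-causing term counts once;
    include:/redirect= targets are walked recursively. A target already on the
    current path is a loop: its term still counts, but it is not walked again."""
    path = (*_path, domain.lower())
    record = resolve(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record (referencing a missing record is a permerror)"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, [f"{domain}: TXT record is not an SPF record"]
    count, notes = 0, []
    for term in terms[1:]:
        t = term.lstrip("+-~?").lower()            # drop the qualifier
        if t.startswith("redirect="):
            name, target = "redirect", t.split("=", 1)[1]
        else:
            name, _, target = t.partition(":")
            name = name.split("/")[0]              # "a/24" -> "a"
            if name not in LOOKUP_MECHANISMS:
                continue                            # ip4, ip6, all, exp= ...
        count += 1
        if name in ("include", "redirect"):
            target = target.split("/")[0].lower()
            if target in path:
                notes.append(f"{domain}: {name} {target} already on the path (loop)")
                continue
            sub_count, sub_notes = count_spf_lookups(target, resolve, path)
            count += sub_count
            notes.extend(sub_notes)
    return count, notes


def spf_lookup_verdict(domain: str, resolve: Resolver = fake_resolver) -> Tuple[str, int, List[str]]:
    """'permerror' when the walk exceeds MAX_LOOKUPS, otherwise 'ok'."""
    count, notes = count_spf_lookups(domain, resolve)
    verdict = "permerror" if count > MAX_LOOKUPS else "ok"
    return verdict, count, notes


if __name__ == "__main__":
    verdict, count, notes = spf_lookup_verdict("company.example")
    print(f"company.example: {count} lookups -> {verdict}")
    for note in notes:
        print("  ", note)
```

With the constructed data, company.example lists only four terms of its own but costs 12 lookups once the includes are expanded, so it is over the limit; the two netblock records contribute nothing because ip4 terms need no lookup. Flattening includes into ip4/ip6 terms is the usual way back under 10.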

Fix 2: Set Up DKIM for Each Sender

Each sending service should sign emails with DKIM using your domain:

  1. Generate keys in the service's dashboard
  2. Add DNS records as instructed (TXT or CNAME)
  3. Enable signing in the service settings
  4. Verify with DKIM Test

When properly configured, DKIM signs as d=yourdomain.com, achieving alignment.

Fix 3: Understand Alignment Modes

DMARC supports two alignment modes:

Relaxed alignment (default):

  • aspf=r and adkim=r
  • Subdomains of the same organizational domain are allowed
  • mail.company.com aligns with company.com

Strict alignment:

  • aspf=s and adkim=s
  • Exact match required
  • mail.company.com does NOT align with company.com

If you're sending from subdomains, ensure your policy uses relaxed alignment.
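The alignment check behind Scenario 1, the Authentication-Results header shown under "Check Email Headers", and the two alignment modes above can all be exercised with one script. The following is an added example, not code from this article: it parses an Authentication-Results header, pulls out the domain each method authenticated (header.d or header.i for DKIM, smtp.mailfrom or smtp.helo for SPF), and applies DMARC's rule in relaxed or strict mode. SAMPLE_HEADER is a constructed header modelled on the one quoted earlier; unlike that copy it carries header.d= and smtp.mailfrom= properties, which most receivers add and which the parser reads. organizational_domain() is a deliberately simplified stand-in for a Public Suffix List lookup (an assumption of this example; production code should use the full list).

```python
"""Parse an Authentication-Results header and apply DMARC's alignment rule.

Added example. organizational_domain() is a simplified stand-in for a Public
Suffix List lookup; a production check should consult the full list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the header quoted in the article. It adds
# header.d= and smtp.mailfrom=, which most receivers include and which the
# parser relies on to find the authenticated domains.
SAMPLE_HEADER = """Authentication-Results: mx.example.net;
       dkim=pass header.i=@mail.thirdparty.com header.d=mail.thirdparty.com header.s=selector1;
       spf=pass (example.net: domain of bounce@mail.thirdparty.com designates 192.0.2.1 as permitted sender) smtp.mailfrom=bounce@mail.thirdparty.com;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=company.com"""

# Simplified public-suffix data (assumption): only these two-label suffixes are known.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


@dataclass
class AuthResult:
    method: str          # "spf", "dkim", "dmarc", ...
    result: str          # "pass", "fail", "none", ...
    props: Dict[str, str]

    @property
    def domain(self) -> Optional[str]:
        """Domain the method authenticated: DKIM d= (or i=), SPF MAIL FROM (or HELO)."""
        if self.method == "dkim":
            src = self.props.get("header.d") or self.props.get("header.i", "")
        elif self.method == "spf":
            src = self.props.get("smtp.mailfrom") or self.props.get("smtp.helo", "")
        else:
            return None
        return src.rpartition("@")[2].lower().rstrip(".") or None


def parse_authentication_results(header: str) -> Tuple[str, List[AuthResult]]:
    """Return (authserv-id, results). Parenthesised comments are discarded."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    body = " ".join(body.split())                 # unfold continuation lines
    while re.search(r"\([^()]*\)", body):         # strip comments, innermost first
        body = re.sub(r"\([^()]*\)", " ", body)
    stanzas = [s.strip() for s in body.split(";") if s.strip()]
    results = []
    for stanza in stanzas[1:]:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                props[key.lower()] = value
        results.append(AuthResult(method.lower(), result.lower(), props))
    return stanzas[0], results


def organizational_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(results: List[AuthResult], from_domain: str,
                   aspf: str = "r", adkim: str = "r") -> Tuple[bool, List[str]]:
    """DMARC passes iff at least one of SPF/DKIM both passed and aligns."""
    passed, reasons = False, []
    for r in results:
        if r.method not in ("spf", "dkim"):
            continue
        mode = aspf if r.method == "spf" else adkim
        if r.result != "pass":
            reasons.append(f"{r.method}={r.result}: only a pass can align")
        elif not r.domain:
            reasons.append(f"{r.method}=pass but no domain was reported")
        elif aligned(r.domain, from_domain, mode):
            reasons.append(f"{r.method}=pass for {r.domain} aligns with {from_domain} ({mode})")
            passed = True
        else:
            reasons.append(f"{r.method}=pass for {r.domain} does not align with {from_domain} ({mode})")
    return passed, reasons


if __name__ == "__main__":
    authserv, results = parse_authentication_results(SAMPLE_HEADER)
    ok, why = evaluate_dmarc(results, "company.com")
    print(f"{authserv}: dmarc={'pass' if ok else 'fail'}")
    for line in why:
        print("  ", line)
```

Run against the sample, both methods pass for mail.thirdparty.com and DMARC still fails for company.com, which is exactly Scenario 1. Pass "thirdparty.com" as the From domain instead and relaxed mode passes while strict mode does not, which is the difference between aspf=r/adkim=r and aspf=s/adkim=s.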

Fix 4: Handle Third-Party Senders

For services that can't sign with your DKIM:

Option A: Use their subdomain. Some services let you send from their domain (like company.mail.service.com). This sidesteps alignment issues but affects branding.

Option B: Custom sending domain. Configure the service to use your domain with proper DKIM setup.

Option C: Accept partial coverage. If SPF alignment works (service IPs in your SPF), DMARC passes even without DKIM. SPF alignment also requires the service to use your domain as the envelope sender (Return-Path); many services use their own bounce domain by default, and in that case adding their IPs to your SPF record does not give you alignment.

DMARC Policy Progression

Start with Monitoring

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

p=none doesn't affect delivery but generates reports. Use these to identify:

  • All legitimate sending sources
  • Which sources are properly authenticated
  • What needs fixing

Move to Quarantine

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Once legitimate sources pass authentication, quarantine mode sends failing emails to spam. This catches remaining issues while allowing some recovery (recipients can check spam).

Enforce with Reject

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Full enforcement rejects failing emails entirely. Only enable this when you're confident all legitimate email is authenticated.

Special Cases

Email Forwarding

Forwarding frequently breaks DMARC:

  • Forwarding server isn't in your SPF
  • Message modifications break DKIM

Solutions:

  • ARC (Authenticated Received Chain) — forwarders that support it seal the authentication results they saw, so the final receiver can trust them even though SPF and DKIM fail after forwarding; modern servers use this
  • Direct delivery where possible
  • Accept some forwarding failures as unavoidable

Mailing Lists

When you post to a mailing list:

  1. List server receives your email
  2. List modifies it (adds headers, footers)
  3. List sends to subscribers with original From address
  4. SPF fails (list server not in your SPF)
  5. DKIM fails (message was modified)
  6. DMARC fails

Most modern mailing lists handle this by:

  • Supporting ARC
  • Rewriting the From address
  • Preserving original DKIM where possible

SaaS Applications

Many SaaS tools send email on your behalf but authenticate as themselves:

  • Invoice emails from accounting software
  • Notification emails from project management tools
  • Automated emails from internal systems

Each needs proper DKIM configuration to align with your domain.

Monitoring DMARC Health

DMARC can fail due to:

  • DNS changes affecting SPF records
  • DKIM key rotation issues
  • New sending sources not configured
  • Changes to sending service infrastructure

Continuous monitoring catches these issues before they cause widespread delivery failures.
