DMARC Fail: Why It Happens and How to Fix It

Learn why DMARC fails, understand SPF and DKIM alignment issues, and follow step-by-step instructions to diagnose and fix DMARC failures.

When DMARC fails, your emails may end up in spam folders or get rejected entirely, depending on the receiving domain's policy. Understanding why DMARC fails is the first step to fixing it.

DMARC failures almost always come down to SPF problems, DKIM problems, or alignment issues. Here's how to diagnose and fix each one.

What Causes DMARC to Fail

DMARC checks two things:

  1. Authentication: Does the email pass SPF or DKIM?
  2. Alignment: Does the authenticated domain match the From address domain?

For DMARC to pass, the email must pass either SPF or DKIM, AND the passing result must align with the From domain. Let's break down each failure type.

SPF Alignment Failures

SPF verifies that the sending server's IP address is authorized to send email for the domain in the envelope sender (Return-Path). But DMARC also requires this domain to align with the From address domain.

How SPF Alignment Works

When you send an email, there are two "from" addresses:

Envelope sender (Return-Path): The technical address used for delivery and bounces. This is what SPF checks.

Header From: The address recipients see in their email client. This is what DMARC protects.

For SPF alignment, these two domains must match exactly (strict mode) or at least share the same organizational domain (relaxed mode, the default).

Common SPF Alignment Problems

Third-party senders with their own envelope domain: Many email services use their own domain in the envelope sender. For example, Mailchimp might use bounce.mailchimp.com as the Return-Path even though your From address is you@yourdomain.com. SPF passes for mailchimp.com, but it doesn't align with yourdomain.com.

Forwarded email: When email is forwarded, the forwarding server's IP sends the message, but the original envelope sender remains. SPF fails because the forwarding server isn't in the original domain's SPF record.

Misconfigured sending services: Some services need custom envelope sender configuration to use your domain instead of theirs.

Fixing SPF Alignment

  1. Check your SPF record: Make sure all legitimate sending IPs are included. Test with SPF Record Check.

  2. Configure custom return paths: Some email services let you set a custom envelope sender domain. This usually requires adding DNS records.

  3. Rely on DKIM instead: If SPF alignment is difficult (like with email forwarding), ensure DKIM is set up. DMARC passes if either SPF or DKIM aligns.

SPF alone isn't enough

Even if SPF passes, DMARC can still fail if the envelope domain doesn't align with your From domain. That's why DKIM is so important.

DKIM Alignment Failures

DKIM adds a cryptographic signature to your emails. The receiving server verifies this signature using a public key published in DNS. For DMARC, the domain in the DKIM signature must align with the From address domain.

How DKIM Alignment Works

The DKIM signature includes a d= tag specifying the signing domain. For example:

DKIM-Signature: d=yourdomain.com; s=selector; ...

For DKIM alignment, this d= domain must match (or be related to) the From address domain.

Common DKIM Alignment Problems

Signing with the wrong domain: Some email services sign with their own domain by default. The signature is valid, but it doesn't align with your From domain.

Missing DKIM setup: If DKIM isn't configured at all, there's no signature to check. DKIM fails, and you're relying entirely on SPF.

Key mismatch: The private key used to sign doesn't match the public key in DNS. This causes signature verification to fail.

Message modification: If something alters the email after signing (like a mailing list adding a footer), the signature becomes invalid.

Fixing DKIM Alignment

  1. Set up DKIM for your domain: Configure your email provider to sign with your domain, not theirs. This usually involves adding CNAME or TXT records to your DNS.

  2. Verify your DKIM keys: Use DKIM Test to confirm your public key is correctly published and matches.

  3. Check all sending services: Each service that sends email as your domain needs its own DKIM configuration.

  4. Monitor for changes: DKIM keys can expire or get rotated. Make sure DNS records stay current.

Relaxed vs Strict Alignment

DMARC offers two alignment modes:

Relaxed alignment (default): The domains must share the same organizational domain. For example, mail.example.com aligns with example.com.

Strict alignment: The domains must match exactly. mail.example.com does NOT align with example.com.

Your DMARC record controls this with the aspf and adkim tags:

v=DMARC1; p=reject; aspf=r; adkim=r
  • aspf=r - Relaxed SPF alignment (default)
  • aspf=s - Strict SPF alignment
  • adkim=r - Relaxed DKIM alignment (default)
  • adkim=s - Strict DKIM alignment

Most domains should use relaxed alignment. Strict alignment creates more failures without significantly improving security for typical use cases.
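As an added example (not code from this article), here is a small evaluator that applies the alignment rules described in the SPF, DKIM, and relaxed-vs-strict sections above: a message passes DMARC only if SPF or DKIM passes and the passing identifier aligns with the From domain under the aspf/adkim mode. It assumes the organizational domain is the last two DNS labels; real verifiers consult the Public Suffix List (so that, say, co.uk is not treated as an organizational domain), which this example deliberately omits. The domains used are the article's own placeholders.

```python
# Added example: DMARC identifier alignment with relaxed ("r") / strict ("s") modes.
# Assumption: organizational domain ~= last two labels (no Public Suffix List).

def organizational_domain(domain: str) -> str:
    """Approximate organizational domain: 'mail.example.com' -> 'example.com'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment as selected by the aspf/adkim tag value."""
    if not auth_domain:
        return False
    auth = auth_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if mode == "s":                      # strict: exact match only
        return auth == frm
    return organizational_domain(auth) == organizational_domain(frm)  # relaxed


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   aspf="r", adkim="r") -> dict:
    """Combine raw SPF/DKIM results with alignment into a DMARC verdict plus reasons.

    spf_domain is the envelope sender (Return-Path) domain that SPF checked;
    dkim_domain is the d= tag of the verified signature (None if unsigned).
    """
    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, from_domain, aspf)
    dkim_aligned = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, adkim)
    reasons = []
    if spf_result != "pass":
        reasons.append(f"SPF {spf_result} for {spf_domain or '(none)'}")
    elif not spf_aligned:
        reasons.append(f"SPF passed for {spf_domain} but it does not align "
                       f"with {from_domain} (aspf={aspf})")
    if dkim_result != "pass":
        reasons.append("DKIM " + dkim_result +
                       (f" for d={dkim_domain}" if dkim_domain else " (no signature)"))
    elif not dkim_aligned:
        reasons.append(f"DKIM passed for d={dkim_domain} but it does not align "
                       f"with {from_domain} (adkim={adkim})")
    verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    passed_by = "spf" if spf_aligned else ("dkim" if dkim_aligned else None)
    return {"dmarc": verdict, "passed_by": passed_by, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "reasons": reasons}


if __name__ == "__main__":
    # Constructed scenarios mirroring the article: a marketing platform using its
    # own domains, the same platform with custom DKIM, a forwarded message, and
    # a subdomain sender under strict versus relaxed SPF alignment.
    cases = [
        ("yourdomain.com", "pass", "bounce.mailchimp.com", "pass", "mailchimp.com", "r", "r"),
        ("yourdomain.com", "pass", "bounce.mailchimp.com", "pass", "yourdomain.com", "r", "r"),
        ("yourdomain.com", "fail", "yourdomain.com", "pass", "yourdomain.com", "r", "r"),
        ("example.com", "pass", "mail.example.com", "none", None, "s", "r"),
        ("example.com", "pass", "mail.example.com", "none", None, "r", "r"),
    ]
    for c in cases:
        print(c[0], evaluate_dmarc(*c))
```

The third case is the forwarding scenario: SPF fails because the forwarding host is not authorized for the original envelope domain, but the untouched DKIM signature still aligns, so DMARC passes. The last two cases show the same subdomain sender failing under aspf=s and passing under aspf=r.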

Diagnosing DMARC Failures

When you're seeing DMARC failures, here's how to find the root cause:

Step 1: Check Your DMARC Reports

If you have rua= configured, your DMARC reports show exactly what's failing and why. Look for:

  • Which IPs are failing
  • Whether SPF passed or failed
  • Whether DKIM passed or failed
  • The policy applied
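The aggregate (rua) report is XML, and reading it by hand quickly becomes tedious. The following added example (not part of this article or any vendor's tooling) parses a constructed sample report with the Python standard library and summarizes, per source IP, the message count, the disposition, the aligned SPF/DKIM results from policy_evaluated, and the raw results from auth_results. The contrast between the two is the point: a source can show a raw SPF pass for the sender's own domain while the aligned SPF result is fail. The IPs are from documentation ranges and the domains are the article's placeholders; only the report elements this example reads are included.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (rua) report, trimmed to the elements read below.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result><selector>selector</selector></dkim>
      <spf><domain>bounce.mailchimp.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailchimp.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.mailchimp.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def diagnose(src: dict) -> str:
    """Explain a failing source using the raw results versus the aligned ones."""
    if src["dmarc"] == "pass":
        return "DMARC pass via " + ("SPF" if src["spf_aligned"] else "DKIM")
    notes = []
    for dom, res in src["raw_spf"]:
        notes.append(f"SPF passed for {dom} but does not align with {src['header_from']}"
                     if res == "pass" else f"SPF {res} for {dom}")
    if not src["raw_dkim"]:
        notes.append("no DKIM signature")
    for dom, res in src["raw_dkim"]:
        notes.append(f"DKIM passed for d={dom} but does not align with {src['header_from']}"
                     if res == "pass" else f"DKIM {res} for d={dom}")
    return "; ".join(notes)


def parse_aggregate_report(xml_text: str) -> dict:
    """Summarize every <record> of an aggregate report as a dict per source IP."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    report = {"org": root.findtext("report_metadata/org_name"),
              "domain": pub.findtext("domain"), "policy": pub.findtext("p"), "sources": []}
    for rec in root.findall("record"):
        row, ev, raw = rec.find("row"), rec.find("row/policy_evaluated"), rec.find("auth_results")
        src = {
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": ev.findtext("disposition"),
            "spf_aligned": ev.findtext("spf") == "pass",    # aligned result
            "dkim_aligned": ev.findtext("dkim") == "pass",  # aligned result
            "raw_spf": [(e.findtext("domain"), e.findtext("result")) for e in raw.findall("spf")],
            "raw_dkim": [(e.findtext("domain"), e.findtext("result")) for e in raw.findall("dkim")],
        }
        src["dmarc"] = "pass" if src["spf_aligned"] or src["dkim_aligned"] else "fail"
        src["diagnosis"] = diagnose(src)
        report["sources"].append(src)
    return report


def failing_sources(report: dict) -> list:
    """Sources whose messages failed DMARC, the ones to focus fixes on."""
    return [s for s in report["sources"] if s["dmarc"] == "fail"]


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_RUA)
    for s in rep["sources"]:
        print(f"{s['ip']:15} count={s['count']:3} disposition={s['disposition']:10} {s['diagnosis']}")
```

In the sample, 192.0.2.10 passes through an aligned DKIM signature even though its envelope domain is the platform's own, 198.51.100.7 sends unsigned mail that fails SPF outright, and 203.0.113.5 is the "service signs with its own domain" case: raw SPF and DKIM both pass, but neither identifier aligns with the From domain.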

Step 2: Test Individual Components

Check each authentication method separately:

SPF: Use SPF Record Check to verify your record is valid and includes all sending IPs.

DKIM: Use DKIM Test to verify your keys are published correctly.

DMARC: Use the checker at the top of this page to verify your record syntax.

Step 3: Send Test Emails

Send test emails from each service you use and check the headers. Look for:

Authentication-Results: dmarc=fail (p=none dis=none) ...

The headers tell you exactly what passed and failed.
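As an added example (not from the article), the following parser reads an Authentication-Results header of the kind shown above, extracts each method's result and its properties (smtp.mailfrom, header.d, header.from, and the p= and dis= values in the dmarc comment), and then explains a DMARC failure in the article's terms. The header lines are constructed; mx.example.net is an assumed receiving host, and the other domains are the article's placeholders.

```python
import re

# Constructed sample headers: a failing one (platform uses its own domains)
# and a passing one (custom DKIM configured, SPF broken by forwarding).
SAMPLE_FAIL = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=mailchimp.com header.s=k1;\n"
    " spf=pass smtp.mailfrom=bounce.mailchimp.com;\n"
    " dmarc=fail (p=none dis=none) header.from=yourdomain.com"
)
SAMPLE_PASS = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=yourdomain.com header.s=selector;\n"
    " spf=fail smtp.mailfrom=yourdomain.com;\n"
    " dmarc=pass (p=reject dis=none) header.from=yourdomain.com"
)


def parse_authentication_results(header: str) -> dict:
    """Split the header into authserv-id plus one entry per method."""
    body = re.sub(r"^Authentication-Results:\s*", "", header.strip(), flags=re.I)
    body = re.sub(r"\r?\n\s+", " ", body)            # unfold continuation lines
    parts = [p.strip() for p in body.split(";") if p.strip()]
    parsed = {"authserv_id": parts[0], "methods": {}}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if not m:
            continue
        entry = {"result": m.group(2).lower(),
                 # ptype.property=value pairs such as header.d=... or smtp.mailfrom=...
                 "props": dict(re.findall(r"([\w.]+\.\w+)=(\S+)", part))}
        comment = re.search(r"\(([^)]*)\)", part)
        if comment:                                   # e.g. (p=none dis=none)
            entry["comment"] = dict(re.findall(r"(\w+)=(\w+)", comment.group(1)))
        parsed["methods"][m.group(1).lower()] = entry
    return parsed


def explain_failure(parsed: dict) -> list:
    """Map the recorded results to the article's failure types."""
    methods = parsed["methods"]
    dmarc = methods.get("dmarc")
    if dmarc and dmarc["result"] == "pass":
        return ["DMARC passed"]
    from_dom = dmarc["props"].get("header.from", "?") if dmarc else "?"
    notes = []
    spf = methods.get("spf")
    if spf is None:
        notes.append("no SPF result recorded")
    elif spf["result"] != "pass":
        notes.append(f"SPF {spf['result']} for {spf['props'].get('smtp.mailfrom', '?')}: "
                     "check the SPF record, or the message was forwarded")
    else:
        notes.append(f"SPF passed for {spf['props'].get('smtp.mailfrom', '?')} but it does not "
                     f"align with {from_dom}: configure a custom return path or rely on DKIM")
    dkim = methods.get("dkim")
    if dkim is None:
        notes.append("no DKIM signature: set up DKIM for the sending service")
    elif dkim["result"] != "pass":
        notes.append(f"DKIM {dkim['result']} for d={dkim['props'].get('header.d', '?')}: "
                     "check the published key or whether the message was modified after signing")
    else:
        notes.append(f"DKIM passed for d={dkim['props'].get('header.d', '?')} but it does not "
                     f"align with {from_dom}: have the service sign with your domain")
    return notes


if __name__ == "__main__":
    for hdr in (SAMPLE_FAIL, SAMPLE_PASS):
        for line in explain_failure(parse_authentication_results(hdr)):
            print("-", line)
```

Because the dmarc= result already reflects alignment, a method that reports pass while dmarc=fail can only be unaligned, which is why the parser does not need to recompute alignment itself.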

Step 4: Identify the Failing Source

Once you know which service is failing, you can focus your fix on that specific sender.

Common Scenarios and Fixes

Email Marketing Platform Failing DMARC

Symptom: Marketing emails from Mailchimp, SendGrid, etc. fail DMARC.

Cause: The service is using its own domain for SPF and/or DKIM.

Fix: Set up custom domain authentication in your email platform. This typically involves adding CNAME records for DKIM and sometimes configuring a custom return-path domain for SPF.

Forwarded Emails Failing

Symptom: Emails forwarded by recipients fail DMARC at the final destination.

Cause: SPF breaks when email is forwarded because the forwarding server's IP isn't authorized for the original domain.

Fix: Ensure DKIM is properly configured. DKIM signatures survive forwarding (unless the message is modified), so DKIM alignment can pass even when SPF fails.

Internal Email Failing

Symptom: Email from your own mail server fails DMARC.

Cause: Your server's IP isn't in SPF, or DKIM isn't configured.

Fix: Add your mail server's IP to your SPF record and configure DKIM signing on the server.

CRM or Helpdesk System Failing

Symptom: Emails from Salesforce, Zendesk, HubSpot, etc. fail DMARC.

Cause: These services need specific configuration to send as your domain properly.

Fix: Follow the provider's documentation for email authentication setup. Most have specific guides for SPF, DKIM, and DMARC.

Prevention Checklist

To avoid DMARC failures:

  • [ ] Inventory all services that send email as your domain
  • [ ] Configure SPF to include all sending IPs
  • [ ] Set up DKIM for each sending service
  • [ ] Use relaxed alignment unless you have a specific need for strict
  • [ ] Monitor DMARC reports regularly
  • [ ] Test email from each source after making changes
  • [ ] Document your configuration so changes can be reviewed

Monitor Your DMARC Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
