DNS Authentication DMARC Fail: What It Means and How to Fix It
Seeing 'DNS Authentication: DMARC Fail' from Mimecast or another email gateway? Learn what this specific error means and how to fix it.
If you've been handed a bounce message or a header trace that says "DNS Authentication: DMARC Fail," you're probably looking at a Mimecast rejection — or a similar message from another email security gateway like Proofpoint, Barracuda, or Microsoft Defender for Office 365. The wording is different from a standard DMARC failure, and the fix is often different too.
This error isn't just telling you that DMARC failed. It's telling you that a gateway in front of the recipient's mailbox made an authentication decision before the message even reached the inbox. Here's what it means, why the phrasing is gateway-specific, and how to fix it.
What "DNS Authentication: DMARC Fail" Actually Means
Mimecast (and gateways that use similar phrasing) groups SPF, DKIM, and DMARC under a single "DNS Authentication" category. When you see this error in a bounce or header, it usually looks something like this:
550 DNS Authentication: DMARC Fail - policy=reject
Or in a message header trace:
X-Mimecast-DnsAuthentication-Result: DMARC Fail (policy=reject; disposition=reject)
Translated into plain English: the gateway checked your sending domain's DMARC record, evaluated SPF and DKIM alignment, and the message failed. Because your DMARC policy is set to p=reject (or because the gateway applies reject at its own discretion), the message was thrown out before delivery.
The reason the phrasing is different from the usual "dmarc=fail" you'd see in Gmail headers is simply that each gateway brands the check their own way. The underlying RFC 7489 evaluation is identical.
Why Gateway Errors Look Different from Gmail or Outlook
Gmail, Outlook.com, and Yahoo tend to show DMARC results in Authentication-Results headers with standard wording:
Authentication-Results: mx.google.com; dmarc=fail (p=REJECT)
Email gateways, on the other hand, sit between the public internet and the recipient's real mailbox. They rewrite or add their own headers and bounce messages. That's why you'll see:
| Gateway | Typical error wording |
|---|---|
| Mimecast | DNS Authentication: DMARC Fail |
| Proofpoint | 550 5.7.1 DMARC unauthenticated mail is prohibited |
| Barracuda | Message rejected due to DMARC policy |
| Microsoft Defender | 550 5.7.509 Access denied, sending domain does not pass DMARC |
| Cisco IronPort | DMARC verification failed (reject) |
The gateway often applies its own DMARC enforcement rules on top of your published policy. Some gateways will reject on p=none if their own reputation scoring kicks in, which is why you can sometimes see a "DMARC Fail" rejection even when your record says p=none.
The Most Common Causes
Gateway-specific DMARC failures almost always come down to one of four things.
1. Third-Party Sender Not Properly Authenticated
The single most common trigger. A service like HubSpot, Mailchimp, DocuSign, or Zendesk is sending on your behalf but isn't signing with your domain's DKIM key, and isn't using a Return-Path aligned with your From address. SPF may technically "pass" against the service's own envelope domain, but it doesn't align with your From header.
Mimecast and Proofpoint are particularly strict about alignment. A configuration that squeaks through at Gmail may be blocked outright at a gateway.
2. Forwarded Mail Breaking SPF
When a recipient has an auto-forward rule, or when mail is routed through a mailing list, SPF almost always breaks. The forwarding server's IP isn't in your SPF record, so SPF fails. If DKIM wasn't signed — or the forwarder modified the body — DKIM fails too. DMARC has nothing to align against and the gateway rejects.
3. Subdomain Sending Without a Subdomain Policy
If you send marketing mail from mail.yourdomain.com but only have a DMARC record at the organizational domain, the gateway applies your sp= tag (subdomain policy). If sp=reject is inherited from p=reject and the subdomain isn't properly set up with its own SPF and DKIM, every subdomain message fails.
4. A Malformed or Missing DMARC Record
Some gateways treat unreadable DMARC records as authentication failures rather than "no policy." If your record has a syntax error, duplicate tags, or there are two TXT records at _dmarc.yourdomain.com, the gateway may log a DMARC Fail even though the intent was to publish p=none.
Gateways are stricter than public mailboxes
Mimecast and Proofpoint often enforce DMARC more aggressively than Gmail or Outlook. A sender that works "fine" everywhere else may still be blocked by a corporate gateway. If you only test against personal Gmail, you'll miss these failures.
How to Fix It, Step by Step
Step 1: Get the Full Bounce or Header
Ask the recipient (or your helpdesk) for the full bounce message, including the X-Mimecast-DnsAuthentication-Result or equivalent header. You need to know exactly which check failed — SPF, DKIM, or alignment — and what the gateway's verdict was.
Step 2: Validate Your DMARC Record
Use the checker above to confirm your record is syntactically valid. Look specifically for:
- A single
v=DMARC1record at_dmarc.yourdomain.com - A valid
p=value (none,quarantine, orreject) - A working
rua=address so you can see what gateways are reporting - A deliberate
sp=tag if you send from subdomains
If anything looks off, regenerate your record with DMARC Creator before touching anything else.
Step 3: Identify the Failing Sender
Pull the source IP from the bounce. Match it against:
- Your SPF includes (is this IP authorized?)
- Known third-party senders (HubSpot, Salesforce, Zendesk, etc.)
- Your own infrastructure
If the IP belongs to a third-party sender, the fix is almost always on their end: enable DKIM signing with your domain, and if they offer it, configure a custom Return-Path so SPF aligns.
Step 4: Verify Alignment, Not Just Pass
This is the step most people skip. A DMARC report showing "SPF: pass, DKIM: pass, DMARC: fail" means both raw checks worked but neither aligned with the From domain. Alignment is what DMARC actually enforces. Review our guide to DMARC alignment for the detail.
Step 5: Test From the Same Route
Send a test message from the failing sender to a Mimecast (or equivalent) test mailbox. Don't just test against Gmail — the gateway is the one rejecting you, so that's where you need to verify the fix.
Preventing It From Happening Again
Most gateway rejections come from drift: a DKIM key was rotated and not updated in DNS, a new sending tool was added without being authenticated, or a subdomain was repurposed. Once you've fixed the immediate issue, the real work is catching the next one before it causes a bounce.
That's where continuous monitoring matters. Deliverability Checker watches your SPF, DKIM, and DMARC records daily and alerts you the moment something drifts — before Mimecast starts rejecting your invoices.
For the full troubleshooting workflow, see our DMARC troubleshooting guide.
Stop gateway rejections before they happen
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks — not after Mimecast bounces a customer email.
Start Monitoring