Quick Answer

DMARC fails when neither SPF nor DKIM passes and aligns with the From domain. The most common causes: missing SPF include for a sending service, DKIM not enabled or signed with the wrong domain, third-party senders not authorized, email forwarding breaking both SPF and DKIM, and DNS misconfigurations. Check your DMARC aggregate reports to identify which senders are failing and why.

DMARC Failures: Every Scenario and How to Fix Each One

By Braedon·Mailflow Authority·Email Authentication

Failure: Third-Party Sender Not Authorized

Scenario: You use Mailchimp, but DMARC fails for Mailchimp-sent email.

Cause: Mailchimp signs with their domain, not yours. SPF passes for Mailchimp's Return-Path but doesn't align with your From domain.

Fix: Authenticate your domain in Mailchimp so they sign with your domain's DKIM key. This gives you DKIM alignment.

This is the most common DMARC failure I see. It applies to any ESP: SendGrid, HubSpot, Klaviyo, ActiveCampaign.

Failure: DKIM Not Enabled

Scenario: SPF passes and aligns, but only for direct email. Forwarded messages fail DMARC entirely.

Cause: DKIM was never turned on. You're relying solely on SPF, which breaks during forwarding.

Fix: Enable DKIM in your email provider. For Google Workspace or Microsoft 365, it requires explicit activation.

Failure: SPF Alignment Issue

Scenario: Your ESP sends email with a Return-Path at their domain (e.g., bounce.sendgrid.net), not yours.

Cause: SPF passes for the ESP's domain, but the Return-Path doesn't match your From domain.

Fix: Either set up a custom Return-Path with the ESP (if they support it) or rely on DKIM alignment instead. DKIM alignment alone is sufficient for DMARC.

Practitioner note: Don't chase SPF alignment with every ESP. Most ESPs make custom Return-Path harder to configure than custom DKIM. Focus on DKIM alignment — it's more reliable anyway because it survives forwarding.

Failure: Email Forwarding

Scenario: Recipients who forward your email to another address trigger DMARC failures.

Cause: The forwarding server's IP isn't in your SPF record (SPF fails), and if the forwarder modifies the body, DKIM fails too.

Fix: Ensure DKIM is always enabled so forwarded messages that aren't modified still pass via DKIM alignment. For messages that are modified, ARC helps receivers accept them.

Failure: Subdomain Mismatch

Scenario: You send from marketing.yourdomain.com but your DMARC record is only on yourdomain.com.

Cause: With strict alignment, the authenticated domain must match the From domain exactly, so a subdomain doesn't align with the root domain.

Fix: Use relaxed alignment (the default) or add DMARC records for specific subdomains. Check the sp= tag in your DMARC record.

Failure: DNS Misconfiguration

Scenario: DMARC is published but nothing works correctly.

Common DNS issues:

  • SPF record has syntax errors (permerror)
  • DKIM TXT record is truncated
  • DMARC record has typos (most common: missing semicolons or spaces)
  • Multiple DMARC records at the same hostname (only one is allowed)

Fix: Validate all records with dig or MXToolbox.

Practitioner note: I've seen a domain with two DMARC TXT records at _dmarc — one from a previous administrator and one from the current team. Having multiple DMARC records is a permerror. Delete the old one. There should be exactly one TXT record at _dmarc.yourdomain.com.

Quick Diagnostic Flowchart

  1. Check Authentication-Results header → is DMARC failing?
  2. Check SPF result → does SPF pass and align?
  3. Check DKIM result → does DKIM pass and align?
  4. If both alignment checks fail → identify the sender from reports
  5. Fix authentication for that sender → custom DKIM or custom Return-Path
  6. Verify → send a test and recheck headers
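Steps 1 through 4 of the flowchart can be scripted. The following is an added example, not code from the original article: it parses an Authentication-Results header and reports which mechanism both passes and aligns. The function names and sample headers are constructed for illustration, the organizational-domain shortcut is an assumption, and a single `strict` flag stands in for the separate SPF and DKIM alignment modes.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Receivers use the
    # Public Suffix List, so this shortcut is wrong for suffixes like co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    if not a:
        return False
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_auth_results(header):
    """Return [(method, result, props)] from an Authentication-Results value."""
    header = re.sub(r"\([^)]*\)", "", header)      # drop (comments)
    found = []
    for part in header.split(";")[1:]:             # part 0 is the authserv-id
        m = re.match(r"\s*([\w-]+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([\w.-]+)=(\S+)", part[m.end():]))
            found.append((m.group(1).lower(), m.group(2).lower(), props))
    return found

def diagnose(header, from_domain, strict=False):
    """Flowchart steps 1-4: which mechanism passes AND aligns with From?"""
    spf = dkim = False
    for method, result, props in parse_auth_results(header):
        if method == "spf":      # smtp.mailfrom carries the Return-Path
            dom = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
            spf = spf or (result == "pass" and aligned(dom, from_domain, strict))
        elif method == "dkim":   # a message may carry several signatures
            dom = props.get("header.d", "")
            dkim = dkim or (result == "pass" and aligned(dom, from_domain, strict))
    return {"spf_aligned": spf, "dkim_aligned": dkim, "dmarc_pass": spf or dkim}

# Constructed sample headers (not captured from real mail).
ESP_DEFAULT = ("mx.receiver.example; spf=pass smtp.mailfrom=bounces@bounce.sendgrid.net;"
               " dkim=pass header.d=sendgrid.net; dmarc=fail header.from=yourdomain.com")
FORWARDED = ("mx.receiver.example; spf=fail smtp.mailfrom=news@yourdomain.com;"
             " dkim=pass header.d=yourdomain.com; dmarc=pass header.from=yourdomain.com")

if __name__ == "__main__":
    print(diagnose(ESP_DEFAULT, "yourdomain.com"))
    print(diagnose(FORWARDED, "yourdomain.com"))
    print(diagnose(FORWARDED, "marketing.yourdomain.com", strict=True))
```

The first sample shows SPF and DKIM both passing for the ESP's domain while neither aligns, and the second shows a forwarded message surviving on DKIM alone until strict alignment is applied to a subdomain From address.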

If you're seeing DMARC failures you can't diagnose, I can run a complete authentication audit and fix every failing path.

v1.0 · April 2026

Frequently Asked Questions

Why is my DMARC failing?

DMARC needs either SPF or DKIM to both pass and align with your From domain. Check which is failing in your aggregate reports or email headers.

How do I check DMARC results?

Look at the Authentication-Results header in received emails, or use DMARC aggregate reports from a monitoring tool.

Can DMARC fail if SPF passes?

Yes. SPF can pass authentication but fail alignment — the Return-Path domain doesn't match the From domain. This is common with third-party senders.

What happens when DMARC fails?

It depends on your policy. p=none: nothing happens. p=quarantine: messages go to spam. p=reject: messages are blocked entirely.

How do I fix DMARC failures for third-party senders?

Configure custom DKIM in the third-party service so they sign with your domain, or set up a custom Return-Path for SPF alignment.
