DMARC fails when neither SPF nor DKIM pass with alignment to your From: domain. To pass DMARC, you need either SPF pass + SPF alignment OR DKIM pass + DKIM alignment (or both). Check your DMARC aggregate reports to identify which authentication method is failing and why. Common causes include missing authentication records, third-party senders not properly configured, forwarded email breaking SPF, and alignment mismatches between envelope and header domains.
DMARC Authentication Failed: Complete Troubleshooting Guide
How DMARC Authentication Works
DMARC requires either:
- SPF pass + SPF alignment — The IP is authorized by SPF AND the envelope domain aligns with From: domain
- DKIM pass + DKIM alignment — The DKIM signature is valid AND the DKIM d= domain aligns with From: domain
You need one or both. If neither condition is met, DMARC fails.
DMARC Pass = (SPF pass AND SPF aligned) OR (DKIM pass AND DKIM aligned)
Diagnosing DMARC Failures
Step 1: Check Your DMARC Reports
Your DMARC aggregate reports (RUA) show:
- Which IPs are failing
- Whether SPF passed or failed for each IP
- Whether DKIM passed or failed for each IP
- Whether alignment succeeded
Where to get reports:
- The address in your rua= tag receives daily XML files
- Use a parser: dmarcian, EasyDMARC, DMARC Analyzer
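Reading the raw XML by hand is where most people get lost, because an aggregate report carries two different verdicts per source: the raw SPF/DKIM outcomes under auth_results (which can pass for a domain that is not yours) and the aligned, DMARC-level verdicts under policy_evaluated. The parser below is an added example, not code from the article or from any of the named report tools; the report it parses is constructed inline (documentation IPs, placeholder domains and report_id) in the RFC 7489 schema. It lists every failing source with the reason, and computes the failure rate that the enforcement checklist later in the article expects to be near zero:

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report in the RFC 7489 XML schema.
# IPs are from documentation ranges; domains and report_id are placeholders, not real data.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return the published policy plus one dict per <record>.

    policy_evaluated holds the aligned (DMARC-level) verdicts; auth_results holds the raw
    SPF/DKIM outcomes, which may pass for a domain that is not the From: domain.
    """
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.find("identifiers").findtext("header_from"),
            "disposition": evaluated.findtext("disposition"),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "dkim_raw": [(d.findtext("domain"), d.findtext("result")) for d in auth.findall("dkim")],
            "spf_raw": [(s.findtext("domain"), s.findtext("result")) for s in auth.findall("spf")],
        })
    return {"domain": published.findtext("domain"), "p": published.findtext("p"), "records": records}


def diagnose(record):
    """Return 'pass', or a short reason why the record fails DMARC."""
    if record["dkim_aligned"] or record["spf_aligned"]:
        return "pass"
    # Raw passes for a foreign domain point at a third-party sender that lacks your DKIM
    # or a custom return-path (the third-party and envelope-mismatch scenarios).
    passing = sorted({d for d, r in record["dkim_raw"] + record["spf_raw"] if r == "pass"})
    if passing:
        return "unaligned: authenticated only as " + ", ".join(passing)
    # Nothing passed at all: a forwarder, a forgotten service, or someone else using your domain.
    return "unauthenticated: no SPF or DKIM pass"


def failing_sources(xml_text):
    """List (source_ip, count, reason) for every record that fails DMARC."""
    report = parse_aggregate_report(xml_text)
    return [(r["source_ip"], r["count"], diagnose(r)) for r in report["records"] if diagnose(r) != "pass"]


def failure_rate(xml_text):
    """Fraction of reported messages that failed DMARC."""
    report = parse_aggregate_report(xml_text)
    total = sum(r["count"] for r in report["records"])
    failed = sum(r["count"] for r in report["records"] if diagnose(r) != "pass")
    return failed / total if total else 0.0


if __name__ == "__main__":
    for ip, count, reason in failing_sources(SAMPLE_REPORT):
        print(f"{ip:16} {count:5d}  {reason}")
    print(f"failure rate: {failure_rate(SAMPLE_REPORT):.1%}")
```

On the constructed report the second source is the classic ESP case (raw SPF and DKIM both pass, but only for esp.example, so neither aligns) and the third is a source with no authentication at all; the first passes. Real reports are gzip or zip attachments with one <record> per source IP and disposition, so the same parser runs unchanged over the extracted XML.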
Step 2: Identify the Source
For each failing source, determine:
| Source Type | Typical Cause |
|---|---|
| Your ESP (Mailchimp, SendGrid, etc.) | DKIM not configured, wrong domain in DKIM |
| Your email provider (Google, Microsoft) | Should pass — check for misconfig |
| Third-party SaaS | Not sending with your DKIM |
| Unknown IPs | Possibly spoofing — or a service you forgot |
| Forwarded email | SPF broken, possibly DKIM too |
Step 3: Check Headers on Failed Email
If you can access a failed message:
```text
Authentication-Results: mx.google.com;
  dkim=pass header.d=yourdomain.com;
  spf=pass (sender IP is 1.2.3.4) smtp.mailfrom=bounce.esp.com;
  dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
```
This shows:
- DKIM passed with d=yourdomain.com (aligned ✓)
- SPF passed but smtp.mailfrom=bounce.esp.com (not aligned ✗)
- By the formula, DMARC should pass, because DKIM is aligned
Wait: if DKIM passed and aligned, why did the receiver report dmarc=fail? Look closer at the actual DKIM result.
Practitioner note: Headers can be misleading. I've seen "dkim=pass" where the passing signature was from a third-party relay, not the customer's domain. Always verify the header.d matches your From: domain.
Common Failure Scenarios
Scenario 1: Third-Party Sender Without DKIM
The problem: You use a CRM (HubSpot), helpdesk (Zendesk), or marketing tool (Klaviyo) that sends email as you, but DKIM isn't configured.
What happens:
- SPF might pass (if their IP is in your SPF record)
- But SPF envelope is their domain, not yours → alignment fails
- No DKIM with your domain → no DKIM alignment
- DMARC fails
The fix:
- Configure DKIM in the third-party tool
- Add their DKIM key to your DNS
- Verify the DKIM d= value is your domain
Scenario 2: Email Forwarding
The problem: Someone forwards your email via a rule (personal forwards, mailing lists, .forward files).
What happens:
- SPF fails — forwarder's IP isn't in your SPF
- DKIM may fail — if the forwarder modifies the message body
- DMARC fails
The fix:
- You can't fix other people's forwards
- Rely on DKIM (if not modified, it survives forwarding)
- Encourage receiving domains to support ARC
- Accept some DMARC failures from forwards as normal
Scenario 3: Subdomain Alignment Issues
The problem: You send from marketing.example.com but DKIM signs as example.com (or vice versa).
With relaxed alignment (default):
- From: user@marketing.example.com
- DKIM d=example.com
- Result: Aligned (subdomain of org domain)
With strict alignment:
- From: user@marketing.example.com
- DKIM d=example.com
- Result: Not aligned (must match exactly)
The fix:
- Use relaxed alignment (adkim=r, aspf=r) — this is the default
- Or configure DKIM to sign with the exact sending subdomain
Scenario 4: Envelope Domain Mismatch
The problem: Your ESP uses their domain for bounce handling.
Example:
- From: user@yourdomain.com
- Return-Path: bounces@esp-bounces.com
- SPF check: esp-bounces.com — passes their SPF
- SPF alignment: esp-bounces.com vs yourdomain.com — fails
The fix:
- Most ESPs support custom return-path/envelope domain
- Configure it to use a subdomain: bounces.yourdomain.com
- Add the ESP's IPs to that subdomain's SPF
Scenario 5: Missing DMARC-Friendly Configuration
The problem: You have both SPF and DKIM configured, but neither aligns.
Example:
- SPF passes for sendgrid.net (their IP in your SPF via include)
- DKIM passes for sendgrid.net (you didn't add custom DKIM)
- From: user@yourdomain.com
- Neither aligns → DMARC fails
The fix:
- Add custom DKIM in SendGrid that signs with yourdomain.com
- Or configure link branding/return-path with your domain
Fixing by Sender Type
Google Workspace / Microsoft 365
These should pass by default. If failing:
- Verify DKIM is enabled in admin console
- Check SPF includes the correct mechanism
- Confirm you're sending from the authorized domain
Marketing ESP (Mailchimp, Klaviyo, etc.)
- Add custom DKIM in ESP settings
- Publish the DKIM key to your DNS
- Optionally configure custom envelope domain for SPF alignment
Transactional (SendGrid, Mailgun, Postmark)
- Verify domain in provider dashboard
- Add DKIM records they provide
- Enable link branding / custom return-path
- Ensure SPF includes their mechanism
CRM / SaaS Tools
- Check if custom DKIM is available
- If yes, configure it
- If no, you may need to accept DMARC failures from that sender
- Consider using a subdomain dedicated to that service
The Alignment Matrix
| SPF Result | SPF Aligned | DKIM Result | DKIM Aligned | DMARC Result |
|---|---|---|---|---|
| Pass | Yes | Pass | Yes | Pass |
| Pass | Yes | Fail | - | Pass |
| Pass | No | Pass | Yes | Pass |
| Fail | - | Pass | Yes | Pass |
| Pass | No | Pass | No | Fail |
| Pass | No | Fail | - | Fail |
| Fail | - | Fail | - | Fail |
| Fail | - | Pass | No | Fail |
The key insight: you need at least one pass with alignment.
Practitioner note: Most DMARC failures I see come from forgetting to configure DKIM for one sender. People add the SPF include and assume they're done. SPF alignment almost never works with third-party senders unless you set up custom return-path — DKIM is the reliable path.
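The matrix above, the header example in Step 3 and the relaxed-versus-strict cases in Scenario 3 are all the same computation: parse the raw SPF/DKIM results, align each identifier against the From: domain under the adkim/aspf mode from your DMARC record, and pass if either leg aligns. The checker below is an added example, not the article's code or any receiver's implementation. It assumes the Authentication-Results header in Step 3 (reused verbatim), two further headers constructed for this example (relay.example is an assumed third-party relay, as in the practitioner note), and a simplified organizational-domain rule (last two labels) where real validators consult the Public Suffix List:

```python
import re

# Header from Step 3 of the article: DKIM aligned, SPF passing but for the ESP's bounce domain.
HEADER_FROM_ARTICLE = """Authentication-Results: mx.google.com;
  dkim=pass header.d=yourdomain.com;
  spf=pass (sender IP is 1.2.3.4) smtp.mailfrom=bounce.esp.com;
  dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com"""

# Constructed: the practitioner note's case, where the only passing signature belongs to a relay.
HEADER_RELAY_SIGNED = """Authentication-Results: mx.example;
  dkim=pass header.d=relay.example header.s=r1;
  spf=pass smtp.mailfrom=bounce.esp.com;
  dmarc=fail header.from=yourdomain.com"""

# Constructed: Scenario 3, From: on a subdomain while DKIM signs as the organizational domain.
HEADER_SUBDOMAIN = """Authentication-Results: mx.example;
  dkim=pass header.d=example.com header.s=s1;
  spf=fail smtp.mailfrom=lists.example.net"""


def parse_auth_results(header):
    """Parse an Authentication-Results header (RFC 8601) into (authserv-id, [result dicts]).
    Folded lines are joined and parenthesised comments dropped before splitting on ';'."""
    body = re.sub(r"^Authentication-Results:\s*", "", header, flags=re.I)
    body = re.sub(r"\([^)]*\)", "", " ".join(body.split()))
    parts = [p.strip() for p in body.split(";") if p.strip()]
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {k.lower(): v.lower() for k, _, v in (t.partition("=") for t in tokens[1:])}
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return parts[0], results


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for item in txt.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption; the Public Suffix
    List is what real implementations use, so that e.g. example.co.uk is handled correctly)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(header, from_domain, dmarc_record="v=DMARC1; p=none"):
    """Recompute the DMARC verdict from raw SPF/DKIM results under the record's adkim/aspf modes.
    Also reports which identifiers aligned, so you can see which leg carried the pass."""
    tags = parse_dmarc_record(dmarc_record)
    adkim, aspf = tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower()
    _, results = parse_auth_results(header)
    aligned_dkim, aligned_spf, dkim_passed_for = [], [], []
    for r in results:
        if r["method"] == "dkim" and r["result"] == "pass":
            d = r["props"].get("header.d", "")
            dkim_passed_for.append(d)          # every passing signature, aligned or not
            if is_aligned(d, from_domain, adkim):
                aligned_dkim.append(d)
        elif r["method"] == "spf" and r["result"] == "pass":
            mailfrom = r["props"].get("smtp.mailfrom", "")
            mf_domain = mailfrom.rsplit("@", 1)[-1]   # accepts a bare domain or a full address
            if is_aligned(mf_domain, from_domain, aspf):
                aligned_spf.append(mf_domain)
    verdict = "pass" if aligned_dkim or aligned_spf else "fail"
    return {"dmarc": verdict, "dkim_aligned": aligned_dkim, "spf_aligned": aligned_spf,
            "dkim_passed_for": dkim_passed_for, "adkim": adkim, "aspf": aspf}


if __name__ == "__main__":
    print(evaluate_dmarc(HEADER_FROM_ARTICLE, "yourdomain.com"))
    print(evaluate_dmarc(HEADER_RELAY_SIGNED, "yourdomain.com"))
    print(evaluate_dmarc(HEADER_SUBDOMAIN, "marketing.example.com"))
    print(evaluate_dmarc(HEADER_SUBDOMAIN, "marketing.example.com", "v=DMARC1; p=reject; adkim=s"))
```

The article's own header evaluates to pass here, which is exactly the point of the "look closer" advice: when a receiver reports dmarc=fail for a header that should pass, the dkim=pass it shows is not the signature you think it is. The relay-signed header makes that visible, since dkim_passed_for lists only relay.example and the verdict is fail. The subdomain header passes under the default relaxed mode and fails once adkim=s is published, which is Scenario 3 in both directions.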
Moving to Enforcement
Only move beyond p=none when:
- You've identified all legitimate sending sources in reports
- Each source has at least one aligned authentication method
- You've tested at p=quarantine with pct=25 first
- Failure rate from legitimate sources is near zero
If you're struggling to interpret your DMARC reports or fix persistent authentication failures, schedule a consultation — I'll analyze your reports and configure your senders correctly.
Sources
- RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- dmarcian: DMARC Guide
- Google: DMARC troubleshooting
- Microsoft: DMARC implementation
v1.0 · March 2026
Frequently Asked Questions
Why is my DMARC failing when SPF passes?
SPF passing isn't enough — it must also align. DMARC checks if the SPF-authenticated domain matches (or is a subdomain of) your From: header domain. If they differ, SPF alignment fails even when SPF itself passes.
What causes DMARC alignment failure?
Alignment fails when the authenticated domain doesn't match the From: domain. This happens with third-party senders using their own envelope domain, forwarded email, or misconfigured ESPs not using your domain in the return-path.
How do I fix DMARC failures from third-party senders?
Configure DKIM signing with your domain for each third-party sender. Even if their SPF doesn't align, DKIM can sign with your domain and provide alignment. This is the standard fix for ESPs and SaaS tools.
Can email forwarding cause DMARC to fail?
Yes. Forwarding typically breaks SPF (different sending IP) and may break DKIM (if the message is modified). ARC helps preserve authentication through forwards if the forwarder supports it.
Should I set DMARC to reject if I'm getting failures?
Not immediately. Stay at p=none while you investigate failures. Move to p=quarantine only after you've identified and fixed all legitimate sender authentication issues. Otherwise you'll block your own email.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.