DMARC failures can prevent your emails from reaching recipients or damage your domain reputation. This guide covers the most common causes of DMARC failures and how to fix them.
Understanding DMARC Failure
DMARC fails when:
- Both SPF and DKIM fail, OR
- Neither SPF nor DKIM aligns with the From header domain
DMARC needs at least one (SPF or DKIM) to pass AND align with the visible From address.
Common DMARC Failures and Solutions
1. Email Service Not Configured for Your Domain
Symptom: Third-party service emails fail DMARC
Cause: The service signs/authenticates using their domain, not yours
Solution: Enable custom domain authentication in the service's settings (often called "domain verification" or "sender authentication")
2. Missing SPF Include
Symptom: SPF fails for specific sending source
Cause: The sender's IP/domain isn't in your SPF record
Solution: Add the service's include statement to your SPF record
3. DKIM Not Enabled
Symptom: DKIM fails or shows "none"
Cause: DKIM signing isn't enabled for the sending service
Solution: Enable DKIM in the service and add their DNS records
4. Alignment Failure
Symptom: SPF passes, DKIM passes, but DMARC fails
Cause: Authenticated domains don't match the From header
Solution: Configure the service to use your domain for authentication, not theirs
5. Email Forwarding
Symptom: Forwarded emails fail DMARC
Cause: Forwarding breaks SPF (new server IP not authorized)
Solution: DKIM usually survives forwarding. Ensure DKIM is enabled. Some forwarding services implement ARC.
6. Mailing List Modification
Symptom: Emails sent to mailing lists fail DMARC
Cause: Lists often modify content, breaking DKIM signatures
Solution: Modern lists should implement ARC. Consider using p=quarantine instead of p=reject if mailing lists are critical.
Diagnosing DMARC Failures
Step 1: Check DMARC Reports
Aggregate reports show exactly what's failing:
- Source IP of failing emails
- SPF result and alignment status
- DKIM result and alignment status
- Volume of failures
Step 2: Identify the Sender
Use the source IP to determine which service is failing:
- Look up the IP with a WHOIS tool
- Compare against known service IP ranges
- Check your list of authorized sending services
Step 3: Test Individual Components
Send test emails and check headers for:
-
spf=passorspf=fail -
dkim=passordkim=fail -
dmarc=passordmarc=fail
Fixing Specific Services
Marketing Platforms
Services like Mailchimp, HubSpot, Klaviyo:
- Go to domain settings/sender authentication
- Add your sending domain
- Add the DNS records they provide (SPF include, DKIM records)
- Verify the domain in their system
Transactional Email Services
Services like SendGrid, Mailgun, Amazon SES:
- Set up domain authentication (usually required during setup)
- Add CNAME or TXT records for DKIM
- Add their include to SPF
- Enable signing with your domain
CRM and Helpdesk
Salesforce, Zendesk, Freshdesk, etc.:
- Configure email authentication in admin settings
- Add required DNS records
- May need to contact support for custom domain setup
Temporary Fixes While Troubleshooting
Lower DMARC Policy
If legitimate email is being blocked:
- Change from
p=rejecttop=quarantineorp=none - This stops blocking while you fix the issue
- Return to stricter policy after fixes
Use pct to Limit Impact
Reduce the percentage affected:
v=DMARC1; p=reject; pct=10; ...
Only 10% of failing emails are affected.
Prevention
- Audit all email sources before moving to enforcement
- Use p=none for at least 2-4 weeks first
- Review DMARC reports regularly
- Set up new services with proper authentication before using them
- Document all sending sources and their authentication status
For complete setup guidance, see our DMARC setup guide.
0 comments