How to Fix DMARC Failures: Troubleshooting Guide

Fix DMARC Failures Troubleshooting

DMARC failures can prevent your emails from reaching recipients or damage your domain reputation. This guide covers the most common causes of DMARC failures and how to fix them.

Understanding DMARC Failure

DMARC fails when:

  1. Both SPF and DKIM fail, OR
  2. Neither SPF nor DKIM aligns with the From header domain

DMARC needs at least one (SPF or DKIM) to pass AND align with the visible From address.

Common DMARC Failures and Solutions

1. Email Service Not Configured for Your Domain

Symptom: Third-party service emails fail DMARC

Cause: The service signs/authenticates using their domain, not yours

Solution: Enable custom domain authentication in the service's settings (often called "domain verification" or "sender authentication")

2. Missing SPF Include

Symptom: SPF fails for specific sending source

Cause: The sender's IP/domain isn't in your SPF record

Solution: Add the service's include statement to your SPF record

3. DKIM Not Enabled

Symptom: DKIM fails or shows "none"

Cause: DKIM signing isn't enabled for the sending service

Solution: Enable DKIM in the service and add their DNS records

4. Alignment Failure

Symptom: SPF passes, DKIM passes, but DMARC fails

Cause: Authenticated domains don't match the From header

Solution: Configure the service to use your domain for authentication, not theirs

5. Email Forwarding

Symptom: Forwarded emails fail DMARC

Cause: Forwarding breaks SPF (new server IP not authorized)

Solution: DKIM usually survives forwarding. Ensure DKIM is enabled. Some forwarding services implement ARC.

6. Mailing List Modification

Symptom: Emails sent to mailing lists fail DMARC

Cause: Lists often modify content, breaking DKIM signatures

Solution: Modern lists should implement ARC. Consider using p=quarantine instead of p=reject if mailing lists are critical.

Diagnosing DMARC Failures

Step 1: Check DMARC Reports

Aggregate reports show exactly what's failing:

  • Source IP of failing emails
  • SPF result and alignment status
  • DKIM result and alignment status
  • Volume of failures

Step 2: Identify the Sender

Use the source IP to determine which service is failing:

  • Look up the IP with a WHOIS tool
  • Compare against known service IP ranges
  • Check your list of authorized sending services

Step 3: Test Individual Components

Send test emails and check headers for:

  • spf=pass or spf=fail
  • dkim=pass or dkim=fail
  • dmarc=pass or dmarc=fail

Fixing Specific Services

Marketing Platforms

Services like Mailchimp, HubSpot, Klaviyo:

  1. Go to domain settings/sender authentication
  2. Add your sending domain
  3. Add the DNS records they provide (SPF include, DKIM records)
  4. Verify the domain in their system

Transactional Email Services

Services like SendGrid, Mailgun, Amazon SES:

  1. Set up domain authentication (usually required during setup)
  2. Add CNAME or TXT records for DKIM
  3. Add their include to SPF
  4. Enable signing with your domain

CRM and Helpdesk

Salesforce, Zendesk, Freshdesk, etc.:

  1. Configure email authentication in admin settings
  2. Add required DNS records
  3. May need to contact support for custom domain setup

Temporary Fixes While Troubleshooting

Lower DMARC Policy

If legitimate email is being blocked:

  1. Change from p=reject to p=quarantine or p=none
  2. This stops blocking while you fix the issue
  3. Return to stricter policy after fixes

Use pct to Limit Impact

Reduce the percentage affected:

v=DMARC1; p=reject; pct=10; ...

Only 10% of failing emails are affected.

Prevention

  • Audit all email sources before moving to enforcement
  • Use p=none for at least 2-4 weeks first
  • Review DMARC reports regularly
  • Set up new services with proper authentication before using them
  • Document all sending sources and their authentication status

For complete setup guidance, see our DMARC setup guide.

Related Resources

0 comments

Leave a comment

Please note, comments need to be approved before they are published.