DMARC Authentication Failures
Identifying why DMARC is failing can be complicated. We will go through some typical reasons and the factors that contribute to them, so you can work towards rectifying the problem more promptly.
DMARC Alignment Failures
DMARC makes use of identifier alignment to authenticate your emails. The receiver checks whether the domain in the visible From header matches the domain that SPF authenticated (the Return-Path, i.e. the envelope MAIL FROM domain, which recipients normally never see) and the domain in the DKIM signature's d= tag. An email passes DMARC if at least one of the two checks both passes and aligns with the From domain; otherwise DMARC fails.
So if your emails are failing DMARC, one possibility is identifier misalignment: SPF or DKIM may pass on its own, but neither identifier aligns with the From domain, so the email appears to be sent from an unauthorized source. This is just one of the reasons DMARC might be failing.
DMARC Alignment Mode
Your alignment mode also plays a large role in whether messages pass or fail DMARC.
You can choose from the following alignment modes for SPF authentication (set with the aspf tag in your DMARC record; relaxed is the default):
Relaxed (aspf=r): SPF aligns if the domain in the Return-Path header and the domain in the From header share the same organizational domain (for example bounce.example.com and example.com).
Strict (aspf=s): SPF aligns only if the domain in the Return-Path header and the domain in the From header are an exact match.
You can choose from the following alignment modes for DKIM authentication (set with the adkim tag; relaxed is the default):
Relaxed (adkim=r): DKIM aligns if the d= domain in the DKIM signature and the domain in the From header share the same organizational domain.
Strict (adkim=s): DKIM aligns only if the d= domain in the DKIM signature and the domain in the From header are an exact match.
Note that for an email to pass DMARC, either SPF or DKIM needs to align.
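The alignment rules above, expressed as a small receiver-side evaluator. This is an added example and not code from the original page; the organizational-domain lookup is deliberately simplified (real implementations consult the Public Suffix List, so the tiny PUBLIC_SUFFIXES set and the example.com / esp-mail.example scenarios are assumptions for illustration only):

```python
# Added example: DMARC identifier alignment as a receiver evaluates it.
# The organizational-domain lookup is simplified; real implementations use
# the Public Suffix List. This suffix set is an assumption for the example.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable (organizational) domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown TLD: fall back to the last two labels


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (organizational match)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(from_domain, mailfrom_domain, spf_result, dkim_sigs,
                   aspf="r", adkim="r", helo_domain=""):
    """dkim_sigs is a list of (d= domain, DKIM verification result) pairs.

    DMARC passes when SPF passes AND its identifier aligns, or when any DKIM
    signature verifies AND its d= domain aligns. A raw pass that does not
    align counts for nothing.
    """
    # RFC 7489: when MAIL FROM is empty (bounces), SPF is evaluated on HELO.
    spf_identifier = mailfrom_domain or helo_domain
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_identifier, aspf)
    dkim_aligned = any(res == "pass" and aligned(from_domain, d, adkim)
                       for d, res in dkim_sigs)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # Constructed scenarios for a hypothetical example.com sender.
    cases = {
        "own server": dmarc_evaluate("example.com", "bounce.example.com", "pass",
                                     [("example.com", "pass")]),
        "strict aspf": dmarc_evaluate("example.com", "bounce.example.com", "pass",
                                      [], aspf="s"),
        "ESP default DKIM": dmarc_evaluate("example.com", "bounce.esp-mail.example",
                                           "pass", [("esp-mail.example", "pass")]),
        "forwarded": dmarc_evaluate("example.com", "example.com", "fail",
                                    [("example.com", "pass")]),
    }
    for name, result in cases.items():
        print(f"{name:18} {result}")
```

The "ESP default DKIM" case is the one that surprises people: both SPF and DKIM pass at the raw level, yet DMARC fails because neither identifier belongs to example.com. The "forwarded" case shows the opposite: SPF fails but an aligned DKIM signature carries the message.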
Not Setting Up Your DKIM Signature
A common cause of DMARC failure is not having configured DKIM signing for your domain. In such cases, your email service provider may sign your outbound mail with its own default DKIM key, whose d= domain does not align with the domain in your From header. The signature itself verifies, but the receiving MTA cannot align the two domains, so DKIM fails for DMARC purposes. On its own this is not enough to fail DMARC, since an aligned SPF pass would still carry the message, but if SPF also fails or is not aligned, the message will fail DMARC overall. This is why it is important to set up an aligned DKIM signature rather than relying on SPF alone.
Not Adding Sending Sources to Your DNS
When you set up DMARC for your domain, receiving MTAs perform DNS queries to find out which sources are authorized to send for it. Unless all your legitimate sending sources are reflected in your domain's DNS (through SPF and DKIM), your emails will fail DMARC for any source the receiver cannot verify. To ensure your legitimate emails are always delivered, make sure every third-party vendor authorized to send on behalf of your domain is correctly set up in your DNS.
In Case of Email Forwarding
During forwarding, an email passes through an intermediary server before reaching the final recipient. SPF typically fails here, because the intermediary server's IP address does not match the original sending server and is usually not in the original SPF record. Forwarding does not usually affect DKIM, unless the intermediary or forwarding entity alters the signed content (for example, a mailing list adding a subject prefix or footer, which breaks the DKIM signature).
Because SPF generally fails during forwarding, DKIM becomes your primary defence: a message can still pass DMARC through an aligned DKIM signature even when SPF breaks. For this reason you should make sure DKIM is enabled and aligned for all your sending services rather than relying on SPF alone. Where forwarding or mailing lists also break DKIM, the modern solution is ARC (Authenticated Received Chain, RFC 8617), which lets a forwarder seal the authentication results it observed so the final receiver can honour them. The final receiver only does so if it trusts the sealing domain, so ARC helps with well-known forwarders rather than arbitrary ones. The three largest mailbox providers, Gmail, Microsoft 365, and Yahoo, support ARC, so if your mail is forwarded through them the ARC headers are already being added.
Your Domain is Being Spoofed
If you have DMARC, SPF, and DKIM properly configured, with your policies at enforcement and valid, error-free records, and the problem is none of the above, then the most probable reason your domain's mail is failing DMARC is that your domain is being spoofed. This is when impersonators send emails that appear to come from your domain from infrastructure you do not control and have not authorized.
If you have DMARC at an enforced policy (quarantine or reject), these spoofed messages will fail DMARC and be quarantined or blocked rather than delivered to your recipient's inbox. So in many cases, domain spoofing is the answer to why DMARC is failing, and an enforced policy is exactly what stops the fraudulent mail. Failures of this kind show up in your aggregate reports as source IPs you do not recognise, with neither SPF nor DKIM passing.
Why does DMARC fail for third-party mailbox providers? (Gmail, Mailchimp, Sendgrid, etc.)
If you use external providers to send email on your behalf, you need to set up SPF and DKIM for each of them. You can do this by asking the provider to handle it, or by configuring the protocols yourself through your admin portal on each platform.
If your Gmail messages are failing DMARC, check whether your domain's SPF record contains include:_spf.google.com. If not, that may be why receiving servers are not recognising Gmail as an authorized sending source. The same logic applies to Mailchimp, Sendgrid, and others: each authorized sender needs to be reflected in your authentication setup, and each one you add costs DNS lookups against the limit of ten that SPF allows, so check the total as you go.
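A practical check for the two sections above: walk an SPF record's include chains, confirm that a given provider is actually referenced, and count the DNS-querying mechanisms against the limit of ten in RFC 7208 (exceeding it yields a permerror, which DMARC treats as an SPF failure). This is an added example, not code from the original page or from any provider. The zone below is constructed: _spf.google.com and sendgrid.net are the real include names the page mentions, but the record contents shown for them are stand-ins, and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 ranges are documentation addresses.

```python
# Added example: offline SPF audit over a constructed zone.
# The include names are real, their contents here are stand-ins.
SPF_ZONE = {
    "example.com": "v=spf1 mx include:_spf.google.com include:sendgrid.net -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 ~all",
}
# A constructed record referencing eleven hypothetical ESPs, none resolvable.
OVERLOADED_ZONE = {
    "example.org": "v=spf1 " + " ".join(f"include:esp{i}.example" for i in range(11)) + " -all",
}

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def spf_terms(record):
    """Split a record into its terms, rejecting anything that is not v=spf1."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return parts[1:]


def _walk(domain, zone, seen, state):
    if domain in seen:            # include loop: a resolver would return permerror
        return
    seen.add(domain)
    record = zone.get(domain)
    if record is None:            # referenced but unpublished: the include is useless
        state["missing"].append(domain)
        return
    for term in spf_terms(record):
        term = term.lstrip("+-~?")                       # drop the qualifier
        sep = "=" if "=" in term.split(":", 1)[0] else ":"  # modifier vs mechanism
        name, _, arg = term.partition(sep)
        name = name.lower()
        if name in LOOKUP_TERMS:
            state["lookups"] += 1
        if name in ("include", "redirect"):
            state["includes"].append(arg)
            _walk(arg, zone, seen, state)


def audit_spf(domain, zone):
    """Return lookup count, referenced includes, missing records and limit status."""
    state = {"lookups": 0, "includes": [], "missing": []}
    _walk(domain, zone, set(), state)
    state["over_limit"] = state["lookups"] > MAX_LOOKUPS
    return state


def authorizes(domain, zone, provider_include):
    """True if provider_include is reachable from the domain's SPF record."""
    return provider_include in audit_spf(domain, zone)["includes"]


if __name__ == "__main__":
    print(audit_spf("example.com", SPF_ZONE))
    print("Gmail authorized:", authorizes("example.com", SPF_ZONE, "_spf.google.com"))
    print("Mailchimp authorized:", authorizes("example.com", SPF_ZONE, "servers.mcsv.net"))
    print(audit_spf("example.org", OVERLOADED_ZONE))
```

Against a real domain you would replace the dictionary lookup with a DNS TXT query; the counting logic stays the same. The overloaded record is the failure mode to watch for when adding vendors one at a time: each include is cheap to add and the eleventh silently turns every SPF evaluation into a permerror.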
How to fix DMARC failure
Step 1: Start with a p=none policy and monitor your domain using DMARC aggregate (RUA) reports. Keep a close eye on your inbound and outbound mail so you can spot and respond to delivery issues before enforcing.
Step 2: Once your reports show that your legitimate mail is authenticating and aligning correctly, move towards enforcement. A common safe path is to use the t=y testing-mode flag (introduced in RFC 9989, replacing the historic pct tag) as you raise your policy, holding at quarantine before deciding whether reject is appropriate for your domain. For domains whose users post to mailing lists, RFC 9989 recommends quarantine as the end state rather than reject.
Step 3: Identify the malicious IP addresses that your reports reveal and report them directly from the PowerDMARC platform, using its Threat Intelligence engine, to help prevent future impersonation.
Step 4: If you want detailed per-message information about failures, you can enable DMARC failure (RUF) reports. Note that many large providers no longer send these, so aggregate reports remain your most reliable diagnostic source.
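Step 1 and Step 2 hinge on reading aggregate reports correctly, so here is a reader for the RUA XML format that turns each record into the diagnoses this page describes: aligned pass, DKIM-only pass (forwarding), a passing but unaligned DKIM signature (the ESP default key from "Not Setting Up Your DKIM Signature"), a passing but unaligned Return-Path, or no passing authentication at all (a source missing from DNS, or spoofing). This is an added example, not code from the original page or from PowerDMARC. The embedded report is constructed to exercise each case; receiver.example, esp-mail.example, forwarder.example and the documentation IP addresses are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C shape. Not a real report.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p><aspf>r</aspf><adkim>r</adkim></policy_published>
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>45</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>esp-mail.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.esp-mail.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.33</source_ip><count>8</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.250</source_ip><count>300</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""


def _text(el, path, default=""):
    found = el.find(path)
    return found.text.strip() if found is not None and found.text else default


def diagnose(rec):
    """Return (dmarc verdict, reason) for one <record>.

    policy_evaluated holds the *aligned* results; auth_results holds the raw
    SPF/DKIM outcomes. Comparing the two separates "not authorized" from
    "authorized but under the wrong domain".
    """
    ev_dkim = _text(rec, "row/policy_evaluated/dkim")
    ev_spf = _text(rec, "row/policy_evaluated/spf")
    if ev_dkim == "pass" or ev_spf == "pass":
        if ev_spf != "pass":
            return "pass", "aligned DKIM only; SPF broke (forwarding is the usual cause)"
        return "pass", "aligned"
    raw_dkim_pass = any(_text(d, "result") == "pass" for d in rec.findall("auth_results/dkim"))
    raw_spf_pass = any(_text(s, "result") == "pass" for s in rec.findall("auth_results/spf"))
    if raw_dkim_pass:   # verified, but evaluated as fail: the d= domain is unaligned
        return "fail", "DKIM signed by an unaligned domain: configure DKIM signing for your own domain"
    if raw_spf_pass:    # same logic for the Return-Path domain
        return "fail", "SPF passes for an unaligned Return-Path: add aligned DKIM or fix the bounce domain"
    return "fail", "no passing authentication: source missing from SPF/DKIM, or spoofing"


def summarize(xml_text):
    """Aggregate a RUA report into per-source verdicts plus message totals."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        verdict, reason = diagnose(rec)
        records.append({"source_ip": _text(rec, "row/source_ip"),
                        "count": int(_text(rec, "row/count", "0")),
                        "dmarc": verdict, "reason": reason})
    total = sum(r["count"] for r in records)
    failing = sum(r["count"] for r in records if r["dmarc"] == "fail")
    return {"domain": _text(root, "policy_published/domain"),
            "policy": _text(root, "policy_published/p"),
            "records": records, "total_messages": total, "failing_messages": failing}


if __name__ == "__main__":
    report = summarize(SAMPLE_RUA)
    print(f"{report['domain']} p={report['policy']}: {report['failing_messages']}/{report['total_messages']} failing")
    for r in report["records"]:
        print(f"  {r['source_ip']:15} {r['count']:5} {r['dmarc']:4} {r['reason']}")
```

Reading the output against Step 2: the 198.51.100.7 source is legitimate mail that will be quarantined the moment you enforce, so it must be fixed first; the 192.0.2.250 source is the one an enforced policy is meant to stop. Real reports are gzip or zip attachments with many records per source, but the per-record logic is unchanged.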