Back to Course
Լight modeDark mode

DMARC Authentication Failures

Identifying why is DMARC failing can be complicated. We will go through some typical reasons, and the factors that contribute to them, so that you can work towards rectifying the problem more promptly.

DMARC Alignment Failures

DMARC makes use of domain alignment to authenticate your emails. This means that DMARC verifies whether the domain mentioned in the From address (in the visible header) is authentic by matching it against the domain mentioned in the hidden Return-path header (for SPF) and DKIM signature header (for DKIM). If either match, the email passes DMARC, or else DMARC fails.

Hence, if your emails are failing DMARC it can be a case of domain misalignment. That is neither SPF nor DKIM identifiers are aligning and the email is appearing to be sent from an unauthorized source. This however is just one of the reasons why is DMARC failing.

DMARC Alignment Mode 

Your protocol alignment mode also plays a huge role in your messages passing or failing DMARC. 

You can choose from the following alignment modes for SPF authentication:

  • Relaxed: This signifies that if the domain in the Return-path header and the domain in the From header is simply an organizational match, even then SPF will pass.
  • Strict: This signifies that only if the domain in the Return-path header and the domain in the From header is an exact match, only then SPF will pass.

You can choose from the following alignment modes for DKIM authentication:

  • Relaxed: This signifies that if the domain in the DKIM signature and the domain in the From header is simply an organizational match, even then DKIM will pass.
  • Strict: This signifies that only if the domain in the DKIM signature and the domain in the From header is an exact match, only then DKIM will pass.

Note that for emails to pass DMARC authentication, either SPF or DKIM needs to align.  

Not Setting Up Your DKIM Signature 

A very common case in which your DMARC may be failing is that you haven’t specified a DKIM signature for your domain. In such cases, your email exchange service provider assigns a default DKIM signature to your outbound emails that don’t align with the domain in your From header. The receiving MTA fails to align the two domains, and hence, DKIM and DMARC fail for your message (if your messages are aligned against both SPF and DKIM).

Not Adding Sending Sources to Your DNS 

It is important to note that when you set up DMARC for your domain, receiving MTAs perform DNS queries to authorize your sending sources. This means that unless you have all your authorized sending sources listed in your domain’s DNS, your emails will fail DMARC for those sources that are not listed since the receiver would not be able to find them in your DNS. Hence, to ensure that your legitimate emails are always delivered be sure to make entries on all your authorized third-party email vendors that are authorized to send emails on behalf of your domain, in your DNS.

In Case of Email Forwarding

During email forwarding, the email passes through an intermediary server before it ultimately gets delivered to the receiving server. During email forwarding, the SPF check fails since the IP address of the intermediary server doesn’t match that of the sending server, and this new IP address is usually not included within the original server’s SPF record. On the contrary, forwarding emails usually don’t impact DKIM email authentication, unless the intermediary server or the forwarding entity makes certain alterations in the content of the message.

As we know that SPF inevitably fails during email forwarding, if in case the sending source is DKIM neutral and solely relies on SPF for validation, the forwarded email will be rendered illegitimate during DMARC authentication. To resolve this issue, you should immediately opt for full DMARC compliance at your organization by aligning and authenticating all outgoing messages against both SPF and DKIM, as for an email to pass DMARC authentication, the email would be required to pass either SPF or DKIM authentication and alignment.

Your Domain is Being Spoofed

If you have your DMARC, SPF, and DKIM protocols properly configured for your domain, with your policies at enforcement and valid error-free records, and the problem isn’t either of the above-mentioned cases, then the most probable reason why your emails are failing DMARC is that your domain is being spoofed or forged. This is when impersonators and threat actors try to send emails that appear to be coming from your domain using a malicious IP address.

If you have DMARC implemented on a reject policy, it will fail and the spoofed email will not be delivered to your recipient’s inbox. Hence domain spoofing can be the answer to why is DMARC failing in most cases.

Why does DMARC fail for third-party mailbox providers? (Gmail, Mailchimp, Sendgrid, etc)

If you are using external mailbox providers to send emails on your behalf, you need to enable DMARC, SPF, and/or DKIM for them. You can do so by either contacting them and asking them to handle implementation for you, or you can take matters into your own hands and manually activate the protocols. To do so you need to have access to your account portal hosted on each of these platforms (as an admin).

If your Gmail messages are failing DMARC, hover over to your domain’s SPF record and check whether you have included _spf.google.com in it. If not, this may be a reason why receiving servers are failing to identify Gmail as your authorized sending source. The same applies to your emails sent from Mailchimp, Sendgrid, and others.

How to fix DMARC failure?

#Step 1: With a none policy, you can begin by monitoring your domain with DMARC (RUA) Aggregate Reports and keep a close eye on your inbound and outbound emails, this will help you respond to any unwanted delivery issues

#Step 2: After that, we help you shift to an enforced policy that would ultimately aid you in gaining immunity against domain spoofing and phishing attacks

#Step 3: Takedown malicious IP addresses and report them directly from the PowerDMARC platform to evade future impersonation attacks, with the help of our Threat Intelligence engine

#Step 4: Enable DMARC (RUF) Forensic reports to gain detailed information about cases where your emails have failed DMARC so that you can get to the root of the problem and fix it faster

DMARC Fundamentals >DMARC Authentication Failures
Course content
Email Authentication Fundamentals