DMARC Failing? Find Out Why
Check your DMARC record and diagnose SPF/DKIM alignment issues causing failures.
Takes ~10 seconds
How DMARC Authentication Works
Email arrives at receiving server
Server checks for DMARC record at _dmarc.sender-domain.com
SPF check + alignment
Does Return-Path domain match From domain? Did SPF pass?
DKIM check + alignment
Does DKIM d= domain match From domain? Did signature verify?
DMARC verdict
PASS if SPF+aligned OR DKIM+aligned. FAIL if neither.
Common Reasons DMARC Fails
SPF alignment failure
SPF passes but the Return-Path domain doesn't match your From domain. Many email services use their own domain in Return-Path by default. Configure custom Return-Path or rely on DKIM alignment instead.
DKIM alignment failure
DKIM signature verifies but the d= domain doesn't match your From domain. Configure your email service to sign with your domain, not theirs. Check DKIM configuration.
No DMARC record published
Without a DMARC record, receivers can't verify alignment. Publish a record at _dmarc.yourdomain.com starting with v=DMARC1; p=none for monitoring. Check DMARC record.
Email forwarding breaks authentication
When emails are forwarded, SPF fails (new sender IP) and DKIM may break if headers are modified. This is a known limitation. ARC (Authenticated Received Chain) helps but isn't universally supported.
Third-party sender not configured
Marketing tools, CRMs, or transactional email services sending on your behalf need proper configuration. Add them to SPF and set up DKIM signing with your domain.
Subdomain policy mismatch
If you send from subdomains (e.g., mail.example.com), check the sp= tag in your DMARC record. Subdomains inherit the main policy unless sp= specifies otherwise.
How to Fix DMARC Failures
Check DMARC Reports
If you have rua= configured, analyze aggregate reports to see which sources are failing and why.
Fix SPF Alignment
Configure custom Return-Path/envelope sender to use your domain or a subdomain. Verify SPF.
Fix DKIM Alignment
Set up DKIM signing with your domain (d=yourdomain.com) for each sending service. Verify DKIM.
Inventory All Senders
List every service that sends email as your domain: marketing, transactional, CRM, support tickets, etc.
Progress DMARC Policy
Once alignment is fixed, move from p=none → p=quarantine → p=reject over weeks/months.
Frequently Asked Questions
Why is DMARC failing?
DMARC fails when neither SPF nor DKIM passes with alignment. The domain in your From header must match the domain that passed authentication (Return-Path for SPF, d= tag for DKIM).
What is DMARC alignment?
DMARC alignment means the domain in your From header matches the domain used for SPF (Return-Path) or DKIM (d= tag). Relaxed alignment (default) allows subdomains; strict (adkim=s/aspf=s) requires exact match.
How do I fix DMARC alignment?
Configure your email service to use your domain in the Return-Path (for SPF alignment) and sign with DKIM using your domain (for DKIM alignment). At least one must align for DMARC to pass.
Fix DMARC Failures Permanently
Create a free account to monitor DMARC reports, track alignment, and get fix recommendations.
Start Free Monitoring