TL;DR: Most DMARC failures come down to alignment problems. SPF or DKIM might pass, but the authenticated domain doesn't match your From header. Fix alignment by configuring third-party senders to use your domain in Return-Path and DKIM signatures, validate DNS syntax, and use ARC to handle forwarding. Start with p=none, monitor reports weekly, and only move to enforcement after hitting 95%+ pass rates.
Key takeaways
- Alignment ≠ authentication: SPF and DKIM can pass while DMARC still fails if the authenticated domain doesn't match the From header domain
- Only one needs to align: DMARC passes if either SPF or DKIM aligns. You don't need both.
- Third-party senders are the usual culprit: Marketing platforms, CRMs, and support tools often send with their own domains, breaking alignment
- Use relaxed alignment (default) unless you have strict security requirements. It allows subdomains to align with parent domains.
- Start at p=none: Collect reports for 2+ weeks before moving to quarantine or reject
- Hit 95% pass rates for at least a month before enforcing p=reject
- Review aggregate reports weekly: A sudden drop in pass rates signals something changed
- ARC preserves authentication through forwarding: It doesn't replace SPF/DKIM but helps when emails get forwarded
- SPF has a 10 DNS lookup limit: Exceeding it causes intermittent failures. Flatten includes to IPs if needed.
DMARC authentication failures block legitimate emails, damage sender reputation, and leave security gaps that attackers exploit. One misaligned DNS record can send hundreds of business-critical messages to spam folders. When SPF passes and DKIM signs correctly but DMARC still fails, IT teams face hours of XML report analysis, DNS troubleshooting, and vendor coordination to identify the root cause.
The good news: most DMARC failures trace back to a handful of fixable configuration issues. Alignment mismatches, DNS syntax errors, and third-party sender problems account for the majority of authentication failures. Understanding how to debug each failure type turns vague "DMARC not working" issues into specific, actionable fixes.
Security teams managing email authentication need systematic debugging approaches that quickly isolate problems, whether they stem from internal DNS records, third-party marketing platforms, or email forwarding configurations. This guide covers the practical debugging steps that get emails authenticating and delivering reliably.
Table of contents
- What are DMARC failures?
- SPF and DKIM alignment fixes
- Interpreting DMARC reports
- Correcting DNS record errors
- Handling forwarding and third-party senders
- Implementing ARC for better results
- Reducing DMARC failures: best practices
- Continuous monitoring and improvement
- FAQs about debugging DMARC failures
What are DMARC failures?
DMARC failures occur when emails fail alignment checks, even if SPF or DKIM authentication passes individually. The DMARC protocol requires that either SPF or DKIM aligns with the domain in the From header. Alignment means the authenticated domain matches the visible sender domain users see.
Common misalignment scenario:
Marketing newsletters land in spam despite SPF passing for mailserver.vendor.com and valid DKIM signatures. The From header shows marketing@company.com, but authentication passed for vendor.com domains—creating an alignment failure.
Fix: Configure your marketing platform to use company.com in both the Return-Path and DKIM signature d= parameter. Once alignment is established, DMARC passes and deliverability returns to normal.
DMARC evaluates two types of alignment
Alignment type | What it compares | Results needed |
SPF alignment | Return-Path domain vs. From header domain | Domains must match |
DKIM alignment | DKIM d= parameter vs. From header domain | Domains must match |
DMARC pass | Either SPF or DKIM alignment | Only one needs to pass |
An email from marketing@company.com authenticated by mailserver.vendor.com fails DMARC because the domains don't align. The SPF check might pass for the vendor domain, but DMARC requires alignment with company.com.
Authentication failures appear in aggregate reports as failed SPF alignment, failed DKIM alignment, or both. Receiving mail servers send these XML reports daily to the email address specified in your DMARC record.
SPF and DKIM alignment fixes
SPF alignment failures stem from Return-Path domain mismatches. When emails originate from third-party services, the Return-Path often uses the vendor's domain instead of yours. The SPF and DKIM guide explains how these protocols authenticate sender identity.
Alignment mode decision guide
Your sending configuration | Recommended mode | Reason |
All emails from primary domain only | Strict (aspf=s) | Maximum security, no subdomain complexity |
Marketing uses news.example.com | Relaxed (aspf=r) | Allows subdomain alignment |
Multiple third-party services | Relaxed (aspf=r) | Easier vendor configuration |
Learn how to fix SPF and DKIM alignment issues
Interpreting DMARC reports
DMARC aggregate reports arrive as compressed XML files attached to daily emails [4]. Each report contains authentication results grouped by sending source, showing pass/fail counts for SPF and DKIM alignment.
The source IP address identifies each sending system. Cross-reference IPs with known internal mail servers, third-party marketing platforms, and SaaS applications. Unknown IPs require investigation to determine if they represent legitimate services or unauthorized senders.
Make interpretation easy with Red Sift OnDMARC
Report analysis decision tree
Scenario | Volume | Authentication | Action required |
Known sender | High | Pass | Monitor for changes |
Known sender | High | Fail | Immediate fix needed |
Known sender | Low | Pass | Continue monitoring |
Known sender | Low | Fail | Investigate: test messages or edge cases |
Unknown IP | Any | Fail | Priority investigation: potential spoofing |
When both SPF and DKIM fail, examine specific alignment issues. Failed SPF indicates Return-Path problems; failed DKIM suggests signature issues or missing records.
Prioritize debugging this way: High-volume failures first, then unknown IPs, then low-volume issues.
Correcting DNS record errors
DNS syntax fundamentals:
SPF records must start with v=spf1 and end with -all or ~all. The -all directive fails unauthorized senders while ~all soft-fails them. Use DMARC checker tools to validate syntax before publishing.
DNS validation commands:
- DMARC: dig _dmarc.yourdomain.com TXT
- SPF: dig yourdomain.com TXT
- DKIM: dig selector._domainkey.yourdomain.com TXT
- Propagation: nslookup -type=TXT _dmarc.yourdomain.com 8.8.8.8
- Syntax check: redsift.com/tools/investigate
Common DNS configuration errors
Error | Symptom | Fix | Validation |
Missing v=spf1 tag | SPF fails for all mail | Add v=spf1 at record start | dig yourdomain.com TXT |
Exceeded 10 DNS lookups | Intermittent SPF failures | Flatten includes to IP addresses, or use a Dynamic SPF with Red Sift OnDMARC | Count include: statements |
Wrong DKIM selector | DKIM fails despite valid key | Match selector in DNS to mail server | Check mail headers for s= value |
DMARC record on wrong subdomain | No DMARC enforcement | Place at _dmarc.yourdomain.com | dig _dmarc.yourdomain.com TXT |
Missing rua= address | No aggregate reports received | Add rua=mailto:address@domain.com | Wait 24 hours for reports |
Pro Tip: Most SPF failures trace to lookup limits or selector mismatches. Focus debugging efforts on these two areas first for faster resolution.
Handling forwarding and third-party senders
Email forwarding breaks SPF authentication because forwarded messages originate from intermediate mail servers not listed in SPF records. When user@company.com forwards messages to personal@gmail.com, Gmail sees the forwarding server's IP, not the original sender's authorized IP.
How email forwarding breaks authentication:
Before forwarding: Original sender IP: 192.0.2.1 (authorized in SPF) → Return-Path: sender@company.com → From: sender@company.com → Passes SPF ✓ → Passes DMARC ✓
After forwarding through personal mail: Forwarding server IP: 203.0.113.5 (NOT in SPF) → Return-Path: sender@company.com (unchanged) → From: sender@company.com → Fails SPF ✗ → Fails DMARC ✗
SPF fails because the envelope sender (Return-Path) still references the original domain, but the sending IP changed to the forwarding server. DKIM signatures sometimes survive forwarding if messages remain unmodified.
Third-party sender configuration:
- Use subdomain sending - news.yourdomain.com instead of yourdomain.com
- Publish SPF records for all subdomains - Subdomains inherit nothing from parent domains
- Configure custom Return-Path domains - Preserves SPF alignment while vendors manage infrastructure
- Update when vendors change - Service providers add servers without notification
Implementing ARC for better results
Authenticated Received Chain (ARC) preserves authentication results through email forwarding and mailing list modifications. When messages pass through intermediaries, ARC creates a chain of authentication results that receiving servers can validate [1].
ARC header structure
ARC header | Purpose |
ARC-Authentication-Results | Records original authentication status |
ARC-Message-Signature | Provides cryptographic signature |
ARC-Seal | Creates tamper-evident seal |
Each intermediary adds its own ARC headers, building an auditable authentication chain.
Implementation options:
- Google Workspace / Microsoft 365 - Automatic ARC headers (zero configuration)
- Postfix / Sendmail - Self-hosted via OpenARC modules
- OnDMARC - Commercial platform with ARC validation
Important: ARC doesn't replace SPF or DKIM. It supplements them by preserving authentication results when forwarding would otherwise break DMARC alignment. Receiving servers that support ARC can validate the chain and trust messages that originally passed authentication.
Reducing DMARC failures: best practices
Document all authorized sending sources before implementing DMARC policies. Query employees about email-sending tools they use. Common shadow IT sources include support platforms (Zendesk), marketing tools (HubSpot, Mailchimp), CRM systems (SalesForce), and survey platforms.
Self-assessment: is your DMARC configuration at risk?
- Running p=quarantine/p=reject without 2+ weeks at p=none
- Authentication pass rate below 95% for legitimate senders
- Third-party services send without SPF/DKIM setup
- No weekly review process for aggregate reports
- DNS records not audited in 6+ months
- Team members can add email tools without IT approval
If you checked 3+: Address these gaps before progressing to enforcement policies.
Start with p=none and collect reports for two weeks. Analyze to identify all sending sources and authentication status. Progress to p=quarantine at 25% using the pct= tag, then gradually increase to pct=100 before moving to p=reject.
The DMARC enforcement guide walks through policy progression decision points. Move to p=reject only after achieving 95%+ authentication pass rates for at least one month.
Continuous monitoring and improvement
DMARC requires ongoing management, not one-time configuration. Third-party vendors change sending infrastructure, new applications send email without IT approval, and DNS records occasionally lapse during domain renewals.
Monitoring best practices
Task | Frequency | Action trigger |
Review aggregate reports | Weekly | Authentication rate drop >5% |
Update SPF records | Quarterly | New vendors or infrastructure changes |
Audit DNS configurations | Every 6 months | Policy or domain changes |
Track authentication pass rates by sending source. A marketing platform achieving 99% pass rates that suddenly drops to 85% signals immediate investigation.
Aggregate reports reveal attempted spoofing through unauthorized IPs. Forensic reports (ruf=) provide message samples for debugging but contain email content—use temporarily for active debugging only.
OnDMARC provides real-time alerts when authentication rates drop, automatically identifies new sending sources, and tracks policy compliance across multiple domains.
References
[1] Wikipedia contributors. "Authenticated Received Chain." Wikipedia, The Free Encyclopedia. https://en.wikipedia.org/wiki/Authenticated_Received_Chain
[2] InfraForge. "Why DMARC Fails When SPF and DKIM Pass." InfraForge AI Blog. https://www.infraforge.ai/blog/why-dmarc-fails-when-spf-and-dkim-pass
[3] Kitterman, S. "RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1." Internet Engineering Task Force (IETF). April 2014. https://datatracker.ietf.org/doc/html/rfc7208
[4] Kucherawy, M. and Zwicky, E. "RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)." Internet Engineering Task Force (IETF). March 2015. https://datatracker.ietf.org/doc/html/rfc7489