
DMARC Fail — Causes and Fixes

A DMARC failure means your email didn't pass authentication checks aligned with your domain's From address. Here's every cause and how to fix it.

What DMARC Actually Checks

DMARC doesn't run its own authentication — it uses SPF and DKIM results. Specifically, it checks alignment: the domain that passed SPF or DKIM must match the domain in the email's visible From: header.

A DMARC pass requires at least one of:

  • SPF pass and the SPF domain aligns with the From: domain
  • DKIM pass and the DKIM signing domain aligns with the From: domain

Cause 1: Sending Through a Third Party Without DKIM

This is the most common cause. You're sending email through Mailchimp, SendGrid, HubSpot, or another ESP. The ESP's servers pass SPF — but the SPF domain is the ESP's domain (e.g., sendgrid.net), not your domain. That fails DMARC alignment.

Fix: Enable DKIM signing through the ESP using your own domain. Most ESPs support this in their authentication settings. When DKIM is set up with your own domain as the signing domain, it will align with your From: header and DMARC will pass.

Cause 2: Sending From a Subdomain

You're sending from from@mail.yourdomain.com but your DMARC record is on yourdomain.com. With strict DMARC alignment, the domain that passed SPF or DKIM must be exactly the same as the From: domain, subdomain included. With relaxed alignment (the default), only the organizational domain needs to match.

Fix: Make sure you're using relaxed alignment (aspf=r; adkim=r in your DMARC record, which is the default). Or add a separate DMARC record for the subdomain at _dmarc.mail.yourdomain.com.

Cause 3: Forwarded Email

When email is forwarded, the sending IP changes. The new sending server isn't in the original domain's SPF record, so SPF fails. DKIM usually still passes (the signature travels with the email). This is why having DKIM is critical — it survives forwarding while SPF doesn't.

This is also why DMARC only requires one of SPF or DKIM to pass — forwarding would break everything if both were required.

Cause 4: Misconfigured DKIM Signature

DKIM signs specific headers and the body. If any signed header is modified in transit (e.g., by a mailing list adding headers), the DKIM signature becomes invalid. Some SMTP relays also modify the From: header, which breaks DKIM if it was in the signed headers list.

Diagnosing Your Specific Failure

The fastest way to diagnose a DMARC failure is to look at the headers of a failing email:

  1. Get the raw headers from a bounced or filtered email
  2. Paste them into the Email Header Analyzer
  3. Check the Authentication-Results section for the exact SPF, DKIM, and DMARC results and failure reasons
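The alignment check behind step 3, as an added example (not code from the original page or from any tool it mentions): it reads a raw message, takes the SPF and DKIM results from the Authentication-Results header, and tests each against the From: domain in relaxed or strict mode. The sample message, the host name mx.example.net and the function names are constructed for illustration, and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an ESP passes SPF and DKIM under its own domain (Cause 1).
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounces.esp-example.net;
 dkim=pass header.d=esp-example.net header.s=s1;
 dmarc=fail header.from=mail.yourdomain.com
From: Shop <news@mail.yourdomain.com>
Subject: constructed test message

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # consult the Public Suffix List (required for suffixes such as co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(raw, authserv_id, aspf="r", adkim="r"):
    """Return (from_domain, findings, dmarc_pass) for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    findings = []
    for header in msg.get_all("Authentication-Results", []):
        clauses = header.split(";")
        # Only trust results stamped by our own receiver; senders can forge the rest.
        if clauses[0].strip().lower() != authserv_id:
            continue
        for clause in clauses[1:]:
            m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
            if not m:
                continue
            method, result = m.groups()
            prop, mode = ("smtp.mailfrom", aspf) if method == "spf" else ("header.d", adkim)
            d = re.search(re.escape(prop) + r"=(\S+)", clause)
            domain = d.group(1).rpartition("@")[2].lower() if d else ""
            ok = result == "pass" and bool(domain) and aligned(domain, from_domain, mode)
            findings.append((method, result, domain, ok))
    return from_domain, findings, any(f[3] for f in findings)
```

Each finding is a tuple of (method, result, authenticated domain, aligned-and-passing), so a `pass` paired with `False` points directly at an alignment problem rather than an authentication failure.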

Also review your DMARC aggregate reports. They show every sending source and authentication result for your domain — invaluable for finding which service is failing.

It means the email failed both SPF alignment and DKIM alignment checks. The sending server wasn't authorized by SPF for your From: domain, and either DKIM wasn't present or the signing domain didn't match your From: domain.

Yes. SPF passing for the envelope sender domain doesn't help DMARC if that domain doesn't align with the From: header domain. DMARC requires alignment, not just passing.

Yes. DMARC pass is a significant positive signal for inbox placement. Google and Yahoo now require DMARC for bulk senders.