Why is my DMARC failing?

DMARC failure usually means an alignment problem. DMARC requires that the domain in the visible From: header aligns with the domain authenticated by SPF or DKIM. If neither passes with alignment, DMARC fails — even if SPF or DKIM individually return valid results.

What causes DMARC failure

DMARC fails when neither SPF nor DKIM passes with alignment to the From: header domain.

The three main causes are:

SPF alignment failure. SPF passes at the envelope level but the MAIL FROM domain does not align with the From: header domain.

DKIM alignment failure. DKIM passes signature verification but the d= domain in the DKIM-Signature does not align with the From: domain.

Both SPF and DKIM fail entirely. No authentication mechanism passes, so DMARC has nothing to align against.

SPF alignment failures

SPF alignment requires that the MAIL FROM domain (the envelope sender used in the SMTP session) matches the domain in the visible From: header.

With relaxed alignment (the default), organisational domain matches are accepted. mail.example.com aligns with example.com.

With strict alignment, an exact domain match is required. mail.example.com does not align with example.com.

SPF alignment also breaks during email forwarding. When a message is forwarded, the forwarding server replaces the MAIL FROM with its own address, breaking SPF alignment with the original From: domain.

DKIM alignment failures

DKIM alignment requires that the d= domain in the DKIM-Signature header matches the domain in the visible From: header.

With relaxed alignment, d=mail.example.com aligns with example.com.

With strict alignment, d= must exactly match the From: domain.

Common DKIM alignment failures include: signing with a d= domain that does not match the From: domain, missing DKIM setup for a specific sending service, or a DKIM selector that no longer exists in DNS.

Unlike SPF, DKIM alignment survives email forwarding because the signature is attached to the message itself, as long as the forwarder does not alter the signed headers or body.

DMARC passes even if SPF fails

DMARC does not require both SPF and DKIM to pass. DMARC passes if at least one of them passes with alignment.

If SPF fails because of forwarding but DKIM passes with alignment, DMARC still passes. This is why configuring both SPF and DKIM makes DMARC more resilient.

This also means DMARC can fail even when SPF passes: SPF passing at the envelope level is not enough. The MAIL FROM domain must also align with the From: header domain.
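The alignment rules from the SPF and DKIM sections and the "at least one aligned pass" rule above can be put together in a short evaluator. This is an added example, not code from the original page. The PUBLIC_SUFFIXES set is a tiny constructed stand-in for the Public Suffix List, and every domain in the scenarios is constructed.

```python
# Added example. PUBLIC_SUFFIXES is a tiny constructed stand-in for the
# Public Suffix List (assumption); all domains below are constructed.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organisational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback for suffixes not in the set

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (organisational match), 's' = strict (exact match)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf_result, mail_from, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs: list of (result, d_domain), one tuple per DKIM-Signature."""
    spf_ok = spf_result == "pass" and aligned(mail_from, from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

def scenarios():
    return {
        # Third-party sender: SPF and DKIM both pass, but for the provider's domain.
        "third_party": dmarc_result("example.com", "pass", "bounce.esp-mail.net",
                                    [("pass", "esp-mail.net")]),
        # Forwarded mail: SPF no longer helps, the original DKIM signature still does.
        "forwarded": dmarc_result("example.com", "fail", "example.com",
                                  [("pass", "example.com")]),
        # Subdomain MAIL FROM: aligned under relaxed mode, not under strict.
        "relaxed": dmarc_result("example.com", "pass", "mail.example.com", []),
        "strict": dmarc_result("example.com", "pass", "mail.example.com", [], aspf="s"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```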

Common DMARC misconfigurations

p=none with no enforcement. Many domains stop at p=none, believing they are protected. p=none is monitoring only — receivers take no action on failing messages.

Missing rua report address. Without a rua= tag, you receive no aggregate reports and cannot see alignment failures.

Subdomain policy not set. Without an sp= tag, subdomains inherit the root domain policy, which may be weaker than intended.

Third-party sender not aligned. Email sent through a third-party provider may not sign with DKIM or may use a MAIL FROM domain that does not align with the From: domain.
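The first three misconfigurations above are visible in the DMARC TXT record itself, so they can be checked mechanically. This is an added example, not code from the original page. The function names and finding codes are hypothetical, and the records it is run against are constructed samples.

```python
# Added example; function names and finding codes are hypothetical.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return a list of (code, message) findings for one record."""
    pairs = parse_dmarc(record)
    # The version tag must be the first tag in the record.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return [("not-dmarc", "record must start with v=DMARC1")]
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in VALID_POLICIES:
        findings.append(("bad-policy", "p= is missing or not none/quarantine/reject"))
    elif policy == "none":
        findings.append(("monitor-only", "p=none: receivers take no action on failures"))
    if not tags.get("rua"):
        findings.append(("no-rua", "no rua= address: no aggregate reports will arrive"))
    if "sp" not in tags:
        findings.append(("sp-inherited", f"no sp= tag: subdomains inherit p={policy or '?'}"))
    return findings

def codes(record):
    """Finding codes only, convenient for scripting."""
    return [code for code, _ in lint_dmarc(record)]

if __name__ == "__main__":
    # Constructed sample record.
    for code, message in lint_dmarc("v=DMARC1; p=none"):
        print(code, "-", message)
```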

How to read DMARC aggregate reports

DMARC aggregate reports (requested with the rua= tag) are sent as XML files by receiving mail servers. Each report shows:

The source IP address of the sending server.

The SPF result and whether it aligned with the From: domain.

The DKIM result and the d= domain used for signing.

Whether DMARC passed or failed for each combination.

Reviewing these reports is the most reliable way to identify which senders are failing alignment and what is causing DMARC failures.

How to fix DMARC failures

Identify all sources sending email on behalf of your domain by reviewing DMARC aggregate reports.

Ensure each sender configures DKIM signing with a d= domain that aligns with your From: domain.

Ensure each sender uses a MAIL FROM domain that aligns with your From: domain, or rely on DKIM alignment instead.

Once all legitimate senders pass alignment, move DMARC policy from p=none to p=quarantine and then p=reject for full enforcement.

How to check DMARC

Use MXFend's DMARC Checker to verify your DMARC record exists, check the policy level, and identify missing or weak configurations.

Run the MXFend Email Security Score for a complete audit covering DMARC, SPF, DKIM, blacklists, SMTP TLS, and more.

Frequently asked questions

Can DMARC fail if SPF passes?

Yes. SPF passing at the envelope level is not enough. DMARC requires that the MAIL FROM domain aligns with the From: header domain. SPF can pass but still fail DMARC alignment.

Can DMARC pass if SPF fails?

Yes. DMARC passes if at least one of SPF or DKIM passes with alignment. If DKIM passes with alignment, DMARC passes even when SPF fails.

Why does Gmail say DMARC failed?

Gmail reports DMARC failure when neither SPF nor DKIM passes with alignment to the From: domain. Check whether your sending service uses DKIM signing with a matching d= domain and whether the MAIL FROM domain aligns with your From: address.

Does DMARC require DKIM?

No. DMARC works with DKIM and/or SPF. If SPF passes with alignment, DMARC can pass without DKIM. However, configuring DKIM makes DMARC more resilient, especially during email forwarding.