Summary
Even with correct SPF and DKIM, DMARC failures can occur due to a variety of reasons including email forwarding, mailing list modifications, DNS issues, and misalignment of the 'From:' address with SPF/DKIM domains. Intermediate server handling and ARC validation failures also contribute. Troubleshooting involves monitoring DMARC reports, validating configurations with testing tools, ensuring DNS health, and configuring mailing lists properly. A small percentage of failures is considered normal.
Key findings
- Email Forwarding: Forwarding can cause SPF failures as the email's origin changes, and DKIM failures if content is modified.
- Mailing List Modifications: Mailing lists often rewrite headers, breaking DKIM signatures even if SPF passes.
- DNS Issues: DNS propagation delays, outages, rate limiting, or exceeding SPF include limits can cause failures.
- Alignment Problems: DMARC requires alignment between the 'From:' domain and the domains used in SPF/DKIM; mismatches lead to failures.
- Intermediate Server Handling: Improper handling by intermediate servers, especially ARC validation failures, can disrupt authentication.
- Normal Failures: A small percentage of DMARC failures is considered normal, even with correct configurations.
Key considerations
- DMARC Reports: Use DMARC reports to identify failure sources and unauthorized senders.
- Configuration Validation: Validate configurations with testing tools to ensure correct setup.
- DNS Health: Ensure DNS resolvers are fast and reliable; check for rate limiting and sync nameservers.
- Mailing List Configuration: Configure mailing lists to rewrite the 'From:' address or re-sign messages to maintain authentication.
- Subdomain Configuration: Ensure all subdomains sending email are configured with correct SPF/DKIM or use wildcard DMARC records.
- DMARC Monitoring: Set up DMARC monitoring to track authentication results over time and identify trends.
- Feedback Loops: Set up DMARC feedback loops to receive reports and improve authentication practices.
What email marketers say
11 marketer opinions
Even when SPF and DKIM pass, DMARC checks can fail for several reasons. Common causes include email forwarding, modifications by mailing lists, and DNS issues. DMARC also requires 'alignment,' meaning the 'From:' domain must match the domains used in SPF and DKIM. Tools like DMARC reports and online testing platforms can help troubleshoot these failures by identifying their sources and validating configurations.
Key opinions
- Mailing List Modifications: Mailing lists often modify email headers, breaking DKIM signatures. Even if SPF passes, the DKIM failure will cause DMARC to fail.
- Email Forwarding: Email forwarding can break SPF and DKIM if the forwarder is not authorized or modifies the message content.
- Alignment Issues: DMARC requires SPF and DKIM to align with the 'From:' domain. If there is a mismatch, DMARC will fail.
- DNS Problems: DNS issues like propagation delays, outages, or exceeding SPF 'include:' limits can cause intermittent or permanent DMARC failures.
- Subdomain Configuration: If subdomains send emails without proper SPF and DKIM, DMARC failures will occur. Wildcard DMARC records can address this.
- Rate Limiting: DNS rate limiting can cause intermittent failures, especially if not using Route53.
Key considerations
- DMARC Reports: Use DMARC reports to identify the source of DMARC failures and unauthorized sending sources.
- Testing Tools: Validate DMARC configuration using online testing tools to ensure records are correctly set up.
- DMARC Monitoring: Set up DMARC monitoring to track SPF, DKIM, and DMARC results from various ISPs over time.
- Aggregate Report Analysis: Analyze DMARC aggregate reports to gain insights into email sources and authentication results.
- List Server Configuration: Configure mailing lists to rewrite the 'From:' address to align with SPF or re-sign messages.
- DNS Reliability: Ensure DNS records are correct and DNS servers are reliable to avoid propagation issues and outages.
Marketer view
Email marketer from StackOverflow explains that one possible cause of SPF failures is having too many 'include:' mechanisms in your SPF record, exceeding the 10 DNS lookup limit. This can cause SPF to return a 'permerror' result, leading to DMARC failure.
1 Mar 2023 - StackOverflow
Marketer view
Email marketer from SuperUser notes that if DMARC is set up for the main domain, but subdomains are sending emails without proper SPF and DKIM records, then DMARC failures are likely to occur. Ensure that all subdomains sending emails are correctly configured or use a wildcard DMARC record.
27 Oct 2021 - SuperUser
What the experts say
4 expert opinions
DMARC failures can occur even with proper SPF and DKIM due to various factors, including list server modifications, DNS issues, and email forwarding. A small percentage of failures is normal, but it's important to troubleshoot recurring issues by ensuring nameservers are in sync and DNS entries are correct. Setting up DMARC feedback loops is crucial to monitor and address these failures effectively.
Key opinions
- Normal DMARC Failures: A small percentage of emails failing DMARC is expected, even with correct SPF and DKIM configurations.
- List Server Modifications: List servers often rewrite email headers, breaking DKIM signatures and leading to DMARC failures.
- DNS Issues: DNS issues, such as out-of-sync nameservers and slow DNS resolvers, can cause DMARC failures due to UDP's lack of error correction.
- Email Forwarding: Email forwarding can alter email headers, resulting in SPF and DKIM failures and subsequent DMARC failure.
Key considerations
- DNS Synchronization: Ensure that all nameservers are in sync and DNS entries are correct to avoid DNS-related DMARC failures.
- DNS Resolver Speed: Ensure that DNS resolvers are responding quickly to prevent timing-related DMARC failures.
- List Server Configuration: List owners should re-sign messages to preserve DKIM signatures and prevent DMARC failures due to list server modifications.
- DMARC Feedback Loops: Set up DMARC feedback loops to monitor and address DMARC failures effectively by receiving reports on authentication results.
Expert view
Expert from Email Geeks suggests checking that all nameservers are in sync, DNS entries are correct, and DNS resolvers are responding quickly. DNS failures can occur due to UDP's lack of error correction.
16 Aug 2022 - Email Geeks
Expert view
Expert from Email Geeks explains that a small percentage of emails failing DMARC is not unexpected and is part of how DMARC works, even if everything is configured correctly.
29 Jul 2022 - Email Geeks
What the documentation says
3 technical articles
Even with correct SPF and DKIM, DMARC failures can occur due to email forwarding that breaks SPF/DKIM, 'From:' address mismatch with SPF/DKIM domains, or mishandling of email authentication by intermediate servers, especially if ARC validation fails.
Key findings
- Forwarding Issues: Email forwarding can cause SPF failures because the email is no longer coming from an authorized server, and DKIM failures if the content is modified.
- Address Mismatch: DMARC can fail if the 'From:' address does not match the domain used for SPF and DKIM, even if SPF and DKIM pass individually.
- Intermediate Server Handling: DMARC failures can arise if intermediate mail servers improperly handle email authentication, particularly if ARC validation fails, impacting the preservation of authentication results.
Key considerations
- Forwarding Policies: Implement policies to minimize email forwarding or ensure forwarders maintain authentication integrity.
- Address Alignment: Ensure proper alignment between the 'From:' address and the domains used for SPF and DKIM.
- ARC Implementation: Evaluate and ensure that intermediate mail servers properly support and validate ARC to maintain email authentication across multiple hops.
Technical article
Documentation from Google Workspace Admin Help explains that forwarding can cause DMARC failures. When an email is forwarded, the SPF record will fail because the email is no longer coming from an authorized server. If the forwarder also modifies the message content, the DKIM signature will fail as well. This can happen even if the original email passed DMARC checks.
10 Jul 2024 - Google Workspace Admin Help
Technical article
Documentation from Microsoft highlights that DMARC failures can occur even with valid SPF and DKIM when intermediate mail servers don't properly handle email authentication. ARC (Authenticated Received Chain) helps preserve email authentication results across multiple hops, but if ARC validation fails, DMARC can also fail.
19 Apr 2023 - Microsoft
Can email signatures, especially via Exclaimer, cause SPF or DKIM failures and impact email delivery?
Does unaligned SPF affect Gmail performance and domain reputation?
How can I troubleshoot DMARC failures and identify the cause of authentication issues?
How do I fix DKIM alignment errors and configure DKIM signing for a custom domain in Microsoft 365 and is include:spf.mtasv.net required for mailchimp?
How do I properly set up DMARC records and reporting for email authentication?
How do I troubleshoot DMARC failures and potential DKIM replay attacks affecting email deliverability?
