Why does DMARC authentication fail when SPF and DKIM pass, and how can it be fixed?

Key findings

• Alignment requirement: DMARC mandates that either the SPF-authenticated domain or the DKIM-signed domain (or both) must align with the From: header domain.
• SPF alignment: For SPF, alignment means the envelope-from (or MailFrom) domain must match or be a subdomain of the From: header domain.
• DKIM alignment: For DKIM, alignment means the domain specified in the d= tag of the DKIM signature must match or be a subdomain of the From: header domain.
• Email forwarding: Forwarding services often rewrite the envelope-from address, which breaks SPF alignment and can cause DMARC to fail for legitimately forwarded emails.
• Third-party senders: Many email service providers (ESPs) or third-party sending services might sign emails with their own domain (passing DKIM) or use their own sending domain (passing SPF), but if these domains do not align with your From: header, DMARC will fail.

Key considerations

• Review DMARC reports: Regularly analyze your DMARC aggregate reports (RUA) to pinpoint the exact reasons for dmarc=fail results, particularly noting alignment failures. This data is crucial for diagnosing issues.
• Check DMARC policy: Ensure your DMARC policy is appropriate for your sending patterns. A p=reject or sp=reject policy can lead to legitimate emails being blocked if alignment is not consistently achieved.
• Proper configuration with third parties: When using third-party email senders, configure them to authenticate using your domain (e.g., set up a CNAME for DKIM or include their IPs in your SPF record), ensuring they align with your From: header domain.
• Utilize ARC (Authenticated Received Chain): If email forwarding is a common use case, implementing ARC can help preserve authentication results across intermediary hops, preventing DMARC failures due to SPF breaking. More information can be found on DMARC.org's ARC page.

Key opinions

• Visual content impact: A common observable issue from DMARC failures is the inability for images to load within emails, which severely degrades the recipient's experience and the effectiveness of marketing campaigns.
• Third-party sending complexity: Marketers frequently use ESPs and other platforms that might use their own sending domains, which can pass SPF or DKIM but still cause DMARC alignment failures for the primary brand domain.
• Forwarding dilemma: Legitimate email forwarding can inadvertently break SPF alignment, leading to DMARC failure on otherwise valid messages.
• Strict policies: Implementing a strict DMARC policy (like p=reject) without proper alignment can inadvertently block desirable email traffic, impacting email deliverability.

Key considerations

• Gradual policy implementation: Start with a DMARC policy of p=none to monitor reports and identify all legitimate sending sources before moving to quarantine or reject.
• Aligning third-party senders: Work with your ESPs to ensure they are configured to send emails that align with your brand's From: header domain for both SPF and DKIM. This may involve specific CNAME records or including their IP addresses in your SPF record.
• Consistent monitoring: Regularly review DMARC reports and run tests to catch any new or recurring alignment issues that could impact campaigns. The Kinsta blog offers more advice on how to fix DMARC fail errors.
• Subdomain policy awareness: Be mindful of your sp (subdomain policy) tag in your DMARC record, as it can be particularly impactful for complex email architectures involving multiple subdomains.

Key opinions

• Alignment over authentication: Experts emphasize that while SPF and DKIM verify the sending server or message integrity, DMARC's unique contribution is the alignment check against the From: header domain.
• Forwarding breaks SPF: Email forwarding is a notorious cause of DMARC failure because the envelope-from address changes during transit, breaking SPF alignment for the original domain.
• Complex domain interactions: A 'tossed salad of domains' within an email's authentication results indicates a convoluted sending path that is prone to DMARC failure, especially if the From: header domain is not consistently aligned.
• Subdomain policy pitfalls: A strict DMARC subdomain policy (sp=reject) can prevent legitimate email from being delivered if subdomains are not carefully managed for DMARC alignment.
• ARC's role: ARC is a crucial mechanism for preserving authentication results across mail relays, helping DMARC pass even after legitimate modifications by forwarding servers.

Key considerations

• Deep header analysis: Thoroughly inspect full email headers to understand how SPF, DKIM, and DMARC authentication results are interpreted at each hop, identifying where alignment breaks occur.
• Strategic DMARC policy adjustments: Carefully consider adjusting your DMARC policy, particularly the subdomain policy (sp), if you use complex sending architectures that involve multiple domains or forwarding.
• Sender reputation awareness: Be aware that anomalous IP sending behavior or overly strict DKIM implementations can raise red flags with receiving mail servers, contributing to DMARC failure despite passing initial checks.
• Proactive monitoring: Maintain robust DMARC report monitoring to quickly identify and address any emerging alignment issues. As eSecurity Planet explains, third-party senders often cause alignment issues.

Key findings

• RFC 7489 (DMARC) core principle: DMARC requires that an email passes either SPF or DKIM, and, critically, that the domain used for that authentication check aligns with the domain found in the email's From: header (RFC 5322.From).
• SPF alignment modes: SPF alignment can be 'strict' (exact domain match) or 'relaxed' (allows subdomains). Even if SPF passes, if the MailFrom domain does not align as per the DMARC policy, DMARC will fail.
• DKIM alignment modes: Similarly, DKIM alignment can be 'strict' or 'relaxed'. The domain in the DKIM d= tag must align with the From: header domain for DMARC to pass DKIM-based authentication.
• DMARC policy actions: The DMARC policy tags p= (for the organizational domain) and sp= (for subdomains) dictate the actions taken on emails that fail DMARC checks, ranging from 'none' to 'quarantine' or 'reject'.
• Aggregate reports (RUA): DMARC documentation specifies the format and content of aggregate reports, which are XML files providing data on authentication and alignment results for emails sent from a domain, crucial for diagnosing failures.

Key considerations

• Understanding tag meanings: Familiarize yourself with all DMARC tags and their meanings, including adkim and aspf for alignment modes, to accurately configure your policy.
• Standard compliance: Adhere strictly to the DMARC RFC (and related SPF/DKIM RFCs) when configuring your DNS records. Errors in syntax can lead to parsing failures, impacting DMARC validation.
• Role of ARC in forwarding: Documentation on ARC (Authenticated Received Chain) is critical for understanding how to maintain DMARC authentication across forwarding paths that would otherwise break SPF alignment. RFC 8617 details ARC.
• Holistic view of authentication: Documentation highlights that DMARC is not a standalone solution, but rather builds upon SPF and DKIM. A comprehensive understanding of all three is necessary to troubleshoot DMARC failures effectively.