Why does DMARC authentication fail when SPF and DKIM pass, and how can it be fixed?
Matthew Whittaker
Co-founder & CTO, Suped
Published 19 Jun 2025
Updated 13 Oct 2025
8 min read
Email authentication protocols like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are foundational for email security and deliverability. They help receiving mail servers verify that an email indeed came from the domain it claims to be from, reducing spam and phishing.
However, it can be perplexing when your emails consistently pass SPF and DKIM checks, yet DMARC (Domain-based Message Authentication, Reporting, and Conformance) still fails. This scenario often leaves senders scratching their heads, wondering why their legitimate emails are being flagged or even rejected.
The key to understanding this paradox lies in the concept of DMARC alignment. DMARC doesn't just check whether SPF or DKIM passed; it also verifies that the authenticated domain aligns with the From: header domain, which is the domain users actually see.
DMARC builds upon SPF and DKIM by adding a crucial layer of policy and reporting, but its core function hinges on domain alignment. For an email to pass DMARC, at least one of SPF or DKIM must not only pass authentication, but also be aligned with the domain in the RFC5322 From: header. This alignment can be either relaxed (partial match) or strict (exact match).
SPF alignment
For SPF alignment, DMARC checks if the domain in the Return-Path header (also known as the MAIL FROM or envelope from domain) matches or is a subdomain of the domain in the From: header. If these domains do not align, SPF might pass, but DMARC will fail. This often happens with third-party sending services that use their own domains for the MAIL FROM address.
DKIM alignment
For DKIM alignment, DMARC checks if the domain in the DKIM d= tag (the signing domain) matches or is a subdomain of the From: header domain. Similar to SPF, if DKIM authenticates successfully but the domains don't align, DMARC will not pass. You can learn more about this on Stack Exchange's explanation of DMARC failures.
Understanding alignment modes
DMARC allows for two types of alignment modes: relaxed and strict. Relaxed alignment permits authenticated subdomains to align with the organizational domain in the From: header. Strict alignment, on the other hand, demands an exact match.
Relaxed alignment
SPF: If MAIL FROM domain is mail.example.com and From: domain is example.com, it passes.
DKIM: If DKIM d= domain is mail.example.com and From: domain is example.com, it passes.
Strict alignment
SPF: Both MAIL FROM and From: domains must be an exact match, e.g., example.com for both.
DKIM: Both DKIM d= and From: domains must be an exact match, e.g., example.com for both.
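To make the alignment rules above concrete, here is an added example (not code from the original article) that evaluates a message the way a DMARC-aware receiver does: it takes the raw SPF and DKIM results plus the three domains involved and reports whether each identifier is aligned under relaxed or strict mode. The organizational-domain rule is simplified to "last two labels" for illustration; real receivers consult the Public Suffix List.

```python
# Added example: DMARC alignment check from per-message authentication results.
# Assumption: organizational domain = last two labels (no Public Suffix List).
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organizational domain, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode is 's' (strict) or 'r' (relaxed), as in the aspf= / adkim= tags."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f                      # strict: exact match only
    return org_domain(a) == org_domain(f)  # relaxed: same organizational domain


@dataclass
class AuthResult:
    from_domain: str   # RFC5322 From: domain (what the user sees)
    mail_from: str     # Return-Path / envelope-from domain checked by SPF
    spf_pass: bool     # raw SPF result for that domain
    dkim_d: str        # DKIM d= signing domain
    dkim_pass: bool    # raw DKIM signature verification result


def dmarc_evaluate(r: AuthResult, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if at least one identifier both authenticates AND aligns."""
    spf_aligned = r.spf_pass and aligned(r.mail_from, r.from_domain, aspf)
    dkim_aligned = r.dkim_pass and aligned(r.dkim_d, r.from_domain, adkim)
    return {
        "spf_pass": r.spf_pass, "spf_aligned": spf_aligned,
        "dkim_pass": r.dkim_pass, "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed case: an ESP sends with its own bounce domain and its own DKIM key.
# SPF and DKIM both pass, but neither identifier aligns with example.com.
esp_default = AuthResult("example.com", "bounce.esp-provider.example", True,
                         "esp-provider.example", True)
# Constructed case: same ESP after custom-domain CNAMEs point both identifiers
# at a subdomain of example.com (passes relaxed, fails strict).
esp_custom = AuthResult("example.com", "mail.example.com", True,
                        "mail.example.com", True)
```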
Common scenarios leading to DMARC failure
Several common scenarios can lead to DMARC failure, even when SPF and DKIM appear to be correctly implemented and pass their individual checks. These situations often involve domain mismatches that prevent DMARC alignment.
Third-party email sending services
When you use a third-party email service provider (ESP) for marketing campaigns or transactional emails, they often send emails on your behalf. These services might use their own domain in the MAIL FROM (envelope sender) address, which SPF authenticates against. While SPF passes for their domain, it won't align with your From: header domain, causing DMARC SPF alignment to fail. Similarly, some ESPs might sign emails with their own DKIM keys, leading to DKIM alignment failures.
Email forwarding
Email forwarding is another common culprit. When an email is forwarded, the Return-Path is often preserved while the connecting IP becomes the forwarding server's. SPF then checks the forwarding server's IP against the Return-Path domain's SPF record, and that IP is not authorized, so SPF fails. While DKIM often survives forwarding, the loss of SPF alignment can still lead to DMARC failure if DKIM is not aligned either. Postmark provides a good explanation of how email forwarding can break DMARC.
Incorrect subdomain policy
Your DMARC record might specify a strict policy (e.g., sp=reject) for subdomains. If you are sending emails from a subdomain, and SPF or DKIM is authenticating the root domain or a different subdomain, this strict policy can cause DMARC to fail. This is why understanding the different DMARC tags and their meanings is crucial.
Diagnosing DMARC failures
The most effective way to understand why DMARC is failing is by regularly monitoring and analyzing your DMARC reports. These reports provide invaluable insights into email authentication results and potential issues. You can also refer to Google's guide to troubleshoot DMARC issues.
Interpreting DMARC reports
DMARC reports come in two main types: aggregate (RUA) and forensic (RUF). Aggregate reports, typically XML files, provide a high-level overview of email traffic, showing how many messages passed or failed DMARC, along with the reasons for failure (e.g., SPF misalignment, DKIM misalignment). Forensic reports provide more detail for individual email failures.
When reviewing reports, pay close attention to the alignment section for both SPF and DKIM. If a source consistently shows spf_pass but spf_aligned=false, that's a clear indicator of an SPF alignment issue. The same logic applies to DKIM. This can help you diagnose DMARC failures using DMARC reports.
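The following is an added example (not part of the original article) of the report triage described above: it parses a constructed, minimal RUA aggregate report in the RFC 7489 schema and lists every source whose raw SPF or DKIM result is pass while the DMARC-evaluated (aligned) result is fail. In the schema, auth_results carries the raw results and policy_evaluated carries the aligned ones.

```python
# Added example: find "passes but does not align" sources in a DMARC RUA report.
# SAMPLE_RUA is a constructed report, not real traffic.
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition>
    <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>esp-provider.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.esp-provider.example</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.5</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition>
    <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>mail.example.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""


def misaligned_sources(report_xml: str) -> list:
    """Rows where raw SPF or DKIM passed but the aligned DMARC result is fail."""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        row, auth = rec.find("row"), rec.find("auth_results")
        pe = row.find("policy_evaluated")
        spf_raw = auth.findtext("spf/result") == "pass"      # SPF for Return-Path
        dkim_raw = auth.findtext("dkim/result") == "pass"    # signature verified
        spf_aligned = pe.findtext("spf") == "pass"           # DMARC-aligned SPF
        dkim_aligned = pe.findtext("dkim") == "pass"         # DMARC-aligned DKIM
        if (spf_raw and not spf_aligned) or (dkim_raw and not dkim_aligned):
            findings.append({
                "source_ip": row.findtext("source_ip"),
                "count": int(row.findtext("count")),
                "header_from": rec.findtext("identifiers/header_from"),
                "spf_domain": auth.findtext("spf/domain"),
                "dkim_domain": auth.findtext("dkim/domain"),
            })
    return findings
```

A source that appears here with an ESP-owned spf_domain or dkim_domain is the custom-domain (CNAME) case discussed later on this page, not a spoofing source.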
Examining email headers
For individual messages, you can inspect the email headers. Look for the Authentication-Results header. It will show the results for SPF, DKIM, and DMARC, including details about alignment. Here’s an example of what to look for when diagnosing a DMARC failure with passing SPF and DKIM:
[Example email header showing DMARC failure despite SPF and DKIM pass]
Fixing DMARC failures when SPF and DKIM pass primarily revolves around addressing the alignment issues.
Configure alignment for third-party senders
Most reputable ESPs offer options to configure custom domains for SPF and DKIM to ensure alignment. This usually involves adding CNAME records to your DNS that point to their servers. This way, the MAIL FROM domain and the DKIM signing domain can match your From: header domain. For example, Cloudflare explains how these protocols work, which is helpful for understanding alignment.
Adjust DMARC policy gradually
If you're still in the process of setting up DMARC or troubleshooting, consider starting with a relaxed DMARC policy, such as p=none. This policy monitors emails and sends reports without affecting deliverability. Once you're confident that all legitimate email streams pass DMARC alignment, you can gradually move to p=quarantine or p=reject. Microsoft also provides guidance on DMARC configuration.
Address email forwarding impact
For email forwarding scenarios, if the forwarding service doesn't support SPF rewriting (Sender Rewriting Scheme, SRS), SPF will likely fail. In such cases, DKIM becomes the sole method for DMARC to pass. Ensure your DKIM setup is robust and aligned to carry the authentication burden, as SPF alignment will almost certainly not pass. This is a common reason why legitimate email might fail DMARC.
Review subdomain policies
If you use subdomains for sending, verify that your DMARC record's sp tag (subdomain policy) is configured correctly. If you're encountering failures, you may need to set sp=none for monitoring before enforcing stricter policies.
Views from the trenches
Best practices
Always ensure SPF and DKIM authentication records align with your From: header domain.
Implement a DMARC policy gradually, starting with p=none to monitor results without impacting deliverability.
Regularly review your DMARC reports for insights into authentication failures and potential spoofing.
Use a consistent domain for all your email sending, especially for transactional and marketing emails.
Common pitfalls
Forgetting that SPF and DKIM passing is not enough: alignment with the From: domain is also required.
Overlooking issues caused by third-party email service providers using their own sending domains.
Neglecting the impact of email forwarding on SPF alignment, which can lead to DMARC failures.
Setting a DMARC policy too strictly (p=reject) too soon, resulting in legitimate emails being blocked.
Expert tips
Focus on achieving both authentication and alignment for your primary sending domains to maximize DMARC pass rates.
Consider setting up DMARC for all your subdomains, adjusting policies as needed based on their sending practices.
Leverage DMARC aggregate reports to quickly identify sources of unauthenticated email and troubleshoot issues.
When working with third-party senders, ensure they support DMARC alignment for your domain.
Expert view
Expert from Email Geeks says that DMARC often fails because DKIM and SPF pass for domains different from the From: header domain defined in the DMARC policy.
May 24, 2018 - Email Geeks
Marketer view
Marketer from Email Geeks says that sometimes emails fail DMARC due to issues with the sending IP address.
May 24, 2018 - Email Geeks
Resolving DMARC failures for consistent deliverability
The perplexing issue of DMARC failing despite SPF and DKIM passing boils down to a fundamental requirement: domain alignment. While SPF and DKIM authenticate the sender, DMARC ensures that the authenticated domains (MAIL FROM and DKIM d=) match or align with the user-visible From: header domain.
By understanding the nuances of DMARC alignment, carefully configuring third-party sending services, and diligently monitoring DMARC reports, you can overcome these challenges. Proactive management of your email authentication records is essential for maintaining strong sender reputation and ensuring your messages reach the inbox consistently, avoiding the spam folder or being put on a blocklist (or blacklist).