Why does Google Postmaster Tools show 0% SPF success rate when SPF, DKIM, and DMARC pass?

Key findings

• Alignment focus: Google Postmaster Tools primarily reports on SPF alignment, not just whether the SPF check itself passed. The SPF domain (MailFrom or Return-Path) needs to align with the From domain (header From address) for GPMT to count it as a success.
• DMARC flexibility: DMARC only requires either SPF or DKIM to pass and align for the overall DMARC authentication to succeed. If DKIM is aligned and passing, DMARC will pass regardless of SPF alignment.
• Email service providers (ESPs): Many ESPs use their own domains for the MailFrom (Return-Path) address, which SPF checks. If this domain doesn't match your visible From domain, SPF will pass the check, but fail alignment, leading to a 0% SPF success rate in GPMT.

Key considerations

• Review email headers: Always check the original email headers in Gmail by selecting 'Show original' to see the detailed SPF, DKIM, and DMARC results, including specific domain alignments.
• Understand alignment rules: Familiarize yourself with how SPF, DKIM, and DMARC require domain alignment for a message to be fully authenticated and counted positively by GPMT. Remember, DMARC's pass-through is key.
• DMARC's importance: As long as DMARC is passing (via either SPF or DKIM alignment), your emails are still considered authenticated and are unlikely to be blocked or blacklisted due to this specific SPF anomaly.
• Legacy SPF checks: While not technically required for DMARC to pass, some older filters might still check SPF on the visible From domain. This is a remnant of SPF2.0 (SenderID), but generally, it is not the primary concern if DMARC passes.

Key opinions

• Initial confusion: Many marketers are surprised by the 0% SPF rate in GPMT, particularly when they've diligently set up SPF records and email headers confirm a pass result.
• Alignment as the culprit: The prevailing understanding among marketers is that GPMT is reporting on SPF alignment, not just the raw SPF pass/fail.
• Header review is key: Marketers often rely on checking Show Original in Gmail to confirm individual authentication passes, which can contrast with GPMT data.
• ESP practices: Many ESPs manage SPF via their own return-path domains, which means the SPF record on the sender's main domain might not be directly used for alignment, contributing to the GPMT discrepancy.

Key considerations

• Prioritize DMARC pass: If DMARC and DKIM are consistently passing at 100%, the 0% SPF rate in GPMT is often not a critical issue for deliverability, as DMARC covers authentication through either method.
• Understand GPMT nuances: Marketers should understand that GPMT's SPF metric is specifically about aligned SPF, rather than a simple pass/fail of the SPF record itself.
• Mailed-by vs. signed-by: In Gmail, Mailed-by signifies SPF alignment, while Signed-by indicates DKIM alignment. Both must exist and pass for these indicators to appear.
• SPF record deployment: Even if SPF is handled by a third-party via the return-path, having a correct SPF record on your main sending domain (your From domain) is still a good belt and suspenders approach to help with divergent SPF processing by some servers.

Key opinions

• Alignment is paramount: The 0% SPF in GPMT specifically indicates a lack of SPF alignment, meaning the MailFrom domain does not align with the From domain, even if SPF passes for the MailFrom domain itself.
• DMARC's single pass rule: DMARC's design allows it to pass if either SPF or DKIM is successfully authenticated and aligned, making the 0% SPF rate less critical if DKIM and DMARC are passing.
• HELO domain implications: Experts point out the significance of the HELO domain matching the PTR of the sending IP. While not directly tied to GPMT's SPF alignment metric, it is crucial for avoiding blocklisting on certain blocklists (like SpamHaus).
• SPF for visible From is legacy: SPF checking the visible From domain is a remnant of SPF2.0 (SenderID), a Microsoft initiative that was later abandoned. However, some legacy filters might still perform this check.

Key considerations

• Focus on DMARC health: If your DMARC authentication rate is high, the 0% SPF rate is generally not a cause for alarm, as DMARC ensures your emails are still properly authenticated.
• Header analysis is crucial: Deep-diving into raw email headers for SPF, DKIM, and DMARC results provides the most accurate picture of your authentication status.
• Don't over-optimize SPF for From: While it doesn't hurt, dedicating extensive efforts to make SPF align with the From domain specifically for GPMT's SPF metric might be unnecessary if DMARC passes via DKIM.

Key findings

• Authentication dashboard metrics: Documentation confirms that GPMT's Authentication dashboard displays the percentage of your emails that successfully pass SPF, DKIM, and DMARC authentication.
• DMARC reliance on alignment: Official guides explain that DMARC success hinges on either SPF or DKIM passing alignment, where the authenticated domain matches the header From domain.
• Domain association: Postmaster Tools reports primarily on messages that are successfully associated with a verified domain via SPF or DKIM. If this association, including alignment, is not met for SPF, it won't be counted towards the SPF success rate.
• SPF and Return-Path: SPF generally checks the domain found in the Return-Path (or MailFrom) header. For SPF alignment, this domain must match the From header's domain.

Key considerations

• Configure for DMARC pass: Ensure your email setup prioritizes DMARC compliance, which means at least one of SPF or DKIM must pass alignment. If DKIM is consistently aligned, a 0% SPF rate in GPMT is often benign.
• Understand GPMT's scope: Documentation implies GPMT is an aggregate tool reflecting Google's view of your domain's health. It's not a real-time header debugger, and its metrics are based on aligned authentication.
• Verify DNS records: Consistently check your SPF and DKIM DNS records. Even if an ESP manages SPF for you, understanding what's published for your own domain (e.g., in your DMARC tags) can prevent unexpected issues.
• Header vs. aggregate: Recognize the difference between a single email's header results and the aggregated data presented in GPMT. They serve different purposes and may highlight different aspects of authentication.