Summary
A lower DMARC percentage in Google Postmaster Tools (GPT) despite passing SPF and DKIM usually stems from DMARC alignment failures. GPT shows pass rates, not alignment. DMARC requires the domain used for SPF/DKIM authentication to align with the 'From' header domain. Common issues include: email forwarding disrupting SPF/DKIM alignment, incorrect configuration with third-party ESPs, DNS misconfigurations, DKIM alignment failure where the 'd=' tag doesn't match the 'From' domain, and sometimes even incorrect setup of the DMARC record itself.
Key findings
- DMARC Alignment: DMARC alignment requires that the SPF/DKIM authentication domain matches the 'From' header domain.
- Forwarding Issues: Email forwarding can break SPF and disrupt DKIM alignment.
- Third-Party ESPs: Improper setup with ESPs can lead to alignment failures and incorrect reporting within Google Postmaster Tools.
- DNS Configuration: Incorrectly configured DNS records can disrupt SPF and DKIM alignment.
- GPT shows pass rates: Google Postmaster Tools shows pass rates not alignment rates
Key considerations
- Check DMARC Reports: Analyze DMARC reports to pinpoint alignment issues and identify failing sources.
- Verify SPF/DKIM Configuration: Ensure correct configuration of SPF and DKIM records, especially with ESPs.
- Address Forwarding: Be aware of the impact of forwarding on DMARC compliance.
- Review DNS Records: Confirm that DNS records are correctly configured.
- Setup DMARC record correctly: Ensure the DMARC record itself is setup and configured correctly
What email marketers say
12 marketer opinions
The primary reason Google Postmaster Tools (GPT) displays a lower DMARC percentage despite SPF and DKIM passing is a failure of DMARC alignment. DMARC requires that the domain used for SPF and DKIM authentication matches the domain in the 'From' header of the email. Common causes include email forwarding (which often breaks SPF and may break DKIM alignment), using third-party email services without proper configuration of the return-path or DKIM signing domain, incorrect DMARC record setup, and sending emails from servers not included in SPF records or without proper DKIM signing.
Key opinions
- DMARC Alignment: DMARC requires SPF and DKIM to align with the 'From' header domain.
- Forwarding Issues: Email forwarding often breaks SPF and can disrupt DKIM alignment.
- Third-Party Services: Incorrect configuration with third-party email services can lead to alignment failures.
- Incorrect DMARC record: The DMARC record itself may be set up incorrectly
Key considerations
- Check DMARC Reports: Review DMARC aggregate reports to identify specific alignment issues and failing sources.
- Proper Configuration: Ensure correct configuration of SPF, DKIM, and DMARC records, especially when using ESPs or multiple sending sources.
- Monitor Forwarding: Be aware that email forwarding can impact DMARC compliance; consider educating users or implementing measures to mitigate its effects.
- Verify Alignment: Confirm that the domains used for SPF and DKIM authentication align with the domain in the 'From' header.
- Setup DMARC record correctly: Ensure the DMARC record is setup and configured correctly so that reporting works correctly and emails can be authenticated.
Marketer view
Email marketer from StackExchange responds that a common reason for this is DMARC alignment failure. Even if SPF and DKIM pass, if they are not aligned with the domain in the From header, DMARC will fail. This often happens when using a third-party email service and not properly configuring the return-path or DKIM signing domain.
24 Oct 2021 - StackExchange
Marketer view
Email marketer from EasyDMARC explains that the key factor is DMARC requires both DKIM and SPF to align with the 'Header From' domain. If SPF or DKIM pass, but do not align then DMARC will fail.
18 Aug 2021 - EasyDMARC
What the experts say
5 expert opinions
Google Postmaster Tools (GPT) displays the percentage of emails passing SPF, DKIM, and DMARC checks for the registered domain, not alignment percentages. A lower DMARC percentage, despite passing SPF and DKIM, indicates an alignment issue between the authenticated domain and the 'From' header domain. Failures are detailed in DMARC reports. If SPF alignment fails and an ESP is sending emails the registered domain won't show as a pass. If DKIM alignment fails it means the domain in the 'd=' tag of the DKIM signature does not match the domain in the From: header
Key opinions
- GPT Shows Pass Rates: GPT displays the percentage of emails passing SPF, DKIM, and DMARC, not alignment percentages.
- Alignment Issues: Lower DMARC percentage indicates alignment problems between the authenticated domain and the 'From' header domain.
- DMARC Reports: DMARC failure specifics are detailed in DMARC aggregate reports.
- DKIM Alignment Failure: DKIM alignment can fail when the domain in the DKIM signature does not match the domain in the From: header.
Key considerations
- Review DMARC Reports: Analyze DMARC reports to pinpoint alignment issues and identify the sources of failing messages.
- Check Domain Alignment: Ensure the SPF and DKIM authenticated domains align with the 'From' header domain.
- GPT Limitations: GPT may not reflect correct authentication if an ESP is sending emails
Expert view
Expert from Email Geeks explains that Google Postmaster Tools (GPT) doesn't show alignment data. It shows: SPF data for the domain that is registered, DKIM data for the domain that is registered, and DMARC data for the domain that is registered. Failures will be included in the DMARC reporting. Laura also adds that the data shows a fraction of mail using the registered domain is not aligned and possible reasons include a DNS failure or unauthenticated mail. If there is no DMARC report data to review, then it could be treated as a transient failure.
10 Mar 2024 - Email Geeks
Expert view
Expert from Email Geeks clarifies that GPT shows what percentage of mail using a particular domain for authentication actually passes authentication and that isn’t alignment. Laura also explains that it is totally possible for mail to be 100% in alignment, and have a percentage of that mail fail SPF because sending mail from an IP that is not in the SPF record. GPT shows the results of authentication for the authenticated domain. It does not show alignment %.
7 Dec 2022 - Email Geeks
What the documentation says
4 technical articles
Lower DMARC percentages in Google Postmaster Tools, despite passing SPF and DKIM, are primarily due to DMARC alignment failures. DMARC mandates that the 'From' address domain aligns with the domain used for SPF or DKIM authentication. SPF alignment requires the 'Return-Path' domain to match, while DKIM alignment requires the 'd=' domain to match the 'From' address domain. Incorrect DNS record configurations and forwarding can also lead to alignment issues and DMARC failures.
Key findings
- DMARC Alignment Requirement: DMARC requires alignment between the 'From' address domain and the domain used for SPF or DKIM authentication.
- SPF Alignment: SPF alignment necessitates that the 'Return-Path' domain matches the 'From' address domain.
- DKIM Alignment: DKIM alignment mandates that the 'd=' domain matches the 'From' address domain.
- Incorrect DNS Configuration: Improper DNS record setup can disrupt SPF and DKIM alignment.
- Email Forwarding: Forwarding can cause SPF and DKIM to fail alignment requirements.
Key considerations
- Verify DMARC Alignment: Ensure the domain in the 'From' address matches the domains used for SPF and DKIM authentication.
- Check DNS Records: Confirm that SPF and DKIM records are correctly configured to support alignment.
- Address Forwarding Issues: Consider the impact of forwarding on DMARC and implement mitigation strategies if necessary.
Technical article
Documentation from Google explains that even if SPF and DKIM are passing, DMARC can fail if the domain in the 'From' address doesn't match the domain used to authenticate the email (SPF or DKIM). This is due to DMARC's alignment requirement. Forwarding can also cause issues, as it may break SPF and/or DKIM.
14 Nov 2023 - Google
Technical article
Documentation from Microsoft explains that in addition to SPF and DKIM passing checks, DMARC also requires alignment between the 'Header From' domain that users see and the domain that passed authentication. If an email passes SPF or DKIM without alignment, then DMARC can fail.
5 Jun 2023 - Microsoft
Does Google Postmaster Tools (GPT) data include Google Workspace accounts, or only Gmail.com accounts?
How accurate is the spam data shown in the new Google Postmaster Tools and how can I get data to appear?
How do I add a TXT record to a DNS configuration for Google Postmaster?
How does Google Postmaster compliance work and what are the volume thresholds for bulk senders?
How does Google Postmaster Tools track domain reputation and handle subdomains?
What are common confusions in email authentication and DMARC reporting?
