Suped

Summary

Experts, documentation, and email marketers agree that DMARC failures, even with passing SPF and DKIM, are primarily due to alignment issues. Alignment means the domain used for SPF or DKIM authentication must match the domain in the 'From' header. DMARC acts as a policy layer on top of SPF and DKIM, and it's designed to prevent phishing and spam. Other potential issues include email forwarding and incorrect subdomain reporting. While less common, problems with body hashing can also cause signature failures.

Key findings

  • Alignment is the Top Reason: Lack of alignment between the authenticated domain (SPF or DKIM) and the 'From' domain is the most common cause of DMARC failure.
  • SPF/DKIM Passing Not Enough: Passing SPF and DKIM is necessary but not sufficient for DMARC to pass. Alignment is also required.
  • DMARC as Policy Layer: DMARC functions as a policy layer on top of SPF and DKIM, allowing domain owners to specify how email receivers should handle messages that fail authentication.
  • Forwarding Breaks DMARC: Email forwarding can disrupt SPF and DKIM alignment, leading to DMARC failures.
  • Subdomain Reporting is Key: Check DMARC reports specifically for the sending subdomain, as policies may differ from the parent domain.

Key considerations

  • Check SPF/DKIM Alignment: Carefully verify that the domain used for SPF (MAIL FROM) and DKIM (d= tag) matches the domain in the 'From' header.
  • Review DMARC Reports Regularly: Analyze DMARC reports to identify alignment issues and potential spoofing activity.
  • Implement Forwarding Solutions: Consider solutions for email forwarding, such as SRS (Sender Rewriting Scheme) or DKIM signing by the forwarding server.
  • Correctly Configure Subdomains: If using subdomains for sending, ensure their DMARC records are properly configured.
  • Look for DMARC Non-Compliant tabs: Some services segment data under a 'DMARC Non-Compliant' tab, which indicates there's an issue.
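
The alignment check described above, as an added example that is not code from the original page: it evaluates SPF and DKIM results against the 'From' domain in relaxed and strict mode. The suffix set, function names and sample domains are assumptions made for illustration; real receivers derive the organizational domain from the Public Suffix List.

```python
# Added example: simplified DMARC identifier-alignment check.
# Assumption: SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
SUFFIXES = {"com", "net", "org", "fr", "co.uk"}

def org_domain(domain):
    """Return the organizational domain: longest known suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback for suffixes not in the sample set

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, spf, dkim, record):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed cases: From domain example.org, mail sent through a third party.
# "forwarded" models a forwarder that breaks both SPF and the DKIM signature.
CASES = {
    "esp_defaults": (("pass", "bounces.example.net"), [("pass", "example.net")], "v=DMARC1; p=reject"),
    "custom_dkim": (("pass", "bounces.example.net"), [("pass", "mail.example.org")], "v=DMARC1; p=reject"),
    "strict_dkim": (("pass", "bounces.example.net"), [("pass", "mail.example.org")], "v=DMARC1; p=reject; adkim=s"),
    "forwarded": (("fail", "example.org"), [("fail", "example.org")], "v=DMARC1; p=reject"),
}

def run_cases():
    return {name: dmarc_result("example.org", *args)["dmarc"] for name, args in CASES.items()}

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name}: {verdict}")
```

The "esp_defaults" case is the situation this page describes: SPF and DKIM both pass for the sending service's own domain, yet neither aligns with the 'From' domain, so DMARC fails.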

What email marketers say

13 marketer opinions

DMARC failures, despite passing SPF and DKIM, primarily stem from alignment issues. This means that the domain used for SPF or DKIM authentication doesn't match the domain presented in the 'From' header. Forwarding can also disrupt DMARC. DMARC builds on SPF and DKIM by adding a policy layer. Checking subdomain versus organizational domain reporting is important. DMARC helps to validate email authenticity and protect against spoofing and phishing.

Key opinions

  • Alignment is Key: DMARC relies on alignment between the authenticated domain (SPF or DKIM) and the 'From' domain. If these don't match, DMARC fails.
  • Passing SPF/DKIM is Insufficient: Simply passing SPF and DKIM isn't enough; alignment is a separate requirement for DMARC compliance.
  • Subdomain Reporting: Ensure you're reviewing DMARC reports for the correct subdomain, as it might have a different policy than the organizational domain.
  • Forwarding Issues: Email forwarding can break SPF and DKIM alignment, leading to DMARC failures.
  • DMARC Policy: DMARC carries instructions for handling emails that fail authentication checks (SPF and DKIM). An email that fails the DMARC check is handled according to the policy of the domain owner.

Key considerations

  • Check Alignment: Verify that the SPF 'MAIL FROM' domain and the DKIM 'd=' tag domain match the 'From' header domain.
  • Review DMARC Reports: Analyze DMARC reports to identify alignment failures and potential spoofing activity.
  • Address Forwarding: Implement solutions to handle forwarding scenarios, such as DKIM signing by the forwarding server.
  • Configure SPF and DKIM: Make sure you configure SPF and DKIM to use the same domain as the 'From' address.
  • Review Organizational Mismatch: DMARC checks the domain of the 'From' header against the authentication results. If these don't align, DMARC will fail, leading to deliverability issues.

Marketer view

Email marketer from Email Marketing Forum responds that even if SPF and DKIM records pass, a DMARC failure can occur if there's an organizational mismatch. DMARC checks the domain of the 'From' header against the authentication results. If these don't align, DMARC will fail, leading to deliverability issues.

21 Aug 2024 - Email Marketing Forum

Marketer view

Email marketer from Email Geeks explains that a UI saying 'passing' for SPF and DKIM is not the same as 'aligned' in the DMARC sense; it just means that they are not broken.

14 Aug 2023 - Email Geeks

What the experts say

4 expert opinions

The experts agree that the primary reason for DMARC failing despite passing SPF and DKIM is an alignment issue. This means the domain used for authenticating the email (via SPF or DKIM) doesn't match the domain in the 'From' header. While other issues like body hashing could contribute, alignment is the most common culprit.

Key opinions

  • Alignment is Key: DMARC requires alignment between the SPF/DKIM authenticated domain and the 'From' domain.
  • Passing is Not Enough: Valid SPF and DKIM records are necessary but not sufficient for DMARC to pass; they must also align.
  • Domain Consistency: Ideally, the domains used in the SPF and DKIM values should be the same as the '.fr' domain in the 'From' header.
  • Possible Body Hashing Issues: While less common, problems with body hashing can also cause signature failures and DMARC issues.

Key considerations

  • Verify Alignment: Ensure the domains used for SPF and DKIM authentication fully match the 'From' header domain.
  • Check Domain Configuration: Confirm that the '.fr' domain is correctly configured in both SPF and DKIM records.
  • Investigate Body Hashing: If alignment is correct, examine the email for potential body hashing issues that might be invalidating the DKIM signature.

Expert view

Expert from Email Geeks suggests the DMARC failure might stem from an alignment issue or a problem with body hashing causing signature failure.

18 Feb 2024 - Email Geeks

Expert view

Expert from Email Geeks clarifies that a DMARC alignment issue means one of the domains in the SPF and DKIM values has to be the .fr domain, ideally both.

10 Jan 2025 - Email Geeks

What the documentation says

4 technical articles

The documentation highlights that DMARC failures, despite passing SPF and DKIM, are typically due to alignment issues. The domain used for SPF or DKIM verification must match the domain in the 'From' header. DMARC builds upon SPF and DKIM by adding a policy layer that enables domain owners to dictate how email receivers should handle messages failing SPF and DKIM checks, protecting against unauthorized use, phishing, and spam.

Key findings

  • Alignment is Crucial: DMARC mandates alignment between the domain used for SPF or DKIM authentication and the domain present in the 'From' header.
  • SPF/DKIM Alone Insufficient: Passing SPF and DKIM is not enough to ensure DMARC compliance; alignment is a separate and essential requirement.
  • DMARC as a Policy Layer: DMARC functions as a policy layer built upon SPF and DKIM, allowing domain owners to specify how email receivers should handle authentication failures.
  • Protection Against Abuse: DMARC is designed to safeguard email domains from unauthorized use, including phishing and spam attacks.

Key considerations

  • Verify Alignment Settings: Ensure that SPF alignment (MAIL FROM domain matching From domain) or DKIM alignment (d domain in DKIM signature matching From domain) is correctly configured.
  • Configure DMARC Records: Set up a TXT record in the DNS settings of your domain to specify how email receivers should handle messages that fail DMARC checks.
  • Address Unauthorized Use: Implement DMARC to protect your domain from phishing, spam, and other unauthorized activities.

Technical article

Documentation from Microsoft explains that DMARC is designed to protect email domains from being used for unauthorized purposes, such as phishing and spam. DMARC is set up by creating a TXT record in the DNS settings for your domain, which specifies how email receivers should handle emails that fail DMARC checks.

10 Feb 2023 - Microsoft

Technical article

Documentation from RFC explains that DMARC builds on top of SPF and DKIM by adding a policy layer. It allows domain owners to specify how email receivers should handle messages that fail SPF and DKIM checks, addressing the problem of unauthorized use of their domains.

11 Apr 2022 - RFC 6376
