Why is DMARC failing on my .fr domain despite passing SPF and DKIM?
Matthew Whittaker
Co-founder & CTO, Suped
Published 5 Jul 2025
Updated 16 Aug 2025
It can be frustrating when your DMARC is failing on a .fr domain, even when SPF and DKIM records appear to pass. This scenario is more common than you might think, and it often points to a misunderstanding of how DMARC (Domain-based Message Authentication, Reporting, and Conformance) truly works alongside SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
The core issue isn't whether SPF or DKIM pass the technical checks, but whether they pass with alignment. DMARC requires that the domain in the "From" header (the one your recipients see) matches the domain that passed either SPF or DKIM. If these domains don't align, DMARC will fail, regardless of individual SPF or DKIM passes.
This guide will explore the nuances of DMARC alignment, common reasons for failures on .fr domains, and practical steps to troubleshoot and resolve these issues to ensure your emails reliably reach their intended inboxes.
DMARC acts as an overarching policy that leverages SPF and DKIM. For a DMARC check to pass, at least one of SPF or DKIM must not only pass their respective authentication checks but also achieve domain alignment with the email's "From" header domain.
For SPF, alignment means the domain in the RFC5322.From header (the visible sender) must match or be a subdomain of the domain in the RFC5321.MailFrom (the envelope sender, often known as the return-path or bounce address). For DKIM, the domain in the RFC5322.From header must match or be a subdomain of the domain in the DKIM-Signature header's "d=" tag. If this alignment, also known as identifier alignment, is missing, DMARC will fail, leading to emails being rejected or quarantined, even if SPF or DKIM technically passed their checks. This is a common reason why DMARC fails when SPF and DKIM pass.
Many reporting tools might show SPF and DKIM as "passing," which simply means the authentication mechanisms themselves are correctly configured and valid. However, this "pass" status does not automatically imply DMARC alignment. You need to verify that the domains are indeed aligned according to DMARC's requirements. This distinction is crucial for effective DMARC troubleshooting.
The true meaning of SPF/DKIM 'pass'
It's a common misconception that if SPF and DKIM records are correctly set up and pass validation, DMARC will automatically follow suit. The reality is that SPF and DKIM passing simply means your sending infrastructure is authenticated per those protocols. DMARC adds an additional layer, requiring that the authenticated domain aligns with the email's human-readable "From" header. Without this alignment, DMARC will still fail.
Investigating common causes for .fr domain failures
When facing DMARC failures on a .fr domain, specific factors related to how email service providers (ESPs) handle sending for these domains, or even local regulations, might be at play. While the fundamental principles of DMARC alignment remain universal, certain regional or provider-specific configurations can complicate matters.
One common pitfall is the use of different sending domains by your ESP. Many ESPs use their own domains in the MailFrom (SPF) or DKIM d= tag, rather than your actual sending domain. If your ESP is not configured to send with your .fr domain in an aligned way (e.g., using a subdomain of your .fr domain for sending), then DMARC will fail for that reason. This issue is often seen when sending via third-party services, where the envelope sender might not match your "From" domain, leading to an SPF alignment failure.
Additionally, a recent change in your DNS provider could be a factor. If DNS records, particularly CNAMEs for DKIM or specific SPF includes, were not migrated correctly or have propagated inconsistently, it could cause intermittent or complete DMARC failures. It's crucial to confirm that all necessary DNS records for your .fr domain are correctly published and propagated across the globe.
Strict DMARC alignment (aspf=s, adkim=s)
Requirement: The organizational domain in the "From" header must exactly match the domain that passed SPF or DKIM. Subdomains are not considered aligned.
Use case: Provides the highest level of protection against spoofing. Often used by organizations with very tight control over their sending infrastructure.
Relaxed DMARC alignment (aspf=r, adkim=r)
Requirement: The organizational domain in the "From" header must match or be a subdomain of the domain that passed SPF or DKIM. For example, if your "From" header is marketing.yourdomain.fr, and SPF passes for yourdomain.fr, it would align under relaxed mode.
Use case: More flexible and commonly used, especially when sending through third-party services that use subdomains for authentication.
Troubleshooting and resolving DMARC failures
The first step in diagnosing DMARC failures, especially when SPF and DKIM report as passing, is to examine the email headers in detail. These headers contain the full authentication results and will explicitly show whether SPF and DKIM passed, and crucially, whether alignment was achieved for either. Look for the Authentication-Results header, which should include entries for DMARC, SPF, and DKIM, along with their alignment status. If your current DMARC reporting solution isn't providing sufficient detail, consider manually checking headers of emails sent from the problematic .fr domain.
Once you identify which alignment is failing (SPF, DKIM, or both), you can pinpoint the exact cause. For SPF alignment failures, you'll need to ensure your email service provider uses a MailFrom domain that aligns with your "From" header domain. If they use a different domain, you might need to enable a custom return-path or bounce domain feature within your ESP. For DKIM alignment failures, verify that the d= tag in your DKIM signature is your organizational domain or a valid subdomain of it. Your ESP should provide options for this configuration. A good resource for understanding common DMARC issues is why DMARC fails when SPF and DKIM pass.
Remember, DMARC reports (RUA and RUF) are invaluable for diagnosing these issues at scale. Even if your current reporting setup isn't showing a clear problem, it's worth reviewing the raw DMARC aggregate reports (RUA) yourself, as some interfaces might simplify data or omit critical details. Look for statistics on disposition (none, quarantine, reject) and alignment results (pass/fail for SPF and DKIM alignment). This raw data provides the clearest picture of what mailbox providers are seeing.
Example email header with an SPF alignment failure
In the example above, DKIM is aligned because the d= tag (yourdomain.fr) matches the From header. However, SPF is failing alignment because bounces@your-esp.com does not align with yourdomain.fr. Since DMARC requires at least one of SPF or DKIM to pass and be aligned, and only DKIM passed alignment here, the email still passed DMARC. If both failed alignment, DMARC would fail. This illustrates why understanding SPF and DKIM alignment is critical.
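The alignment logic described above can be checked directly against an Authentication-Results header. The following is an added example, not code from the original article: the two sample headers are constructed, `mx.example.net` is a placeholder authserv-id, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. True for
    # yourdomain.fr; production code must consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_auth_results(header):
    # Returns (spf_result, mailfrom_domain) and a list of (dkim_result, d=) pairs.
    spf, dkim = None, []
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        props = dict(re.findall(r"([\w.]+)=([^\s;()]+)", clause))
        if "spf" in props:
            spf = (props["spf"], props.get("smtp.mailfrom", "").split("@")[-1])
        elif "dkim" in props:
            dkim.append((props["dkim"], props.get("header.d", "")))
    return spf, dkim

def dmarc_verdict(from_domain, header, aspf="r", adkim="r"):
    spf, dkim = parse_auth_results(header)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    # One aligned passing signature is enough, however many signatures exist.
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample headers (not captured from real mail).
DKIM_ALIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounces@your-esp.com; "
                "dkim=pass header.d=your-esp.com; dkim=pass header.d=yourdomain.fr")
NOTHING_ALIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounces@your-esp.com; "
                   "dkim=pass header.d=your-esp.com")

if __name__ == "__main__":
    for h in (DKIM_ALIGNED, NOTHING_ALIGNED):
        print(dmarc_verdict("yourdomain.fr", h))
```

The second header is the case this article is about: SPF and DKIM both report pass, yet neither authenticated domain aligns with the From domain, so DMARC fails.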
Revisiting DMARC policy and reporting
If your .fr domain is currently at a DMARC policy of p=quarantine or p=reject and you're experiencing delivery issues, the most prudent immediate step is to temporarily reduce your DMARC policy to p=none. This policy tells receiving mail servers not to enforce any action on emails that fail DMARC, allowing them to be delivered to the inbox while you troubleshoot. This is a crucial step to prevent legitimate emails from being blocked or sent to spam folders, particularly for a critical domain such as one registered under a country code top-level domain.
While at p=none, diligently monitor your DMARC aggregate reports. These reports, sent to the email address specified in your DMARC record, provide a comprehensive overview of your email traffic, including authentication and alignment results. They will show you exactly which sending sources are failing DMARC and why, helping you identify misconfigurations or unauthorized senders. Pay close attention to the `spf_aligned` and `dkim_aligned` fields in the reports.
Once you've identified and corrected the alignment issues, you can gradually move your DMARC policy back to p=quarantine and then p=reject, monitoring reports at each stage to ensure no legitimate emails are negatively impacted. This phased approach to DMARC policy implementation minimizes risks while maximizing security.
| Check | Description | Impact on .fr domain |
| --- | --- | --- |
| Email headers | Verify SPF, DKIM, and DMARC authentication and alignment results in headers for a problematic email. Look for Authentication-Results and X-DMARC-Auth-Results. | Reveals if the domain in the "From" header (e.g., your .fr domain) aligns with SPF's MailFrom or DKIM's d= domain. Often the primary source of failure. |
| DNS records | Double-check your SPF, DKIM, and DMARC DNS records for your .fr domain for any typos, incorrect values, or propagation issues, especially after a DNS provider change. | Incorrect records, particularly for DKIM CNAMEs used by some ESPs, will lead to authentication failures, thereby DMARC failure. |
| Email service provider (ESP) settings | Ensure your ESP is configured to send emails with your .fr domain in the SPF MailFrom and DKIM d= tag, or that you've enabled custom domain features for alignment. | Many ESPs default to using their own domains, which will result in SPF and DKIM passing but failing DMARC alignment. |
| Subdomain configuration | If you're using a subdomain of your .fr domain for sending (e.g., news.yourdomain.fr), ensure it has its own explicit DMARC record or is covered by your organizational domain's record with a relaxed policy. | DMARC failures can occur if a subdomain's emails are not explicitly aligned or if the overall domain's policy is too strict for subdomain sending. |
Views from the trenches
Best practices
Adopt a phased DMARC rollout, starting with p=none to gather data before enforcing quarantine or reject policies.
Ensure SPF and DKIM domains align with your "From" header domain, using relaxed alignment if necessary for third-party senders.
Regularly monitor DMARC aggregate reports to promptly identify authentication and alignment issues for all sending sources.
Common pitfalls
Assuming SPF and DKIM "pass" automatically implies DMARC alignment, leading to unaddressed delivery failures.
Implementing p=quarantine or p=reject policies prematurely, causing legitimate emails to be blocked or sent to spam.
Overlooking subdomain DMARC policy inheritance, resulting in unexpected failures for emails sent from subdomains.
Expert tips
For complex DMARC setups, especially with multiple sending platforms or unique domain configurations, consider consulting an email deliverability specialist. Their expertise can uncover hidden issues and optimize your DMARC implementation.
If you're using a custom domain for your email links (tracking domain), ensure that it's also properly configured for DKIM to maintain alignment throughout the email's journey, even if it's not directly the From header domain. This can influence overall sender reputation.
When troubleshooting, use online email header analysis tools. These tools often provide a clear breakdown of all authentication results, including DMARC, SPF, and DKIM, and visually highlight alignment statuses, which can be more intuitive than raw headers.
Expert view
Expert from Email Geeks says an alignment issue or a problem with body hashing could be the cause.
June 8, 2021 - Email Geeks
Marketer view
Marketer from Email Geeks says that SPF and DKIM reported as 'passing' by user interfaces does not automatically mean they are aligned for DMARC. It only confirms they are not broken.
June 8, 2021 - Email Geeks
Key takeaways for DMARC success
DMARC failing on your .fr domain despite SPF and DKIM passing is almost always an alignment issue. The key is to shift focus from merely passing SPF and DKIM checks to ensuring the domains used for authentication align with your "From" header domain.
By diligently checking email headers, adjusting ESP settings for proper domain alignment, and carefully reviewing DMARC reports (even at a p=none policy), you can diagnose and resolve these complex issues. This strategic approach ensures your emails are authenticated correctly and delivered reliably, maintaining trust and improving your overall email deliverability.