Why is DMARC failing when using 'on behalf of' sending, and how can I fix it?
Matthew Whittaker
Co-founder & CTO, Suped
Published 9 Jun 2025
Updated 16 Aug 2025
8 min read
Dealing with DMARC failures can be a frustrating experience, especially when you're sending emails on behalf of another domain. Many assume that if SPF and DKIM pass their respective authentication checks, DMARC will automatically follow suit. However, this isn't always the case. I've seen situations where an email service provider (ESP) correctly sets up SPF and DKIM, but the emails still bounce due to a DMARC policy violation on the customer's domain.
A common scenario involves an ESP sending emails for a client. The client updates their SPF record to include the ESP's sending infrastructure, and the ESP signs the emails with its own DKIM key. The From: header of the email will then typically look something like 'customer@domain.com on behalf of marketing.partnerdomain.com'. While SPF and DKIM might technically pass, the crucial element often missing is DMARC alignment.
The core problem usually boils down to DMARC's stringent alignment requirements. DMARC necessitates that either the domain used for SPF authentication (the Return-Path or Mail-From) or the domain used for DKIM authentication (the d= tag in the DKIM signature) must align with the visible From: header domain. If neither aligns, DMARC fails, regardless of whether SPF or DKIM individually pass. This guide will explore why this happens and how you can resolve it.
DMARC is built upon SPF and DKIM, but it adds an extra layer of validation known as alignment. For DMARC to pass, at least one of these authentication methods (SPF or DKIM) must be aligned with the From: domain, which is the email address visible to the recipient. This is a critical distinction, as SPF and DKIM can pass authentication checks without necessarily aligning with the From: domain.
SPF alignment compares the RFC5321.MailFrom domain (the Return-Path, often hidden from the end user) with the From: header domain. If the Return-Path domain is the ESP's domain but the From: header is the customer's domain, SPF will not align. This is a common issue that causes a DMARC failure even if SPF passes.
DKIM alignment requires that the domain specified in the DKIM signature's d= tag matches the From: header domain. If the ESP signs emails with its own domain (e.g., d=espsending.com) while the From: header shows customerdomain.com, DKIM will not align. This is a common scenario for DMARC failure, even if DKIM authentication itself passes. For DMARC to pass, only one of SPF or DKIM needs to achieve alignment. This is detailed in our simple guide to DMARC, SPF, and DKIM.
Authentication method, authentication check, and DMARC alignment check:
SPF
  Authentication check: The sending IP is authorized by the Return-Path domain's SPF record.
  DMARC alignment check: The Return-Path domain matches the From: header domain.
DKIM
  Authentication check: The email's signature is valid and matches the public key in the d= domain.
  DMARC alignment check: The d= domain in the DKIM signature matches the From: header domain.
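The alignment rule from the table, worked through for the article's three setups (ESP default signing, custom DKIM for the customer, and sending from a customer subdomain). This is an added example written for this page, not the article's own code or any ESP's implementation; the domains are placeholders, and the organizational-domain reduction uses a tiny constructed suffix set in place of the real Public Suffix List. It also covers relaxed versus strict alignment, which the article does not go into.

```python
"""DMARC alignment evaluator for 'on behalf of' sending.

Added example, not the article's own code. DMARC passes only if SPF or DKIM
both authenticates *and* aligns with the visible From: domain. The suffix
set below is a constructed stand-in for the Public Suffix List (assumption).
"""
from dataclasses import dataclass, field

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Reduce e.g. 'bounce.espsending.com' to 'espsending.com'."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    only needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


@dataclass
class Message:
    header_from: str          # RFC5322.From domain (what the recipient sees)
    mail_from: str            # RFC5321.MailFrom / Return-Path domain
    spf_result: str           # SPF result for mail_from: "pass", "fail", ...
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified


def evaluate_dmarc(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """Return the DMARC verdict plus the reason each identifier did not help."""
    spf_auth = msg.spf_result == "pass"
    spf_aligned = spf_auth and aligned(msg.mail_from, msg.header_from, aspf)
    dkim_aligned = [d for d in msg.dkim_pass_domains if aligned(d, msg.header_from, adkim)]

    reasons = []
    if not spf_auth:
        reasons.append(f"SPF did not pass for {msg.mail_from}")
    elif not spf_aligned:
        reasons.append(f"SPF passed for {msg.mail_from} but it does not align with {msg.header_from}")
    if not msg.dkim_pass_domains:
        reasons.append("no valid DKIM signature")
    elif not dkim_aligned:
        reasons.append(f"DKIM passed for {', '.join(msg.dkim_pass_domains)} "
                       f"but none align with {msg.header_from}")

    return {
        "pass": spf_aligned or bool(dkim_aligned),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "reasons": reasons,
    }


# Constructed scenarios from the article (placeholder domains).
ESP_DEFAULT = Message("customerdomain.com", "bounce.espsending.com", "pass", ["espsending.com"])
CUSTOM_DKIM = Message("customerdomain.com", "bounce.espsending.com", "pass",
                      ["espsending.com", "customerdomain.com"])
SUBDOMAIN = Message("marketing.customerdomain.com", "bounce.customerdomain.com", "pass",
                    ["espsending.com"])

if __name__ == "__main__":
    for name, msg in [("ESP default", ESP_DEFAULT), ("custom DKIM", CUSTOM_DKIM), ("subdomain", SUBDOMAIN)]:
        verdict = evaluate_dmarc(msg)
        print(f"{name}: DMARC {'pass' if verdict['pass'] else 'fail'}; " + "; ".join(verdict["reasons"]))
```

Note that the subdomain setup passes only under relaxed SPF alignment (aspf=r, the default); with aspf=s the Return-Path bounce.customerdomain.com and the From: marketing.customerdomain.com no longer match, which is why a domain that publishes strict alignment also needs the custom DKIM signature.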
Common scenarios leading to 'on behalf of' DMARC failures
The most frequent reason for DMARC failures in on behalf of sending is a misalignment of the domains. Even if the customer adds the ESP's IP addresses to their SPF record, the Return-Path will often be the ESP's domain, not the customer's, so SPF won't align. Similarly, if the ESP signs the email with its own DKIM key (d=espsending.com) and the customer hasn't set up a custom DKIM record with the ESP, DKIM also won't align with the customer's From: domain. This leads to DMARC failure. You can learn more about general DMARC failures and their impact on email deliverability here.
I've observed that some customers use dynamic SPF services, which can add another layer of complexity. While these services help manage the 10-lookup limit for SPF records, they don't inherently solve the alignment issue. The domain that ultimately handles the SPF check still needs to match the From: header for DMARC SPF alignment. If SPF is not aligning, the fallback is to ensure DKIM alignment.
When a domain has a DMARC policy set to p=reject, emails that fail DMARC alignment will be rejected outright by recipient mail servers. This makes troubleshooting extremely difficult, as you won't see the messages in quarantine or the inbox. This stringent policy is why it's crucial to ensure proper alignment, especially when third parties are sending on your behalf. Kinsta provides a helpful article explaining how to fix DMARC errors in general, which touches upon some of these concepts.
The impact of p=reject
Email rejection: Emails failing DMARC will not be delivered to the recipient's inbox or spam folder.
Troubleshooting difficulty: Without seeing the email in the recipient's mailbox or quarantine, diagnosing the exact cause of failure can be challenging.
Lost legitimate emails: Important communications can be lost, impacting business operations or customer relations.
Diagnosing and troubleshooting DMARC issues
When facing DMARC failures, the first step is always to analyze your DMARC reports. These XML reports provide valuable insights into which emails are passing or failing DMARC, and for what reasons. If your DMARC policy is currently set to p=none, you'll receive reports without affecting email delivery, allowing for safe diagnosis. You can find more information on understanding and troubleshooting DMARC reports in our dedicated guide.
Beyond reports, inspecting the full email headers of a failed message is crucial. Look for the Authentication-Results header, which explicitly states the pass/fail status for SPF, DKIM, and DMARC, along with alignment details. This will quickly show you if SPF or DKIM alignment is the culprit. You can sometimes send a test email to a non-blocking test address provided by a DMARC analysis service to get detailed insights.
A common bounce message you might see for a DMARC failure on a p=reject policy looks like this:
Example DMARC Failure Bounce Message
smtp550: 5.7.26 Unauthenticated mail from domain.com is not accepted due to domain.com's DMARC policy (reject)
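To make the aggregate-report analysis above concrete, here is an added example (not the article's own code) that triages a DMARC RUA report and separates the "authenticated but misaligned" records, which is exactly the on behalf of symptom, from genuinely unauthenticated mail. The XML is constructed to follow the aggregate report layout; the IPs, domains, selector names and counts are placeholders. Reports that arrive from the internet are untrusted input, so parse them with defusedxml rather than the standard library parser used here for the constructed sample.

```python
"""Triage a DMARC aggregate (RUA) report for 'authenticated but misaligned' mail.

Added example, not the article's own code. SAMPLE_REPORT is constructed; its
addresses, domains, selectors and counts are placeholders. For real reports,
use defusedxml.ElementTree instead of xml.etree to avoid XML entity attacks.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>customerdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>customerdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>espsending.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.espsending.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.11</source_ip><count>80</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>customerdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>customerdomain.com</domain><selector>esp1</selector><result>pass</result></dkim>
      <spf><domain>bounce.espsending.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>customerdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>customerdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify_record(rec) -> dict:
    """Label one <record>: 'aligned' (DMARC passed), 'misaligned' (raw SPF/DKIM
    passed for some domain but nothing aligned: the on-behalf-of symptom), or
    'unauthenticated' (nothing passed at all)."""
    row = rec.find("row")
    policy = row.find("policy_evaluated")
    # policy_evaluated/dkim and /spf already carry the *aligned* result.
    dmarc_pass = policy.findtext("dkim") == "pass" or policy.findtext("spf") == "pass"
    # auth_results carries the raw result per method and the domain it was checked against.
    raw_passes = [f"{m.tag}:{m.findtext('domain')}"
                  for m in rec.find("auth_results") if m.findtext("result") == "pass"]
    if dmarc_pass:
        category = "aligned"
    elif raw_passes:
        category = "misaligned"
    else:
        category = "unauthenticated"
    return {
        "source_ip": row.findtext("source_ip"),
        "count": int(row.findtext("count")),
        "disposition": policy.findtext("disposition"),
        "header_from": rec.findtext("identifiers/header_from"),
        "raw_passes": raw_passes,
        "category": category,
    }


def triage(report_xml: str) -> list:
    root = ET.fromstring(report_xml)
    return [classify_record(r) for r in root.iter("record")]


def misaligned_senders(report_xml: str) -> dict:
    """Source IP -> identifiers that passed but did not align: the senders to fix."""
    return {r["source_ip"]: r["raw_passes"] for r in triage(report_xml) if r["category"] == "misaligned"}


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(f"{r['source_ip']:>12} x{r['count']:<4} {r['category']:<15} "
              f"disposition={r['disposition']} raw={r['raw_passes']}")
```

The first record is the article's scenario: SPF passed for bounce.espsending.com and DKIM passed for espsending.com, yet both policy_evaluated results are fail and the disposition is reject. The second record is the same ESP after custom DKIM was set up (d=customerdomain.com), and the third is plain unauthenticated mail that the policy should keep rejecting.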
Strategies for resolving 'on behalf of' DMARC failures
The most effective way to fix DMARC failures when sending on behalf of is to ensure alignment. The ideal solution for an ESP sending on a customer's behalf is to implement a custom DKIM signature for the customer's domain. This means the ESP will sign the email with a DKIM key associated with the customer's domain, ensuring DKIM alignment with the From: address. Since DMARC only requires one of SPF or DKIM to align, this approach is often simpler than trying to align SPF, especially with dynamic SPF services involved.
Some ESPs might also offer options to align the Return-Path (or Mail-From) domain with the Header From domain. This would ensure SPF alignment. Another strategy is to send from a subdomain of the customer's domain (e.g., marketing.customerdomain.com) and configure SPF and DKIM for that subdomain. This allows for clear delegation of sending authority.
In rare cases, if full alignment isn't feasible and you face immediate delivery issues, a temporary solution might involve relaxing the DMARC policy for specific senders or moving the customer's DMARC policy from p=reject to p=quarantine or p=none while you work on a permanent solution. This should only be a short-term measure, as it reduces security. Google provides detailed guidance on setting up DMARC that can assist in proper configuration.
Recommended solution: custom DKIM alignment
How it works: The ESP provides DNS records for the customer to add a DKIM key (and signature) for their specific domain, ensuring the d= tag in the DKIM signature matches the From: header domain.
Benefits: Strongest authentication for on behalf of sending, simplifies DMARC compliance, and improves deliverability. DKIM alignment is generally more robust than SPF alignment for delegated sending.
Implementation: Requires the customer to add a CNAME record provided by the ESP to their DNS, delegating DKIM signing authority.
Alternative approaches
Aligning Return-Path/Mail-From: Some ESPs allow you to configure the Return-Path to match your From: domain. This can be complex with aggregate reporting.
Using a subdomain: Send emails from a subdomain (e.g., marketing.yourdomain.com) and apply SPF/DKIM directly to it. This segregates reputation and simplifies alignment.
Relaxing DMARC policy: Set your DMARC policy to p=none during troubleshooting or for specific senders. This is not recommended long-term due to reduced security, but can offer temporary relief.
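What the recommended solution and the Return-Path alternative look like in the customer's DNS zone, as an added illustration rather than records from the article or from any particular ESP. The selector name esp1, the ESP hostnames under espsending.com, the reporting address and the use of bounce.customerdomain.com as the custom bounce domain are all placeholders to be replaced with whatever the ESP actually provides.

```dns
; Added example zone fragment for customerdomain.com (constructed; the selector,
; ESP hostnames and reporting address are placeholders, not any real ESP's values).

; DMARC policy: start at p=none to collect reports, then move to quarantine/reject
; once every legitimate stream aligns. Relaxed alignment is the default.
_dmarc.customerdomain.com.          IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-rua@customerdomain.com; adkim=r; aspf=r"

; Recommended solution (custom DKIM): the ESP signs with d=customerdomain.com, s=esp1.
; The public key stays at the ESP; this CNAME delegates the selector lookup to it,
; so the d= domain equals the From: header domain and DKIM aligns.
esp1._domainkey.customerdomain.com. IN CNAME esp1._domainkey.espsending.com.

; Alternative (aligned Return-Path), only if the ESP supports a custom bounce domain:
; the RFC5321.MailFrom becomes bounce.customerdomain.com, which shares the
; organizational domain with customerdomain.com under relaxed SPF alignment.
; An MX is needed so the ESP still receives asynchronous bounces; a CNAME cannot be
; used here because the name also carries its own SPF TXT record.
bounce.customerdomain.com.          IN MX  10 bounces.espsending.com.
bounce.customerdomain.com.          IN TXT "v=spf1 include:spf.espsending.com -all"
```

The subdomain strategy is the same set of records published under marketing.customerdomain.com instead of the apex, which keeps the ESP's reputation separate from the rest of the domain's mail.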
Summary of DMARC alignment
Understanding why DMARC fails in on behalf of sending scenarios boils down to DMARC alignment. SPF and DKIM might authenticate, but if their respective domains don't match the From: header, DMARC will trigger a failure.
Proactive steps like setting up custom DKIM for your customers, ensuring proper Return-Path alignment, or utilizing subdomains can prevent these issues. It's about ensuring that the visible sending domain is properly authorized through aligned SPF or DKIM, which is central to maintaining trust and deliverability.
By addressing DMARC alignment directly, you can ensure that emails sent on behalf of your clients (or by third-party vendors for your domain) are reliably delivered to the inbox, enhancing both security and reputation. Remember that continuous monitoring of your DMARC reports is key to early detection and resolution of any potential failures.
Views from the trenches
Best practices
Always prioritize DKIM alignment for delegated sending, as it provides a robust authentication method.
Ensure third-party senders (ESPs) can sign emails with your domain's DKIM key for proper alignment.
Utilize DMARC reports to identify authentication and alignment failures promptly, even with a p=none policy.
Consider sending from a dedicated subdomain when using third-party services to better manage reputation and alignment.
Collaborate closely with your ESP to understand their capabilities for DMARC alignment and configuration.
Common pitfalls
Assuming DMARC passes if SPF and DKIM records are merely present, without checking for domain alignment.
Not having a custom DKIM setup for your domain when using a third-party sender, leading to DMARC failure.
Setting a p=reject DMARC policy too early without proper monitoring and alignment for all legitimate senders.
Overlooking the Return-Path domain in SPF alignment, especially when ESPs use their own domains for bounces.
Failing to regularly analyze DMARC reports, missing critical insights into email authentication issues.
Expert tips
Start with DMARC's p=none policy to gather data and identify all legitimate sending sources before moving to stricter policies.
For complex setups, consider engaging with a DMARC professional to ensure all your email streams are compliant.
Educate your team on DMARC basics, so they understand why certain sending configurations are necessary.
When troubleshooting, check the Authentication-Results header in bounced emails to pinpoint the exact failure reason (SPF, DKIM, or alignment).
Be aware of how email forwarding can break DMARC, and communicate this to recipients or adjust policies as needed.
Expert view
Expert from Email Geeks says SPF and DKIM might pass authentication, but DMARC will fail if there's no alignment between the sending domain and the From: domain in the header.
2021-12-20 - Email Geeks
Expert view
Expert from Email Geeks says the best course of action is to sign DKIM with the customer's domain in addition to the ESP's own DKIM signature, which ensures DMARC passes.