Why is MXToolbox showing email authentication errors when ESP says everything passes and how to fix bot unsubscribes?
Matthew Whittaker
Co-founder & CTO, Suped
Published 2 Aug 2025
Updated 16 Aug 2025
It can be incredibly frustrating to check your domain's email authentication setup on a tool like MXToolbox and see a host of red flags, only to have your Email Service Provider (ESP) confidently tell you that everything is perfectly configured. This discrepancy often leads to confusion and wasted time trying to troubleshoot non-existent problems. Compounding this, many senders grapple with mysterious bot unsubscribes, where automated systems or anti-spam checkers unexpectedly remove legitimate subscribers from their lists, impacting deliverability and list health. I've seen these issues frequently, and understanding the root causes is key to effective email management.
In this guide, I'll clarify why these discrepancies occur and provide practical solutions for both email authentication errors reported by external tools and the persistent problem of bot unsubscribes. We'll dive into the nuances of how different tools evaluate your SPF, DKIM, and DMARC records, and explore strategies to protect your subscriber list from unwanted automated removals.
When an external tool like MXToolbox reports authentication errors while your ESP says everything is fine, it's often a matter of perspective and how each system performs its checks. External tools typically perform static DNS lookups, retrieving your published records (SPF, DKIM, DMARC) directly from DNS. They then interpret these records in isolation, based on a general set of rules.
ESPs, on the other hand, verify authentication during the actual sending process. They check if the email's various From addresses align with your authentication records as the message is handed off to recipient mail servers. This real-time validation, which also considers factors like server reputation and email content, can result in a pass even if a DNS checker finds potential issues.
One common source of confusion lies in SPF macros. Some SPF records utilize dynamic mechanisms like exists:%{i}._spf.sparkpostmail.com. Many public tools struggle to interpret these macros, leading them to report a missing SPF record or other errors, even when it's correctly implemented and functioning for your ESP. I've encountered cases where users report this exact scenario, where Google validates the setup but a tool flags it. For further reading, see our article on why email deliverability tools and Postmaster tools conflict.
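To make the macro problem concrete, here is an added example (not code from the original article or from any ESP) that expands SPF macros the way a receiving server does during an SMTP transaction, following RFC 7208 section 7. The sample record, IP address, sender address and HELO name are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 7208 section 7 macro: %{<letter><digits><r><delimiters>} plus %%, %_ and %-
MACRO = re.compile(r"%\{([slodihv])(\d*)(r?)([.\-+,/_=]*)\}|%([%_\-])")

# Constructed sample record, modelled on the mechanism quoted in the article.
SAMPLE_RECORD = "v=spf1 exists:%{i}._spf.sparkpostmail.com ~all"


def macro_terms(record):
    """Terms that cannot be evaluated from DNS alone: they need a live sender."""
    return [term for term in record.split() if "%{" in term]


def expand_spf_macros(term, ip, sender, helo):
    """Expand SPF macros in `term` for one concrete SMTP transaction."""
    addr = ipaddress.ip_address(ip)
    local, _, domain = sender.rpartition("@")
    # %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6
    i_value = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {"s": sender, "l": local, "o": domain,
              "d": domain,  # assumption: no include/redirect has changed the domain
              "i": i_value, "h": helo,
              "v": "in-addr" if addr.version == 4 else "ip6"}

    def repl(match):
        if match.group(5):                       # literal escapes %%, %_ and %-
            return {"%": "%", "_": " ", "-": "%20"}[match.group(5)]
        letter, digits, reverse, delims = match.group(1, 2, 3, 4)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits and int(digits) > 0:           # keep only the right-most N parts
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO.sub(repl, term)
```

A static checker only ever sees the output of `macro_terms`; the name that actually gets queried exists only once a connecting IP and envelope sender are known.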
Common reasons for authentication discrepancies
SPF macros: External checkers might not correctly parse dynamic SPF records, leading to false negatives.
DNS propagation: Recent DNS changes might not have propagated globally, causing some checkers to see old records or no records.
Misinterpretation of alignment: Tools might not fully account for the fact that DMARC passes on either SPF or DKIM alignment, so a single aligned pass (even if the other mechanism fails) is enough for DMARC to pass overall.
Diagnosing authentication discrepancies
To effectively diagnose discrepancies, start by examining the full email headers of a message sent through your ESP. This provides the most accurate view of how recipient mail servers actually process and authenticate your emails. Pay close attention to the authentication results, especially the Authentication-Results header.
Check your DNS configuration for any errors, especially DNSSEC issues, which can cause intermittent problems. A tool like DNSViz.net can provide a visual representation of your DNS chain and highlight any broken links or misconfigurations. I've found this very helpful in pinpointing subtle DNS problems.
Ensure that your DMARC record correctly covers all sending domains and subdomains. If you are sending from sub.yourdomain.com, a DMARC record must exist for sub.yourdomain.com, or the primary domain's DMARC record needs a sp=rua or sp=reject (or sp=quarantine) tag that specifies the subdomain policy. This is critical for proper DMARC enforcement and consistent reporting. You can find more detail on this in our article about DMARC failure reports.
SPF (Sender Policy Framework)
Verifies the sending IP address against a list of authorized IPs in your DNS record.
Some tools may not parse SPF macros (e.g., exists lookups, which are used by ESPs like SparkPost) correctly. They might also report errors for missing SPF records when one is present but complex.
DKIM (DomainKeys Identified Mail)
Authenticates the email content by using a digital signature linked to your domain's DNS record.
Errors can arise from incorrect selector names, DNS propagation delays, or if the tool is checking a different domain or subdomain than what's actually signing your emails.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Ensures the From header domain aligns with either the SPF or DKIM domain, and defines policy for authentication failures.
Tools might flag a "DMARC policy not enabled" error if a subdomain record is missing, even if the parent domain's DMARC covers it. They might also incorrectly report a failure if they don't see both SPF and DKIM pass, even though only one is needed for DMARC to pass (alignment is key).
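The header check and the alignment rule described above can be combined in a few lines. This is an added example, not code from the original article: it parses an Authentication-Results header and applies the "either SPF or DKIM, as long as it aligns" rule. The header is constructed, the function names are hypothetical, and the organizational domain is approximated by the last two labels rather than the Public Suffix List.

```python
import re

# Constructed header: SPF passes for the ESP's bounce domain, DKIM for the brand.
SAMPLE = ("Authentication-Results: mx.example.net;\r\n"
          " spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.esp-example.net;\r\n"
          " dkim=pass header.d=example.com header.s=s1;\r\n"
          " dmarc=pass header.from=news.example.com")


def parse_auth_results(header):
    """Return {method: [(result, {property: value}), ...]} for one header."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\([^()]*\)", " ", value)      # drop parenthesised comments
    results = {}
    for clause in value.split(";")[1:]:            # element 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.setdefault(method.lower(), []).append((result.lower(), props))
    return results


def org_domain(domain):
    # Simplification (assumption): last two labels; receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Relaxed alignment compares organizational domains; strict needs an exact match."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(header, from_domain, strict=False):
    """DMARC passes when SPF or DKIM passes AND aligns with the From domain."""
    res = parse_auth_results(header)
    spf = any(r == "pass" and
              aligned(p.get("smtp.mailfrom", "").rpartition("@")[2], from_domain, strict)
              for r, p in res.get("spf", []))
    dkim = any(r == "pass" and aligned(p.get("header.d", ""), from_domain, strict)
               for r, p in res.get("dkim", []))
    return {"spf_aligned": spf, "dkim_aligned": dkim, "dmarc_pass": spf or dkim}
```

For the sample header, SPF passes but does not align (it authenticates the ESP's bounce domain), while DKIM passes and aligns, so DMARC passes.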
Preventing bot unsubscribes
Bot unsubscribes occur when automated systems, such as anti-spam checkers or security scanners, click the unsubscribe links within your emails. This happens without human intent, leading to a frustrating loss of legitimate subscribers. These bots are often designed to scan emails for malicious content or to verify unsubscribe functionality, but their actions inadvertently harm your email list. High unsubscribe rates, even from bots, can negatively impact your sender reputation, signaling to ISPs that your emails might be unwanted.
The primary cause of bot unsubscribes is often a single-click unsubscribe link that immediately removes the subscriber upon being clicked, without any further confirmation on a landing page. If your ESP (like Iterable, as mentioned in some discussions) defaults to this behavior, it leaves you vulnerable to automated systems. A simple change can make a big difference.
The solution is to implement a two-click unsubscribe process. This means when a user or bot clicks the unsubscribe link in the email, they are directed to a landing page where they must click a second button to confirm their unsubscribe. Bots will typically click the initial link but rarely navigate or click a secondary button on a webpage. This is a standard and recommended practice that effectively mitigates bot unsubs without burdening legitimate subscribers. For more on this, check out how spam filters can trigger unsubscribes.
Single-click unsubscribe (problematic)
Process: Clicking the unsubscribe link in the email immediately removes the subscriber.
Vulnerability: Highly susceptible to automated bot clicks, leading to unintended unsubscribes.
Impact: Skews unsubscribe rates, erodes list quality, and can signal negative engagement to ISPs.
Two-click unsubscribe (recommended)
Process: User clicks link, then confirms unsubscribe on a dedicated landing page.
Protection: Filters out automated bot activity, as bots typically don't interact with landing pages.
Benefit: Ensures unsubscribes are from genuine human intent, maintaining list accuracy and improving deliverability signals.
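The two-click flow compared above, as an added example (not code from the original article or from any ESP): a minimal WSGI handler where following the emailed link only renders a confirmation page, and the list changes only when the confirmation form is submitted. The secret, the in-memory subscriber set and all function names are constructed for illustration.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"        # assumption: a per-deployment secret
SUBSCRIBERS = {"alice@example.com"}     # constructed stand-in for the list store


def make_token(email):
    """Token placed in the emailed link: address plus an HMAC over it."""
    return email + ":" + hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()


def verify_token(token):
    """Return the address if the HMAC checks out, otherwise None."""
    email, _, sig = token.rpartition(":")
    expected = hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()
    return email if hmac.compare_digest(sig.encode(), expected.encode()) else None


def app(environ, start_response):
    """GET renders a confirmation page; only the POST from that page changes state."""
    method = environ["REQUEST_METHOD"]
    if method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(size).decode())
    else:
        fields = parse_qs(environ.get("QUERY_STRING", ""))
    token = fields.get("token", [""])[0]
    email = verify_token(token)
    if email is None:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"invalid link"]
    if method == "POST":
        SUBSCRIBERS.discard(email)      # second click: the only state change
        body = "You have been unsubscribed."
    else:                               # a scanner following the link stops here
        body = ('<form method="post"><input type="hidden" name="token" value="%s">'
                "<button>Confirm unsubscribe</button></form>"
                % html.escape(token, quote=True))
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode()]
```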
Proactive deliverability management
Beyond addressing specific authentication and unsubscribe issues, a proactive approach to email deliverability is crucial. Regularly monitor your sender reputation and DMARC reports. These reports provide invaluable insights into how various mailbox providers are authenticating your emails and whether they are being delivered to the inbox, spam folder, or blocked entirely. I find DMARC reports to be the single most important source of truth.
Maintaining a clean and engaged email list is another cornerstone of good deliverability. Regularly remove inactive subscribers and hard bounces. This not only improves your sender reputation but also reduces the likelihood of hitting spam traps and landing on a blacklist (or blocklist). Remember, even a small percentage of issues can disproportionately impact your overall inbox placement.
For ongoing monitoring, consider using dedicated DMARC monitoring tools. These platforms can aggregate and parse complex DMARC reports, making it easier to identify authentication issues, potential abuse, and areas for improvement in your email infrastructure. Continuous vigilance is key to sustained deliverability success. Our guide to email deliverability issues covers more common problems and solutions.
Navigating email authentication and subscriber management
The conflicting reports from MXToolbox and your ESP, along with unexpected bot unsubscribes, are common challenges in email deliverability. The key takeaway is that external tools provide a static snapshot of your DNS, which might not always reflect the dynamic, real-time authentication checks performed by ESPs. DNSSEC issues and SPF macros are frequent culprits for tool discrepancies. Similarly, implementing a two-click unsubscribe process is a robust defense against automated bot removals, safeguarding your list health and sender reputation.
By understanding these nuances and consistently applying best practices like monitoring DMARC reports and maintaining clean lists, you can navigate these complexities. This proactive approach ensures your emails consistently reach their intended recipients, boosting the effectiveness of your email program.
Views from the trenches
Best practices
Always check real email headers for authentication results, as they show actual delivery pathway outcomes.
Use a two-click unsubscribe process to confirm human intent and filter out automated bot activity.
Common pitfalls
Over-relying on single external tool reports without cross-referencing with ESP data or actual email headers.
Using a one-click unsubscribe directly from the email link, making your list vulnerable to bot removals.
Expert tips
Ensure your DMARC record's subdomain policy (`sp=`) is correctly set if sending from subdomains.
Regularly monitor your DMARC reports for comprehensive insights into authentication passes and failures.
Expert view
Expert from Email Geeks says that MXToolbox is generally reliable, but discrepancies often point to messed up DNS or DNSSEC problems.
October 14, 2021 - Email Geeks
Expert view
Expert from Email Geeks says that dnsviz.net can be a helpful tool for diagnosing DNS issues.