Overview
- DMARC helps ensure emails truly come from your domain and authorized senders, improving inbox placement and reducing impersonation risks.
- DMARC failures typically stem from setup gaps like missing authorized senders, broken signatures, policy errors, forwarding changes, or new third‑party tools added without DNS updates.
- To diagnose quickly, review DMARC reports for patterns, check failed messages’ headers, and confirm that your sending domains line up with the “From” address.
- To fix issues fast, update SPF, enable and validate DKIM, move DMARC from monitoring to enforcement, address sender alignment issues, and ensure every authorized vendor sending on your behalf can pass email authentication.
- Keep DMARC effective with continuous monitoring, subdomain policies, regular audits, team training, and support from Proofpoint tools.
———
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol that helps protect your domain from unauthorized use. DMARC failures, however, are a leading cause of deliverability problems and can expose you to phishing and spoofing.
In this blog post, we’ll explore the most common causes of DMARC failures. We’ll also recommend step-by-step troubleshooting, configurations, best practices, and tools to help strengthen your email security.
Why does DMARC matter for business?
DMARC confirms that an email claiming to come from your domain is legitimately authorized, protecting your domains from impersonation and improving deliverability. Adoption of DMARC has surged in response to rising threats, highlighting the urgency of stronger email authentication.
Most major email providers now enforce DMARC requirements, and failing to meet them can impact deliverability. Senders of more than 5,000 emails per day who do not pass SPF, DKIM, and DMARC checks may have their messages routed to Junk or rejected outright. Although these rules are aimed at bulk senders, all organizations should consider adopting DMARC, SPF, and DKIM as standard practice.
Beyond deliverability, DMARC also helps improve:
- Security: Reduces phishing and other email‑based attacks.
- Visibility: Provides reporting that helps admins verify whether senders using the domain are authenticated.
- Brand protection: Blocks spoofed messages that could damage customer trust.
- Compliance: Helps organizations meet security expectations and regulatory requirements.
- Customer trust: Demonstrates a commitment to protecting customers and their data.
SPF and DKIM
SPF and DKIM are the underlying mechanisms DMARC relies on to authenticate emails.
- Sender Policy Framework (SPF) allows domain owners to specify, via IP address, who is authorized to send email on their behalf. This helps prevent attackers from forging the “From” address using the organization’s domain.
- DomainKeys Identified Mail (DKIM) attaches a cryptographic signature to each message to confirm that it genuinely comes from the stated domain and has not been tampered with in transit.
How DMARC works
Before we move on to what causes DMARC failures, let’s look briefly at how DMARC works.
For a message to pass DMARC, it must pass an SPF check or a DKIM check that aligns with the domain in the From: header. If it does not, the receiving mail server applies one of three DMARC policies:
- None (p=none): Deliver the message but report it to the domain owner.
- Quarantine (p=quarantine): Flag the message as suspicious/junk/spam.
- Reject (p=reject): Block the message entirely.
Most organizations start with a DMARC "None" policy to identify all legitimate senders. Once they resolve any authentication issues, they typically update their DMARC policy to an enforcing policy of Quarantine or Reject.
A secure email gateway should enforce DMARC policy to help protect users from inbound threats.
Common reasons DMARC fails
Most DMARC failures arise from issues in SPF, DKIM, or the DMARC policy itself, but not all of them do. Here are the most common root causes.
SPF misconfiguration or misalignment
SPF must be both correctly configured and aligned with the domain in the From: header. Common issues include:
- Missing sending IPs or services—an authorized sender is not listed in your SPF record.
- SPF passes, but alignment fails—the SMTP envelope‑from domain doesn’t match the visible From: domain.
- SPF syntax errors or lookup-limit failures—the SPF record exceeds the limit of 10 DNS lookups or contains invalid syntax.
DKIM misconfiguration
DKIM issues often stem from setup errors or message modification after signing. Common breakdowns include:
- Incorrect or missing DKIM selector—the receiving server cannot locate the correct public key.
- Message altered after signing—mailing lists, footers, or man-in-the-middle attacks alter headers or body content.
- Domain misalignment—the d= domain in the DKIM signature does not align with the From: domain.
Forwarding and mailing lists
Forwarding intermediaries can break authentication, even if the original sender is correctly configured. Challenges include:
- Forwarders breaking SPF or DKIM—forwarded mail may come from an unlisted IP or lose signature integrity.
- Mailing lists that modify messages—subject changes, footer additions, or header rewrites break DKIM signatures.
Third-party email services
Finally, DMARC can fail simply because a new service was added without updating the DNS. Common oversights include:
- External vendors not added to SPF or DKIM—marketing, CRM, or transactional systems remain unauthorized.
- New services onboarded without DNS updates—legitimate senders fail authentication until SPF and DKIM are updated.
DMARC policy and reporting gaps
Issues may also lie within the DMARC record itself. Keep in mind that the record controls policy (what the receiver should do with failures) and reporting; the pass/fail outcome is decided by SPF and DKIM alignment, not by the record. Typical issues include:
- No DMARC record published—receivers have no policy to apply.
- DMARC TXT syntax errors—mis-formatted records are ignored by receivers.
- Missing subdomain policies or reporting addresses—the sp= tag for subdomains (for example, sp=none) or the rua/ruf reporting addresses are not set.
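The gaps listed above can be caught before a receiver ignores the record. As an added example (not code from this post or from Proofpoint), here is a small validator that applies the checks a receiver makes on a DMARC TXT record and flags the common omissions; the sample records and the example.com addresses are constructed.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into (tags, problems). The v= and p= checks
    mirror RFC 7489 (v=DMARC1 must be first, a valid p= is required); the
    sp= and rua= checks are advisory, since both tags are optional but their
    absence is a common subdomain or reporting gap."""
    problems = []
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" not in part:
            problems.append(f"malformed tag {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("v=DMARC1 must be the first tag; receivers ignore the record otherwise")
    policies = ("none", "quarantine", "reject")
    if "p" not in tags:
        problems.append("no p= tag: the record is invalid (receivers may fall back to p=none if rua= is valid)")
    elif tags["p"] not in policies:
        problems.append(f"invalid p= value {tags['p']!r}")
    if "sp" not in tags:
        problems.append("no sp= tag: subdomains inherit p=; set sp= explicitly to control them")
    elif tags["sp"] not in policies:
        problems.append(f"invalid sp= value {tags['sp']!r}")
    if "rua" not in tags:
        problems.append("no rua= tag: no aggregate reports will be delivered")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().startswith("mailto:"):
                problems.append(f"rua= URI must use mailto: ({uri.strip()!r})")
    for mode in ("adkim", "aspf"):
        if mode in tags and tags[mode] not in ("r", "s"):
            problems.append(f"invalid {mode}= value {tags[mode]!r}")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and int(pct) <= 100):
        problems.append(f"pct= must be an integer from 0 to 100 ({pct!r})")
    return tags, problems


# Constructed records: a complete one and one with typical mistakes.
GOOD_RECORD = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-rua@example.com; pct=100; adkim=s"
BAD_RECORD = "p=reject; v=DMARC1; rua=dmarc-rua@example.com; pct=150"

if __name__ == "__main__":
    for record in (GOOD_RECORD, BAD_RECORD):
        tags, problems = parse_dmarc(record)
        print(record, "->", problems or "OK")
```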
How to diagnose DMARC failures
Here's a practical workflow you can follow to quickly pinpoint where DMARC failures occur.
1. Start with DMARC reports (RUA and RUF)
DMARC reports provide a high-level overview of what’s happening with your domain’s email.
- Aggregate reports (RUA) summarize sending sources, traffic volumes, pass/fail rates, and alignment outcomes across providers, helping you spot patterns like unknown senders, misaligned traffic, or spikes in failures.
- Forensic reports (RUF) contain message‑level details for individual failures, making them useful for diagnosing misconfigurations or suspicious activity.
These reports are delivered as XML, so use a DMARC report parser or monitoring platform to convert them into actionable insights.
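To show what such a parser has to do, here is an added example (not code from this post or from Proofpoint) that reads an aggregate report in the RFC 7489 Appendix C layout and summarizes it by source IP. The report is constructed: the IPs are documentation ranges and the domains are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report, trimmed to the elements this summary reads.
# IPs are documentation ranges; domains are placeholders.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def summarize_rua(xml_text):
    """Return (published p= policy, per-source-IP summary). policy_evaluated
    holds the aligned SPF/DKIM results, so a source fails DMARC when neither
    is "pass"; auth_results holds raw results, used here to label the two
    classic causes: SPF passed on an unaligned domain, or no DKIM signature."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "reasons": set()})
    for rec in root.findall("record"):
        row = rec.find("row")
        entry = summary[row.findtext("source_ip")]
        count = int(row.findtext("count"))
        entry["total"] += count
        evaluated = row.find("policy_evaluated")
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue
        entry["dmarc_fail"] += count
        raw_spf = rec.find("auth_results/spf")
        if raw_spf is not None and raw_spf.findtext("result") == "pass":
            entry["reasons"].add("spf-pass-unaligned:" + raw_spf.findtext("domain"))
        if rec.find("auth_results/dkim") is None:
            entry["reasons"].add("no-dkim-signature")
    return root.findtext("policy_published/p"), dict(summary)
```

The second source is the pattern to look for: a vendor whose SPF passes on its own domain but is not aligned and does not sign with your DKIM key.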
2. Analyze the message headers
Header analysis is a direct way to confirm whether a failure is due to a misconfigured DNS record, misalignment, a broken signature, or message modification.
- Pull the raw email headers from your mail client or gateway.
- Inspect the SPF, DKIM, and DMARC result fields, which typically show whether each check passed, failed, or produced a temporary error.
Tools like Google Admin Toolbox can highlight key authentication outcomes and pinpoint where failures occur.
3. Check alignment across SPF and DKIM
Even if SPF and DKIM both pass, DMARC will fail unless at least one of them is aligned with the domain in the message’s From: header.
To verify alignment, check:
- Envelope MAIL FROM domain (used in SPF)
- DKIM d= domain (used in DKIM signatures)
- Header From: domain (visible to the recipient)
These three domains don’t have to match exactly, but they must fall under the same organizational domain according to your DMARC alignment mode (relaxed or strict). If neither SPF nor DKIM aligns with the From: domain, DMARC will fail—even if authentication succeeded.
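Steps 2 and 3 come together in the following added example (not code from this post or from Proofpoint): it pulls the SPF and DKIM outcomes from a constructed Authentication-Results header and applies the alignment rules to the From: domain in both relaxed and strict mode. The organizational-domain helper is a simplification (last two labels); real evaluators use the Public Suffix List.

```python
import re

# Constructed Authentication-Results header as a receiver might add it: SPF
# passes for a vendor's bounce domain, one DKIM signature passes for a
# subdomain of the From: domain, a second (vendor) signature fails.
SAMPLE_AUTH_RESULTS = (
    "mx.receiver.example; "
    "spf=pass smtp.mailfrom=bounces@bounce.bulk-mailer.example; "
    "dkim=pass header.d=mail.example.com header.s=s1; "
    "dkim=fail header.d=bulk-mailer.example header.s=k2"
)
SAMPLE_FROM = "Alice <alice@example.com>"


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.
    Real evaluators consult the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(candidate, from_domain, mode):
    """Strict ("s"): exact match. Relaxed ("r"): same organizational domain."""
    candidate, from_domain = candidate.lower(), from_domain.lower()
    if mode == "s":
        return candidate == from_domain
    return org_domain(candidate) == org_domain(from_domain)

def parse_auth_results(header):
    """Return (domain SPF passed for, or None; list of d= domains DKIM passed for)."""
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", header)
    dkim = re.findall(r"dkim=pass\s+header\.d=([\w.-]+)", header)
    return (spf.group(1) if spf else None), dkim

def dmarc_result(auth_results, header_from, aspf="r", adkim="r"):
    """DMARC passes if at least one passing identifier aligns with From:.
    Returns (result, mechanism that satisfied it or None)."""
    from_domain = re.search(r"@([\w.-]+)", header_from).group(1)
    spf_domain, dkim_domains = parse_auth_results(auth_results)
    if spf_domain and aligned(spf_domain, from_domain, aspf):
        return "pass", "spf"
    for d in dkim_domains:
        if aligned(d, from_domain, adkim):
            return "pass", "dkim"
    return "fail", None


if __name__ == "__main__":
    print(dmarc_result(SAMPLE_AUTH_RESULTS, SAMPLE_FROM))             # relaxed: pass via dkim
    print(dmarc_result(SAMPLE_AUTH_RESULTS, SAMPLE_FROM, adkim="s"))  # strict: fail
```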
How to fix DMARC failures step by step
1. Validate your SPF records
- Ensure all authorized senders and services (Microsoft 365, Google Workspace, marketing tools, CRMs, SaaS providers) are included. Include only the IPs that send traffic on your behalf.
- Use SPF lookup tools to verify syntax, confirm all mechanisms resolve properly, and check that you haven’t exceeded the 10‑lookup DNS limit.
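The 10-lookup limit is easy to cross once vendor includes nest their own includes. As an added example (not code from this post or from Proofpoint), the following counts lookup-causing terms recursively the way a receiver does, using a constructed dictionary in place of live DNS so it runs offline; all domains and addresses are placeholders.

```python
import re

# Constructed stand-in for DNS: domain -> SPF TXT record (placeholders only).
# A mail host plus two vendors with their own includes, a typical drift case.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example "
                   "include:vendor.example include:crm.example mx -all",
    "_spf.mailhost.example": "v=spf1 include:a.mailhost.example include:b.mailhost.example ~all",
    "a.mailhost.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "b.mailhost.example": "v=spf1 a mx -all",
    "vendor.example": "v=spf1 exists:%{i}.check.vendor.example redirect=_spf2.vendor.example",
    "_spf2.vendor.example": "v=spf1 ip6:2001:db8::/32 -all",
    "crm.example": "v=spf1 a mx ptr -all",
}
# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (ip4/ip6/all do not).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_lookups(domain, dns, path=()):
    """Recursively count lookup-causing terms, following include: and redirect=.
    Returns (count, problems). `path` holds ancestors for loop detection."""
    if domain in path:
        return 0, [f"include/redirect loop at {domain}"]
    record = dns.get(domain)
    if record is None:
        return 0, [f"no SPF record for {domain} (permerror at the receiver)"]
    if not record.startswith("v=spf1"):
        return 0, [f"{domain}: record does not start with v=spf1"]
    count, problems = 0, []
    for term in record.split()[1:]:
        term = re.sub(r"^[+\-~?]", "", term)  # drop the qualifier
        name, _, target = term.partition("=" if term.startswith("redirect") else ":")
        if name not in LOOKUP_TERMS:
            continue
        count += 1
        if name in ("include", "redirect"):
            sub_count, sub_problems = count_lookups(target, dns, path + (domain,))
            count += sub_count
            problems += sub_problems
    return count, problems

def check_spf(domain, dns=FAKE_DNS):
    """Total lookups for `domain` plus any problems, including the 10-lookup limit."""
    count, problems = count_lookups(domain, dns)
    if count > 10:
        problems.append(f"{domain} needs {count} DNS lookups; the limit is 10")
    return count, problems

if __name__ == "__main__":
    print(check_spf("example.com"))
```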
2. Align and test DKIM settings
- Enable DKIM signing for every domain you send from.
- Confirm selector records are correct and ensure DKIM signatures validate properly in mail headers.
3. Tune your DMARC policy
- Start with p=none to observe traffic and collect reports.
- Move to p=quarantine once legitimate senders are fixed.
- Transition to p=reject for full enforcement and set pct=100 when ready.
4. Address forwarding issues
- Enable Authenticated Received Chain (ARC) where supported to preserve authentication through intermediaries.
- Ensure forwarded messages retain SPF/DKIM signals whenever possible.
5. Authorize all third-party senders
- Update SPF and DKIM settings for every email provider you use.
- Regularly audit sending domains and vendors.
6. Test and monitor continuously
- Keep DMARC monitoring active, using a tool like Google Admin Toolbox, to catch issues early.
Common causes and fixes for DMARC failures
| Cause | Impact | Fix |
|---|---|---|
| SPF misalignment | Emails may be sent to spam or treated as suspicious | Update SPF records to include all authorized senders; verify alignment with the From: domain |
| DKIM failure | Authentication breaks, reducing deliverability and trust | Enable DKIM signing, ensure selectors are correct, and verify signatures aren't altered in transit |
| Missing DMARC record | No policy or enforcement; receivers can’t evaluate authenticity | Publish a valid DMARC record with appropriate policy and reporting addresses |
| Forwarding issues | SPF/DKIM may break, causing messages to fail DMARC | Enable ARC where possible; ensure DKIM signatures are preserved |
| Third‑party services | Legitimate emails fail authentication due to missing DNS updates | Authorize all external senders by updating SPF and DKIM for each provider |
Best practices to prevent future DMARC failures
These best practices help ensure long‑term DMARC authentication health and reduce the risk of unexpected deliverability issues.
1. Set up DMARC monitoring from day one
- Enable monitoring as soon as your domain starts sending mail to detect unauthorized activity or misconfigurations early.
- Use a DMARC reporting platform to turn XML reports into clear dashboards and establish a baseline for normal traffic.
2. Recheck SPF, DKIM, and DMARC when you onboard a new vendor
Any time you add a marketing tool, CRM, support platform, or other new sender:
- Add the vendor’s sending IPs or mechanisms to SPF.
- Verify the vendor’s DKIM key and ensure signing is active.
- Confirm your DMARC policy still aligns with your authentication strategy.
3. Use subdomain-specific policies to avoid gaps
Attackers frequently exploit unprotected subdomains, so tightening these controls helps close off an easy entry point.
- Apply DMARC policies to subdomains individually—don’t rely on the parent domain’s policy to cover them.
- Set explicit policies for subdomains used by third‑party services, considering quarantine or reject for added protection.
4. Schedule quarterly DNS and policy audits
Routine reviews prevent silent misconfigurations or infrastructure changes from becoming email deliverability problems. At least quarterly, review:
- SPF records for outdated entries
- DKIM keys, rotating them periodically
- DMARC reports for anomalies or unauthorized senders
- New subdomains or services requiring updated DNS records
5. Train IT and marketing teams on proper email authentication workflows
Educated teams catch issues earlier and avoid introducing misconfigurations that break authentication. Ensure teams understand:
- How SPF, DKIM, and DMARC work together
- Why DNS updates matter when launching new tools or campaigns
- How to read DMARC reports
- Best practices for vendor onboarding and domain management
How Proofpoint can help
Proofpoint offers a variety of services and resources to help you check and maintain DMARC records:
- Run a DMARC check to quickly assess any domain’s DMARC setup and spot gaps to fix.
- Read our e-book, DMARC and DKIM: The Key to Secure Email Deliverability.
- Deploy Proofpoint Email Fraud Defense or Collaboration Security Prime to continuously monitor SPF, DKIM, and DMARC, track alignment, and flag unauthorized senders.
- Read our DMARC Technical Brief to implement DMARC step‑by‑step and move confidently from p=none to enforcement.
Ready to strengthen your email security and stop domain spoofing? Proofpoint can help you implement and manage DMARC with confidence.