How to troubleshoot DMARC failures
A practical DMARC troubleshooting guide covering missing records, alignment problems, policy interpretation, and common causes of DMARC failure.
Start by confirming the DMARC record exists
A DMARC policy is published as a TXT record under the _dmarc subdomain, for example _dmarc.example.com. If this record is missing, DMARC cannot be evaluated and receivers will fall back to SPF and DKIM without policy enforcement.
The first step in troubleshooting is to confirm that the record exists, is publicly resolvable, and is published on the correct hostname.
If no record is present, this is the root cause. DMARC failures in this case are expected because no policy or alignment evaluation can be applied.
Check the basic record structure
A valid DMARC record is a structured TXT string made up of tag-value pairs. The most basic example looks like:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
At minimum, the record must include the version tag v=DMARC1 and a policy tag p=. Additional tags such as rua, ruf, adkim, and aspf provide reporting and alignment behaviour.
Common formatting issues include missing semicolons, invalid tag names, or malformed email URIs. Even small syntax errors can cause the record to be ignored entirely by receiving servers.
Understand how DMARC evaluation actually works
DMARC does not directly authenticate email. Instead, it evaluates the results of SPF and DKIM and checks whether either of those passes and aligns with the visible From domain.
For DMARC to pass, at least one of the following must be true:
- SPF passes and is aligned with the From domain
- DKIM passes and is aligned with the From domain
If neither SPF nor DKIM aligns correctly, DMARC will fail regardless of whether authentication technically passed.
Understand alignment (the most common failure point)
Alignment is one of the most misunderstood aspects of DMARC. It refers to whether the domain used in SPF or DKIM matches the domain in the From header.
There are two alignment modes:
- Relaxed alignment: subdomains are allowed (default)
- Strict alignment: domains must match exactly
For example, a DKIM signature from mail.example.com aligns with example.com under relaxed mode, but would fail under strict mode.
Many DMARC failures occur because third-party services sign with their own domain or use a different envelope sender, causing alignment to break even though SPF or DKIM technically passes.
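The evaluation and alignment rules described above, as an added Python example (not code from the original guide): it parses a DMARC record, applies relaxed or strict alignment to the SPF and DKIM domains, and maps a failure to the p= disposition. The two-label organizational-domain rule, the AuthResults shape and the sample message are simplifying assumptions made for the example.

```python
from dataclasses import dataclass

def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict; reject records missing v= or p=."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must start with v=DMARC1 and carry a p= tag")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r', the default): organizational domains must match."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From header
    spf_result: str    # SPF result for the envelope sender
    spf_domain: str    # envelope (MAIL FROM) domain SPF was checked against
    dkim_result: str   # DKIM verification result
    dkim_domain: str   # d= domain of the DKIM signature

def evaluate_dmarc(record: dict, r: AuthResults) -> dict:
    """DMARC passes if SPF or DKIM passes AND aligns; on failure the p= policy applies (pct/sp ignored)."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, record.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, record.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": "none" if passed else record["p"]}

# Constructed sample: a third-party platform sends with its own envelope domain (SPF passes but
# does not align) and signs with a subdomain of the From domain.
SAMPLE = AuthResults("example.com", "pass", "bounce.thirdparty.net", "pass", "mail.example.com")

if __name__ == "__main__":
    print(evaluate_dmarc(parse_dmarc_record("v=DMARC1; p=reject"), SAMPLE))           # relaxed: pass
    print(evaluate_dmarc(parse_dmarc_record("v=DMARC1; p=reject; adkim=s"), SAMPLE))  # strict DKIM: fail, reject
```

The same message passes under the default relaxed alignment and is rejected once adkim=s is set, which is the kind of change to check when a policy move to strict alignment coincides with new failures.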
Common causes of DMARC failure
- No DMARC record published
- Invalid or malformed DMARC record
- SPF passes but is not aligned with the From domain
- DKIM passes but uses a different domain
- Both SPF and DKIM failing or misconfigured
- Third-party senders not properly authorised
- Forwarding scenarios breaking SPF
- Policy moved to enforcement before cleanup
Interpret the policy in context
The DMARC policy determines how receiving servers should handle failures.
- p=none means monitor only
- p=quarantine means treat as suspicious (often spam)
- p=reject means block the message entirely
When troubleshooting, it is important to distinguish between a technical failure and a delivery impact. A failure under p=none may not affect delivery, whereas the same failure under p=reject will cause messages to be blocked.
Use DMARC reports as part of troubleshooting
DMARC aggregate reports provide visibility into all sources sending email on behalf of your domain and how authentication is performing.
These reports allow you to identify legitimate senders, detect spoofing attempts, and pinpoint misconfigured systems.
Without reviewing reports, it is very difficult to safely move to enforcement or understand the root cause of failures.
A practical DMARC troubleshooting workflow
- Confirm the _dmarc record exists and is valid
- Validate syntax and required tags
- Check the current DMARC policy level
- Review Authentication-Results in message headers
- Verify SPF passes and aligns
- Verify DKIM passes and aligns
- Identify all sending sources using reports
- Fix misconfigured legitimate senders
- Retest and monitor before moving to enforcement
Why DMARC failures happen in real environments
In most real-world environments, DMARC failures are not caused by attackers but by legitimate systems that are incorrectly configured.
Common examples include CRM systems, marketing platforms, ticketing tools, and forwarding services that send on behalf of your domain without proper SPF or DKIM alignment.
This is why a gradual rollout from monitoring to enforcement is essential. Jumping straight to reject without understanding your sending ecosystem can break legitimate email flows.
