DMARC Failure: Authentication Policy Not Respected

DMARC combines SPF and DKIM for complete email protection. Here's how to resolve failures.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the final layer of email protection. It verifies that SPF or DKIM passes AND that the domain is aligned with the From header. When DMARC fails, your policy (none, quarantine, reject) dictates handling. A DMARC failure with p=reject means your legitimate emails are blocked. Understanding DMARC is crucial as it aggregates SPF and DKIM and generates valuable reports about who sends on your behalf.

Symptoms of DMARC Failure

  • DMARC reports (rua) show alignment failures
  • Email headers display "dmarc=fail"
  • Emails rejected or in spam despite individually valid SPF/DKIM
  • Third-party services sending on your behalf fail

Causes of DMARC Failures

  • Alignment failure: SPF or DKIM passes, but the domain it validated doesn't match the From header domain (strict vs relaxed alignment).
  • SPF and DKIM both fail: DMARC requires at least one of them to pass with alignment; if both fail, DMARC fails.
  • Unconfigured third-party service: A marketing tool sends with your From but its domain isn't aligned.

DMARC Diagnosis

  1. Check your policy: dig TXT _dmarc.example.com
  2. Analyze DMARC reports (rua) to identify failure sources.
  3. For each source, verify SPF (included?), DKIM (selector configured?), and alignment.
  4. Use dmarcanalyzer.com or similar to visualize your reports.

DMARC Monitoring with MoniTao

MoniTao monitors your DMARC configuration:

  • Alert if DMARC record changes or disappears
  • Verification of syntax and policy
  • Monitoring of entire SPF + DKIM + DMARC chain

Progressive DMARC

  • Start with p=none to collect reports without impacting traffic
  • Analyze reports and fix legitimate sources that fail
  • Progressively move to p=quarantine then p=reject
  • Configure rua for aggregate reports and ruf for forensics

FAQ - DMARC Fail

What's the difference between strict and relaxed alignment?

Strict: the domains must be identical. Relaxed (the default): subdomains of the same domain are accepted. E.g., mail.example.com aligns with example.com under relaxed alignment but not under strict.
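To make the alignment rule concrete, here is an added example (not MoniTao's code) that parses a _dmarc TXT record and applies the strict/relaxed check to the SPF and DKIM results of one message, covering both the subdomain case above and the unconfigured third-party case from the causes list. The organizational-domain shortcut and the sample domains (mailtool.example) are assumptions constructed for the example.

```python
from typing import Dict, Tuple

def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; aspf=s' into
    a tag dict, applying the RFC 7489 defaults (relaxed alignment)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("aspf", "r")   # SPF alignment mode, relaxed by default
    tags.setdefault("adkim", "r")  # DKIM alignment mode, relaxed by default
    return tags

def org_domain(domain: str) -> str:
    """Simplification (assumption): the organizational domain is the last two
    labels. Real validators consult the Public Suffix List (example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(record: Dict[str, str], from_domain: str,
                 spf_pass: bool, spf_domain: str,
                 dkim_pass: bool, dkim_domain: str) -> Tuple[str, str]:
    """Return (result, disposition). DMARC passes when at least one of SPF
    or DKIM passes AND its authenticated domain aligns with the From domain.
    On failure the disposition is the record's p= policy."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]

if __name__ == "__main__":
    # Constructed sample: p=reject with default relaxed alignment.
    rec = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    # Own mail server: SPF passes for mail.example.com -> aligned (relaxed).
    print(dmarc_result(rec, "example.com", True, "mail.example.com", False, ""))
    # Unconfigured third-party tool: SPF and DKIM pass for its own domain,
    # but neither aligns with example.com -> fail, and p=reject blocks it.
    print(dmarc_result(rec, "example.com",
                       True, "bounce.mailtool.example", True, "mailtool.example"))
```

Switching the record to aspf=s shows why strict alignment turns the first, legitimate case into a failure.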

Should I start with p=reject?

No! Start with p=none, analyze the reports, then progress. A premature p=reject blocks your own emails.

How to authorize a third-party service (Mailchimp, etc.)?

Add it to your SPF record (include) and/or configure DKIM with the selector the service provides. One of the two must pass with alignment.

Are DMARC reports mandatory?

No, but highly recommended (rua). They're the only way to know who sends on your behalf and to identify problems.

Ready to Sleep Soundly?

Start free, no credit card required.