What "DMARC fail" actually means
DMARC does not run its own check. It passes when either SPF or DKIM passes and aligns with the domain in the visible From address. If neither passes with alignment, DMARC fails. That single rule explains most surprises:
- Passing SPF is not enough. SPF authenticates the envelope (Return-Path) domain. If that domain does not align with your From domain, the SPF result does not count for DMARC.
- Passing DKIM is not enough. The DKIM signature must be signed by a domain that aligns with your From domain. A third party signing with its own
d=domain does not help you. - You only need one aligned pass. Aligned SPF or aligned DKIM is enough. This is why fixing DKIM often rescues forwarded mail that SPF alone cannot.
For the underlying mechanics, see what is DMARC and SPF vs DKIM vs DMARC.
The common causes of a DMARC failure
1. SPF passes but does not align
- Symptom
- Your reports show
spf=passbutdmarc=fail, usually for a marketing or SaaS platform. - Diagnosis
- The platform sends with its own Return-Path (envelope) domain, so SPF passes for their domain, not yours. Because the envelope domain does not match your From domain, SPF alignment fails and the pass does not count for DMARC.
- Fix
- Configure the service to use a custom Return-Path / bounce domain on a subdomain of yours (many ESPs call this "custom MAIL FROM" or "custom bounce domain"), or rely on aligned DKIM for that sender instead.
2. DKIM is missing, broken, or signed by the wrong domain
- Symptom
- Reports show
dkim=noneordkim=failfor a sender that should be signing. - Diagnosis
- Either DKIM is not configured at all, the published public key does not match the selector the sender uses, the message body was altered after signing, or the signature's
d=domain is the provider's rather than yours (so it cannot align). - Fix
- Set up DKIM for the sender on your own domain and publish the selector's public key in DNS. Confirm with the DKIM Checker. See DKIM setup by provider.
3. Forwarding and mailing lists
- Symptom
- Mail to forwarded addresses or discussion lists fails DMARC even though it is genuine.
- Diagnosis
- Forwarding breaks SPF because the forwarding server's IP is not in your SPF record. Mailing lists often also break DKIM by modifying the subject or body (adding a footer or
[list]tag), which invalidates the signature. - Fix
- You cannot control other people's forwarders, so make sure your own DKIM is solid: aligned DKIM survives plain forwarding. For lists, this is expected breakage; keep it in mind before moving to
p=rejectif your users rely on lists.
4. An unauthorised or forgotten third-party sender
- Symptom
- A sending IP you do not recognise appears in reports failing both SPF and DKIM.
- Diagnosis
- Either a legitimate service (invoicing, CRM, ticketing, a survey tool) was never authorised, or it is a genuine spoofing attempt. The reports tell you which by showing the source IP and volume.
- Fix
- If it is legitimate, authorise it: add it to SPF and enable DKIM. If it is spoofing, that is DMARC doing its job — once you reach enforcement it will be blocked. The reports guide explains how to tell them apart.
5. Strict alignment is too tight
- Symptom
- Subdomain senders (e.g. mail from
news.example.com) fail DMARC even though SPF and DKIM pass. - Diagnosis
- Your record uses strict alignment (
adkim=soraspf=s), which demands an exact domain match. A subdomain that would pass under relaxed alignment fails under strict. - Fix
- Unless you specifically need strict alignment, use the relaxed default (
adkim=r,aspf=r), which treats subdomains as aligned with the organisational domain.
6. A broken SPF record (permerror)
- Symptom
- SPF fails for mail you know is authorised, or reports show
spf=permerror. - Diagnosis
- Your SPF record exceeds the 10 DNS lookup limit, or the domain has more than one
v=spf1record. Either makes receivers treat SPF as broken, so it cannot pass. - Fix
- Merge duplicate records into one and flatten includes with the SPF Flattener. See fixing SPF too many DNS lookups.
How to find out which one it is
You do not have to guess. Two free tools tell you exactly what is failing:
- The DMARC Checker validates your record and flags misconfigured alignment,
sp=, and policy settings. - Your aggregate reports are the ground truth: every sending IP, whether SPF and DKIM passed, and whether each aligned. If you have a report to hand, drop it into the DMARC Report Viewer, or read understanding DMARC reports to interpret the fields.
Reading individual reports works for one sender, but across many domains and services it gets unmanageable fast. ShieldMarc ingests your reports, classifies every failing source, and tells you which of the causes above applies — and whether a failure is a misconfigured legitimate sender or a genuine spoofing attempt.
Does a DMARC failure mean the email was blocked?
Not on its own. What happens to a failing message depends on your policy: p=none delivers it and only reports, p=quarantine sends it to junk, and p=reject blocks it. A failure at p=none is a warning to fix a sender beforeyou enforce, not yet a delivery problem. That is exactly why you fix failures at none, then advance — see quarantine vs reject.
Frequently asked questions
Why did my email fail DMARC?
An email fails DMARC when it does not pass either SPF or DKIM with alignment to the From domain. The most common cause is alignment: the message passes SPF or DKIM for a different domain (often a third-party sender's own domain) that does not match the From address. Other causes are missing or broken DKIM, forwarding that breaks SPF, an unauthorised sender, or a broken SPF record.
Can an email pass SPF and DKIM but still fail DMARC?
Yes. DMARC requires not just that SPF or DKIM passes, but that the passing domain aligns with the domain in the visible From address. A message can pass SPF for the sender's own bounce domain and pass DKIM signed by a third party, yet still fail DMARC because neither aligned domain matches your From domain.
Why does my email pass SPF but fail DMARC?
Because SPF checks the envelope (Return-Path) domain, not the From address. When a third-party service sends with its own Return-Path, SPF passes for that service's domain but does not align with your From domain, so DMARC's SPF check fails. Fix it by giving the service an aligned Return-Path on your own subdomain, or by relying on aligned DKIM.
How do I fix a DMARC failure?
Read your DMARC aggregate reports to see which sending source and which check (SPF or DKIM, and alignment) is failing, then fix that source: add it to SPF, configure DKIM signing on your own domain, or switch it to an aligned Return-Path. Use the free DMARC Checker to confirm your record.
Does a DMARC failure mean my email was rejected?
Not necessarily. What happens to a failing message depends on your policy: p=none delivers it normally and only reports, p=quarantine sends it to junk, and p=reject blocks it. A failure under p=none is a signal to fix a sender before you enforce, not a delivery problem yet.
Stop guessing which sender is failing
Check your record now with the free DMARC Checker. For continuous monitoring that classifies every failing source and flags genuine spoofing, create a free ShieldMarc account and monitor your first domain in minutes.