Common authentication failures
Email authentication breaks in predictable ways. An SPF record hits its lookup limit. A mailing list rewrites your message body and invalidates the DKIM signature. A subdomain sends mail without its own DMARC record, and alignment fails silently.
These guides walk through each failure category with the exact symptoms you will see in your DMARC aggregate reports, the diagnostic commands to pinpoint the cause, and tested fixes you can apply right now. Every guide follows the same structure: symptom, diagnosis, solution, prevention.
SPF errors
Diagnose and fix SPF record problems including the 10 DNS lookup limit, permerror, softfail vs fail, void lookups, and syntax errors. Includes dig and nslookup commands.
DKIM failures
Resolve DKIM verification failures caused by message modification in transit, expired signatures, wrong selectors, short RSA keys, and key rotation mistakes.
DMARC alignment issues
Fix DMARC alignment failures between the visible From header and SPF/DKIM identifiers. Covers relaxed vs strict mode, subdomain policies, and RFC 5321 vs 5322 addresses.
Email forwarding, mailing lists, and ARC
Understand why email forwarding breaks SPF and mailing lists break DKIM. Learn how ARC (RFC 8617) preserves authentication results across intermediaries.
DMARC policy migration
Step-by-step guide to tightening your DMARC policy. Learn how long to stay at each stage, how to read aggregate reports, and how to roll back safely if something breaks.
How to use these guides
Each guide is structured for fast, practical troubleshooting:
- Symptom. What you see in your DMARC aggregate reports, email headers, or bounce logs.
- Diagnosis. The specific DNS queries and header inspections to identify the root cause.
- Solution. Step-by-step instructions to fix the problem, with copy-paste DNS records and commands.
- Prevention. Monitoring and configuration practices to stop the issue from recurring.
Before you start
You will need access to your DNS provider and your DMARC aggregate reports. If you do not have a DMARC monitoring tool yet, create a free DMARCTrust account to start receiving reports within 24 to 48 hours.
For diagnostic commands in these guides, we use dig (Linux/macOS) and nslookup (Windows). Both are available by default on most systems. You can also use our free DMARC checker for a quick visual overview of your domain's authentication status.