Common authentication failures
Email authentication breaks in predictable ways. An SPF record exceeds its 10 DNS lookup limit. A mailing list rewrites your message body and invalidates the DKIM signature. A scanner reports "DMARC policy not enabled". A sender receives "554 5.7.5 permanent error evaluating DMARC policy" and needs to know whether the problem is DNS, alignment, or the recipient gateway.
These guides walk through each failure category with the exact symptoms you will see in DMARC aggregate reports, SMTP bounce logs, email headers, or TLS-RPT files. Every guide follows the same structure: the exact error, why it happens, how to diagnose it, how to fix it, and how to validate the result.
SPF errors
Diagnose and fix SPF record problems including the 10 DNS lookup limit, permerror, softfail vs fail, void lookups, and syntax errors. Includes dig and nslookup commands.
DKIM failures
Resolve DKIM verification failures caused by message modification in transit, expired signatures, wrong selectors, short RSA keys, and key rotation mistakes.
DMARC alignment issues
Fix DMARC alignment failures between the visible From header and the SPF/DKIM identifiers. Covers relaxed vs strict mode, subdomain policies, and the difference between the RFC 5321.MailFrom (envelope) and RFC 5322.From (header) addresses.
Email forwarding, mailing lists, and ARC
Understand why email forwarding breaks SPF and mailing lists break DKIM. Learn how ARC (RFC 8617) preserves authentication results across intermediaries.
DMARC policy migration
Step-by-step guide to tightening your DMARC policy. Learn how long to stay at each stage, how to read aggregate reports, and how to roll back safely if something breaks.
MTA-STS policy fetch failures
Fix the most common MTA-STS error. Diagnose sts-policy-fetch-error from TLS-RPT reports caused by wrong paths, HTTP redirects, Cloudflare blocking, GitHub Pages 404, and expired certificates.
MTA-STS MX and certificate mismatches
Fix mx-mismatch and certificate-host-mismatch errors in TLS-RPT reports. Covers Microsoft 365 wildcard patterns, Google Workspace dual MX families, incomplete certificate chains, and backup MX servers missing STARTTLS.
MTA-STS enforce mode
Avoid breaking inbound email when enabling MTA-STS enforce mode. Covers the three-point sync rule, emergency rollback procedure, max_age cache traps, policy ID versioning, and Microsoft NDR error codes.
TLS-RPT reports
Understand TLS-RPT (RFC 8460) reports. Fix missing reports, decode failure types like certificate-expired and sts-policy-fetch-error, learn which providers send reports, and avoid common misunderstandings.
DMARC policy not enabled
Fix DMARC policy not enabled warnings. Covers missing records, p=none monitoring mode, quarantine/reject requirements, pct rollout, and subdomain policy gaps.
554 5.7.5 permanent error evaluating DMARC policy
Troubleshoot SMTP bounces that say permanent error evaluating DMARC policy. Diagnose malformed records, duplicate _dmarc TXT records, DNSSEC SERVFAIL, and real DMARC rejections.
Recipient address rejected
Diagnose recipient address rejected access denied bounces. Separate mailbox, MX, connector, and security-gateway problems from SPF, DKIM, and DMARC authentication failures.
Multiple DKIM records
Fix multiple DKIM records errors by identifying the selector, removing duplicate TXT records, avoiding CNAME conflicts, and rotating DKIM keys without breaking mail.
How to use these guides
Each guide is structured for fast, practical troubleshooting:
- Symptom. What you see in your DMARC aggregate reports, email headers, or bounce logs.
- Diagnosis. The specific DNS queries and header inspections to identify the root cause.
- Solution. Step-by-step instructions to fix the problem, with copy-paste DNS records and commands.
- Prevention. Monitoring and configuration practices to stop the issue from recurring.
Before you start
You will need access to your DNS provider and your DMARC aggregate reports. If you do not have a DMARC monitoring tool yet, create a free DMARCTrust account to start receiving reports within 24 to 48 hours.
For diagnostic commands in these guides, we use dig (Linux/macOS) and nslookup (Windows). Both are available by default on most systems. You can also use our free DMARC checker for a quick visual overview of your domain's authentication status.
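The SPF and DMARC checks the guides above describe (the 10 DNS lookup limit, void lookups, a missing or duplicated _dmarc record, p=none, pct rollout, missing sp=) can be scripted once you have the TXT answers that dig or nslookup return. The following is an added example written for this page, not code from the DMARCTrust guides or the DMARC checker. It replaces live DNS with a constructed in-memory table so it runs offline; every domain name and address in that table is an assumption made up for the demo, and `txt()` is the hook to swap in a real resolver.

```python
"""Offline SPF/DMARC diagnostics for the failure modes listed above.

Added example, not part of the DMARCTrust guides. DNS answers come from the
constructed TXT table below so the script runs without network; replace txt()
with a real resolver (e.g. dnspython) to run it against a live domain.
"""
import re

# Constructed TXT answers keyed by owner name, as `dig +short TXT <name>` would
# print them. All names and addresses are assumptions made up for this demo.
TXT = {
    "example.com": [
        "v=spf1 include:_spf.mail-a.test include:_spf.mail-b.test "
        "include:_spf.crm.test a mx ptr exists:%{i}.rbl.test ~all",
    ],
    "_spf.mail-a.test": ["v=spf1 include:blk1.mail-a.test include:blk2.mail-a.test -all"],
    "blk1.mail-a.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "blk2.mail-a.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.mail-b.test": ["v=spf1 mx a:relay.mail-b.test ~all"],
    # _spf.crm.test deliberately has no TXT data: that include is a void lookup
    "clean.test": ["v=spf1 include:blk1.mail-a.test -all"],
    "_dmarc.example.com": [          # two records: receivers abandon evaluation
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject",
    ],
    "_dmarc.other.test": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:r@other.test"],
}

LOOKUP_LIMIT = 10   # RFC 7208 section 4.6.4: DNS-querying terms per evaluation
VOID_LIMIT = 2      # RFC 7208 section 4.6.4: void lookups per evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?(?:/\d+(?://\d+)?)?$", re.I)
DMARC_TAG_RE = re.compile(r"^\s*([a-z]+)\s*=\s*(.*?)\s*$", re.I)


class PermError(Exception):
    """Evaluation cannot continue; what a receiver logs as permerror."""


def txt(name):
    """Stand-in for `dig +short TXT name`; [] when the name has no TXT data."""
    return TXT.get(name, [])


def spf_record(name):
    records = [r for r in txt(name) if r.lower().startswith("v=spf1")]
    if len(records) > 1:
        raise PermError(f"{name}: multiple SPF records")   # RFC 7208 section 4.5
    return records[0] if records else None


def count_spf_lookups(domain, path=()):
    """Walk include:/redirect= targets; return (dns_lookups, void_lookups)."""
    if domain in path:
        raise PermError(f"{domain}: include/redirect loop via {' -> '.join(path)}")
    if not txt(domain):
        return 0, 1                      # NXDOMAIN or empty answer: a void lookup
    record = spf_record(domain)
    if record is None:
        raise PermError(f"{domain}: include/redirect target has no SPF record")
    lookups = void = 0
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        m = TERM_RE.match(term)
        if not m:
            raise PermError(f"{domain}: syntax error in term {term!r}")
        mech, arg = m.group(1).lower(), m.group(2)
        if mech not in LOOKUP_TERMS:
            continue                     # ip4, ip6, all and exp cost no DNS query
        lookups += 1
        if mech in ("include", "redirect"):
            sub_lookups, sub_void = count_spf_lookups(arg, path + (domain,))
            lookups += sub_lookups
            void += sub_void
    return lookups, void


def check_spf(domain):
    """Findings for the SPF guide: none, permerror, lookup limit, void lookups."""
    try:
        if spf_record(domain) is None:
            return [f"{domain}: no SPF record (result: none)"]
        lookups, void = count_spf_lookups(domain)
    except PermError as err:
        return [f"permerror: {err}"]
    findings = []
    if lookups > LOOKUP_LIMIT:
        findings.append(f"permerror: {lookups} DNS-querying terms, limit is {LOOKUP_LIMIT}")
    if void > VOID_LIMIT:
        findings.append(f"permerror: {void} void lookups, limit is {VOID_LIMIT}")
    elif void:
        findings.append(f"{void} void lookup(s): an include:/redirect= target has no TXT data")
    return findings


def check_dmarc(domain):
    """Findings for the DMARC guides: missing, duplicate, malformed, p=none, pct, sp."""
    records = [r for r in txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return [f"{domain}: no DMARC record ('DMARC policy not enabled')"]
    if len(records) > 1:   # RFC 7489 section 6.6.3: processing is abandoned
        return [f"{domain}: {len(records)} _dmarc TXT records; receivers abandon evaluation (permerror)"]
    tags = {}
    for part in records[0].split(";"):
        if not part.strip():
            continue
        m = DMARC_TAG_RE.match(part)
        if not m:
            return [f"{domain}: malformed tag {part.strip()!r}"]
        tags[m.group(1).lower()] = m.group(2)
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"{domain}: p= missing or invalid ({policy!r}); treated as p=none "
                        "if rua= is valid, otherwise the record is unusable")
    elif policy == "none":
        findings.append(f"{domain}: p=none is monitoring only; scanners flag 'policy not enabled'")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        findings.append(f"{domain}: pct={pct} applies {policy} to only that share of failing mail")
    if "sp" not in tags:
        findings.append(f"{domain}: no sp= tag; subdomains inherit p={policy}")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "clean.test", "other.test"):
        for line in check_spf(name) + check_dmarc(name):
            print(line)
```

Running it prints the permerror for example.com (11 DNS-querying terms plus one void lookup from the missing _spf.crm.test), the duplicate _dmarc records that produce the 554 5.7.5 bounce, and the pct=50 and missing sp= notes for other.test. Lookups are counted along the include path rather than deduplicated, which matches how receivers evaluate them: the same include reached through two paths costs two lookups.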