DMARC glossary

What does dmarc=fail mean and how do you fix it?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

dmarc=fail in an Authentication-Results header means neither SPF nor DKIM produced an aligned pass for the domain in the visible From: header. The usual causes: forwarding broke SPF, an ESP is sending unaligned, or the mail is genuinely spoofed. The fix is alignment — not asking recipients to whitelist you.

dmarc=fail at a glance
Tagdmarc (Authentication-Results header field)
Valid valuespass · fail · none · temperror · permerror
DefaultNot a DNS tag — it's the verdict the receiving mail server stamps on each message on arrival.
Where it goesIn the Authentication-Results header, e.g. Authentication-Results: mx.google.com; dmarc=fail header.from=yourdomain.com

How dmarc=fail works

DMARC fails when no authentication result aligns with the From: domain. That covers three very different situations. Forwarding: the forwarding server becomes the new sending IP, so SPF fails — but a DKIM signature survives the trip intact unless the forwarder modified the content (mailing lists that rewrite subjects or add footers are the classic DKIM-breakers). Unaligned senders: an ESP passes SPF on its own bounce domain and signs DKIM with its own d= — real authentication, wrong domain, DMARC fail. Spoofing: someone who was never authorised at all — the fail doing exactly its job.

Diagnose by reading the full header. If dkim=pass shows a header.d= that isn't your domain, or spf=pass shows an smtp.mailfrom= on the ESP's domain, you have an alignment problem, not an authentication problem. Fix it at the source: configure the ESP with a custom return-path on your domain and custom DKIM signing with d=yourdomain.com. For forwarding-related fails, aligned DKIM on every outbound stream is the resilience play — it passes where SPF can't.

What doesn't fix it: asking recipients to whitelist you. That patches one inbox while every other receiver on earth keeps failing (and, at enforcement, rejecting) your mail. Alignment fixes it everywhere at once.

Correct record vs common mistake

Correct

Authentication-Results: mx.google.com;
  dkim=pass header.d=yourdomain.com;
  dmarc=pass header.from=yourdomain.com

The fixed state: the ESP signs with your domain as d=, so DKIM aligns and DMARC passes — even where forwarding breaks SPF.

Common mistake

Authentication-Results: mx.google.com;
  spf=pass smtp.mailfrom=bounce.espmail.com;
  dkim=pass header.d=espmail.com;
  dmarc=fail header.from=yourdomain.com

Everything 'passes' — for the ESP's domain, not yours. Nothing aligns with header.from, so DMARC fails. This is the single most common fail pattern.

Troubleshooting dmarc=fail

IssueLikely causeFix
ESP mail fails DMARC though the ESP says 'authentication is set up'The ESP authenticates on its own domain — SPF on its bounce domain, DKIM with its own d=Enable the custom return-path and custom DKIM signing features so both align with your From: domain
Mail through a mailing list fails DMARCThe list rewrote the subject or body, breaking the DKIM signature, and SPF fails on the list's IPExpected with modifying lists — lists mitigate with From: rewriting; on your side, keep aligned DKIM on all streams
Sudden spike of dmarc=fail in the aggregate reportsA new unauthorised source — either a team launched a tool without telling you, or a spoofing campaignIdentify the source IPs in the reports: align it if it's legitimate, and let the policy do its job if it's not

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Every client runs its own mix of ESPs, CRMs, and ticketing tools, and each unaligned one is a dmarc=fail stream. At p=none that's noise in the reports; the day a domain moves to enforcement, it becomes bounced invoices and an angry client. Across 50–200 tenants, finding and aligning every failing source by hand is weeks of header archaeology.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

This is Palisade's core loop: it reads each client domain's aggregate reports, separates the fixable fails (unaligned ESPs, forwarding) from the spoofing, and gets every legitimate source aligned — so domains reach reject with nothing legitimate left failing.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

The passes aren't aligned — they belong to another domain, typically your ESP's bounce or signing domain. DMARC compares them to your From: domain, and an unaligned pass counts for nothing.

It breaks SPF, because the forwarder's IP isn't in your SPF record. DKIM usually survives — unless the forwarder modifies the message, as mailing lists often do. Aligned DKIM is your defense against forwarding fails.

Use the platform's custom-domain settings: a custom return-path (bounce) domain on your domain for SPF alignment, and custom DKIM signing with d=yourdomain.com. Every major ESP supports both.

No. It patches a single recipient while every other receiver keeps failing your mail — and it trains people to bypass the very control that stops spoofing. Fix alignment instead; it fixes every inbox at once.

Whatever your published policy says: delivered normally at p=none, sent to spam at p=quarantine, refused at p=reject. The fail verdict is the trigger; the policy is the action.

Related terms

What is DMARC? Email authentication explained