DMARC glossary
What does dmarc=fail mean and how do you fix it?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
dmarc=fail in an Authentication-Results header means neither SPF nor DKIM produced an aligned pass for the domain in the visible From: header. The usual causes: forwarding broke SPF, an ESP is sending unaligned, or the mail is genuinely spoofed. The fix is alignment — not asking recipients to whitelist you.
dmarc=fail at a glance | |
|---|---|
| Tag | dmarc (Authentication-Results header field) |
| Valid values | pass · fail · none · temperror · permerror |
| Default | Not a DNS tag — it's the verdict the receiving mail server stamps on each message on arrival. |
| Where it goes | In the Authentication-Results header, e.g. Authentication-Results: mx.google.com; dmarc=fail header.from=yourdomain.com |
How dmarc=fail works
DMARC fails when no authentication result aligns with the From: domain. That covers three very different situations. Forwarding: the forwarding server becomes the new sending IP, so SPF fails — but a DKIM signature survives the trip intact unless the forwarder modified the content (mailing lists that rewrite subjects or add footers are the classic DKIM-breakers). Unaligned senders: an ESP passes SPF on its own bounce domain and signs DKIM with its own d= — real authentication, wrong domain, DMARC fail. Spoofing: someone who was never authorised at all — the fail doing exactly its job.
Diagnose by reading the full header. If dkim=pass shows a header.d= that isn't your domain, or spf=pass shows an smtp.mailfrom= on the ESP's domain, you have an alignment problem, not an authentication problem. Fix it at the source: configure the ESP with a custom return-path on your domain and custom DKIM signing with d=yourdomain.com. For forwarding-related fails, aligned DKIM on every outbound stream is the resilience play — it passes where SPF can't.
What doesn't fix it: asking recipients to whitelist you. That patches one inbox while every other receiver on earth keeps failing (and, at enforcement, rejecting) your mail. Alignment fixes it everywhere at once.
Correct record vs common mistake
Correct
Authentication-Results: mx.google.com;
dkim=pass header.d=yourdomain.com;
dmarc=pass header.from=yourdomain.comThe fixed state: the ESP signs with your domain as d=, so DKIM aligns and DMARC passes — even where forwarding breaks SPF.
Common mistake
Authentication-Results: mx.google.com;
spf=pass smtp.mailfrom=bounce.espmail.com;
dkim=pass header.d=espmail.com;
dmarc=fail header.from=yourdomain.comEverything 'passes' — for the ESP's domain, not yours. Nothing aligns with header.from, so DMARC fails. This is the single most common fail pattern.
Troubleshooting dmarc=fail
| Issue | Likely cause | Fix |
|---|---|---|
| ESP mail fails DMARC though the ESP says 'authentication is set up' | The ESP authenticates on its own domain — SPF on its bounce domain, DKIM with its own d= | Enable the custom return-path and custom DKIM signing features so both align with your From: domain |
| Mail through a mailing list fails DMARC | The list rewrote the subject or body, breaking the DKIM signature, and SPF fails on the list's IP | Expected with modifying lists — lists mitigate with From: rewriting; on your side, keep aligned DKIM on all streams |
| Sudden spike of dmarc=fail in the aggregate reports | A new unauthorised source — either a team launched a tool without telling you, or a spoofing campaign | Identify the source IPs in the reports: align it if it's legitimate, and let the policy do its job if it's not |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Every client runs its own mix of ESPs, CRMs, and ticketing tools, and each unaligned one is a dmarc=fail stream. At p=none that's noise in the reports; the day a domain moves to enforcement, it becomes bounced invoices and an angry client. Across 50–200 tenants, finding and aligning every failing source by hand is weeks of header archaeology.
Trusted by MSPs
“Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.”
Alvin Kalli — CSIO, MSP Corp

































Enforce it — don't just monitor it
This is Palisade's core loop: it reads each client domain's aggregate reports, separates the fixable fails (unaligned ESPs, forwarding) from the spoofing, and gets every legitimate source aligned — so domains reach reject with nothing legitimate left failing.
Free 15-day trial · No credit card · Your own domain free forever (NFR)