DMARC glossary

What does dmarc=pass mean in an email header?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

dmarc=pass in an email's Authentication-Results header means the message passed DMARC: at least one of SPF or DKIM passed *and* aligned with the domain in the visible From: header. It proves the sender wasn't spoofing that domain — it does not mean the message isn't spam.

dmarc=pass at a glance
Tagdmarc (Authentication-Results header field)
Valid valuespass · fail · none · temperror · permerror
DefaultNot a DNS tag — it's a verdict the receiving mail server stamps on each message when it arrives.
Where it goesIn the Authentication-Results header, e.g. Authentication-Results: mx.google.com; dmarc=pass header.from=yourdomain.com

How dmarc=pass works

When a mail server receives a message, it runs SPF and DKIM, checks whether either result aligns with the From: domain, and writes the verdict into an Authentication-Results header. dmarc=pass is the good outcome: the domain the recipient sees in From: was genuinely authorised to send this message. The header usually includes context too — header.from= names the domain evaluated, and many receivers annotate the domain's policy, like (p=REJECT).

To see it, open the raw message: in Gmail it's Show original in the message's three-dot menu; in Outlook, open the message and look under View message source or message details. Search the raw text for Authentication-Results and read the dmarc= result alongside the spf= and dkim= lines above it.

Know what a pass doesn't promise. It says the From: domain wasn't forged — nothing more. Spam sent from a domain the spammer legitimately controls gets dmarc=pass. So does phishing from a lookalike domain (yourdornain.com), which passes *its own* DMARC. And only trust the Authentication-Results header your own receiving server stamped — headers further down the chain could have been inserted by anyone.

Correct record vs common mistake

Correct

Authentication-Results: mx.google.com;
  dkim=pass header.d=yourdomain.com;
  spf=pass smtp.mailfrom=yourdomain.com;
  dmarc=pass header.from=yourdomain.com

Both mechanisms pass on the same domain the recipient sees in From: — a fully aligned pass, stamped by the receiving server.

Common mistake

Authentication-Results: unknown-relay.example;
  dmarc=pass header.from=yourdomain.com

A pass stamped by a server that isn't your receiving server proves nothing — anyone can insert an Authentication-Results header earlier in the chain. Trust only the topmost header added by your own mail infrastructure.

Troubleshooting dmarc=pass

IssueLikely causeFix
A phishing message shows dmarc=passIt was sent from a lookalike domain, or a domain the attacker legitimately controlsRead the actual header.from domain character by character — DMARC validates the domain shown, not the domain you expected
Same sender passes at some recipients, fails at othersReceivers evaluate independently; forwarding hops or DNS propagation can differ per pathCheck the aggregate reports to see per-receiver results, and verify DKIM signing on every outbound path
dmarc=pass but the message still landed in spamDMARC is one input to spam filtering, not an override — content and reputation still countAuthentication is table stakes; investigate sending reputation and content separately

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Helpdesk techs triaging phishing tickets across 50–200 tenants routinely misread dmarc=pass as 'not phishing' — and close tickets on lookalike-domain attacks that pass their own DMARC perfectly. The verdict tells you the From: domain is real; a human still has to check it's the *right* domain.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Every legitimate message stamping dmarc=pass is the visible outcome of alignment work — and that work is what Palisade automates per client domain: aligning each sender so real mail passes everywhere, and enforcement can be switched on without casualties.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

No. It means the From: domain wasn't spoofed. Spam from a spammer's own domain passes DMARC, and so does phishing from a lookalike domain. Treat it as one signal, not a verdict on the message.

Open the raw message — 'Show original' in Gmail, 'View message source' in Outlook — and search for Authentication-Results. The dmarc= result sits alongside the spf= and dkim= lines.

The header can be — anyone can insert an Authentication-Results line before your server receives the message. The evaluation itself can't be faked without controlling the domain's DNS or DKIM keys. Trust only the header your own receiving server stamped.

The message passed DMARC, and the annotation shows the sending domain's published policy is p=none. The pass is a pass either way — the policy only matters for messages that fail.

No — one aligned pass is enough. A message can fail SPF entirely (say, after forwarding) and still get dmarc=pass from an aligned DKIM signature.

Related terms

What is DMARC? Email authentication explained