DMARC glossary
What does dmarc=pass mean in an email header?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
dmarc=pass in an email's Authentication-Results header means the message passed DMARC: at least one of SPF or DKIM passed *and* aligned with the domain in the visible From: header. It proves the sender wasn't spoofing that domain — it does not mean the message isn't spam.
dmarc=pass at a glance | |
|---|---|
| Tag | dmarc (Authentication-Results header field) |
| Valid values | pass · fail · none · temperror · permerror |
| Default | Not a DNS tag — it's a verdict the receiving mail server stamps on each message when it arrives. |
| Where it goes | In the Authentication-Results header, e.g. Authentication-Results: mx.google.com; dmarc=pass header.from=yourdomain.com |
How dmarc=pass works
When a mail server receives a message, it runs SPF and DKIM, checks whether either result aligns with the From: domain, and writes the verdict into an Authentication-Results header. dmarc=pass is the good outcome: the domain the recipient sees in From: was genuinely authorised to send this message. The header usually includes context too — header.from= names the domain evaluated, and many receivers annotate the domain's policy, like (p=REJECT).
To see it, open the raw message: in Gmail it's Show original in the message's three-dot menu; in Outlook, open the message and look under View message source or message details. Search the raw text for Authentication-Results and read the dmarc= result alongside the spf= and dkim= lines above it.
Know what a pass doesn't promise. It says the From: domain wasn't forged — nothing more. Spam sent from a domain the spammer legitimately controls gets dmarc=pass. So does phishing from a lookalike domain (yourdornain.com), which passes *its own* DMARC. And only trust the Authentication-Results header your own receiving server stamped — headers further down the chain could have been inserted by anyone.
Correct record vs common mistake
Correct
Authentication-Results: mx.google.com;
dkim=pass header.d=yourdomain.com;
spf=pass smtp.mailfrom=yourdomain.com;
dmarc=pass header.from=yourdomain.comBoth mechanisms pass on the same domain the recipient sees in From: — a fully aligned pass, stamped by the receiving server.
Common mistake
Authentication-Results: unknown-relay.example;
dmarc=pass header.from=yourdomain.comA pass stamped by a server that isn't your receiving server proves nothing — anyone can insert an Authentication-Results header earlier in the chain. Trust only the topmost header added by your own mail infrastructure.
Troubleshooting dmarc=pass
| Issue | Likely cause | Fix |
|---|---|---|
| A phishing message shows dmarc=pass | It was sent from a lookalike domain, or a domain the attacker legitimately controls | Read the actual header.from domain character by character — DMARC validates the domain shown, not the domain you expected |
| Same sender passes at some recipients, fails at others | Receivers evaluate independently; forwarding hops or DNS propagation can differ per path | Check the aggregate reports to see per-receiver results, and verify DKIM signing on every outbound path |
| dmarc=pass but the message still landed in spam | DMARC is one input to spam filtering, not an override — content and reputation still count | Authentication is table stakes; investigate sending reputation and content separately |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Helpdesk techs triaging phishing tickets across 50–200 tenants routinely misread dmarc=pass as 'not phishing' — and close tickets on lookalike-domain attacks that pass their own DMARC perfectly. The verdict tells you the From: domain is real; a human still has to check it's the *right* domain.
Trusted by MSPs
“Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.”
Alvin Kalli — CSIO, MSP Corp

































Enforce it — don't just monitor it
Every legitimate message stamping dmarc=pass is the visible outcome of alignment work — and that work is what Palisade automates per client domain: aligning each sender so real mail passes everywhere, and enforcement can be switched on without casualties.
Free 15-day trial · No credit card · Your own domain free forever (NFR)