Uh oh! Are you receiving email non-delivery reports (bounces or rejections) warning you of DMARC failures? If you’re scratching your head wondering what that means, you’re not alone. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a key protocol in protecting your domain from email spoofing, but when things go wrong, it can leave your legitimate emails stranded.
In simple terms, DMARC failures mean your emails aren’t passing the security checks that DMARC enforces, and as a result, they’re getting blocked or rejected. This can be frustrating, especially when trying to maintain communication with customers or partners.
But don’t worry—DMARC failures aren’t the end of the road. In this post, we’ll break down what these errors mean, why they happen, and, most importantly, what you can do to fix them. Whether you’re dealing with the occasional bounce or a more widespread issue, we have the insights to get your emails back on track. Read on to remedy your DMARC fail results.
What does DMARC failure look like?
To successfully implement DMARC to protect your email domains against phishing and spoofing, you must authenticate all the legitimate emails you send. This means configuring DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), or both, so that all of the email messages your company sends (1:1 email, transactional messages, email newsletters, or email marketing) are fully and properly authenticated and proven to be legitimately using your email domain name in the From address.
If you fail to configure either DKIM or SPF properly, your email messages can be rejected when your DMARC policy tells inbox providers to reject messages that aren’t fully authenticated.
The most common DMARC failure examples
Almost all inbox providers will send rejections back in the case of improperly authenticated email violating a domain’s DMARC policy.
- Gmail’s response: “550-5.7.26 Unauthenticated email from domain.com is not accepted due to domain’s DMARC policy. Please contact the administrator of [your] domain if this was a legitimate mail. To learn about the DMARC initiative, go to https://support.google.com/mail/?p=DmarcRejection – gsmtp.”
- Microsoft Outlook’s response: “550 5.7.509 Access denied, sending domain does not pass DMARC verification and has a DMARC policy of reject. [ABC123.namprd13.prod.outlook.com].”
- Yahoo’s response: “554 5.7.9 Message not accepted for policy reasons. See https://senders.yahooinc.com/error-codes.”
Almost always, the rejection will specifically refer to DMARC policy and indicate that the message violates the sending domain’s DMARC policy. In nearly every case, this points to a misconfiguration in the email authentication settings of some email service used by the owner of that email domain.
How to fix DMARC failures
You’ll want to make a list of all the email sending services you use to send email messages using your email domain name. This could include:
- Email Service Providers (ESP) or Email Newsletter Platforms like Mailchimp, Substack, or various Marketing Clouds
- Customer Relationship Management (CRM) Platforms like Insightly CRM, Salesforce or HubSpot
- Business Email Platforms for 1:1 email like Microsoft 365 or Google Workspace
If you’re a Valimail customer, our Precision Sender Intelligence functionality can help you properly identify these email services and more, helping you easily map out your full email sending universe.
After you’ve identified each of your email sending platforms, you’ll need to review their guidance and documentation on how to implement DKIM and SPF email authentication properly.
- For DKIM, almost every email sending platform allows you to “configure a custom domain” or “enable email authentication” so that messages are signed using your domain, making sure the DKIM signature domain “aligns” with (matches) the visible From domain in your email sends. DKIM “alignment” is always a best practice and almost always necessary to pass DMARC checks properly and prevent unexpected email rejections.
- For SPF, only certain sending platforms will allow you to customize the “return-path” domain to enable full “alignment” of the SPF domain to your visible From domain. Be sure to read their documentation and follow their guidance. If they encourage you to focus only on DKIM, that’s generally going to be okay.
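The alignment rule from the two bullets above, as an added example (not Valimail's code or any inbox provider's implementation): DMARC passes only when SPF or DKIM both passes and uses a domain aligned with the visible From domain. All domains are constructed, and `org_domain` is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# All domains and results below are constructed sample data.

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption: real evaluators consult the Public Suffix List, so
    this is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 'r' (relaxed): org domains match; 's' (strict): exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf: (result, return_path_domain); dkim_sigs: [(result, d_domain)].
    DMARC passes when at least one mechanism both passes and aligns."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Platform defaults: SPF and DKIM both pass, but for the platform's domain.
default_esp = dmarc_result(
    "example.com",
    spf=("pass", "bounce.esp-mail.example.net"),
    dkim_sigs=[("pass", "esp-mail.example.net")])

# After configuring a custom domain: a second signature with d=mail.example.com.
custom_dkim = dmarc_result(
    "example.com",
    spf=("pass", "bounce.esp-mail.example.net"),
    dkim_sigs=[("pass", "esp-mail.example.net"), ("pass", "mail.example.com")])

if __name__ == "__main__":
    print("default ESP :", default_esp)
    print("custom DKIM :", custom_dkim)
```

The first case fails DMARC even though both checks report "pass", which is the pattern behind most of the rejections quoted earlier.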
After confirming that you’ve implemented or corrected the email authentication configuration for a given email send platform, test it using our new Email Analyzer Report, available free to users of Valimail Monitor.
Common DMARC record mistakes to check for
If you’re running into the very specific “554 5.7.5 Permanent Error Evaluating DMARC Policy” error message, a rejection received when trying to send email messages to specific domains, it is warning you that your domain’s DMARC record is misconfigured: some part of it may have extra characters, be missing characters, or have settings configured incorrectly.
Errors in your DMARC configuration can include:
- More than one DMARC DNS TXT record for a given domain (only one is allowed)
- Missing or extra periods in various places in the DNS TXT record
- Missing “mailto:” in the email address section of the RUA (aggregate reporting address) or RUF (forensic reporting address) in the DNS TXT record
- Typo or misspelling of a setting or option in the DNS TXT record, such as policy= instead of p= or p=noone instead of p=none
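A small linter for the mistakes listed above, added here as an illustration (not Valimail's Domain Checker or its logic). It takes the TXT strings found at `_dmarc.<domain>`; the sample records and the `lint_dmarc` name are constructed for this example.

```python
# Added example: lint DMARC TXT records for the mistakes listed above.
import re

KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}
# mailto:local@domain with at least one period and no empty labels
ADDR = re.compile(r"^mailto:[^@\s]+@[a-z0-9-]+(\.[a-z0-9-]+)+(![0-9]+[kmgt]?)?$", re.I)

def lint_dmarc(txt_records):
    """txt_records: every TXT string published at _dmarc.<domain>.
    Returns a list of problems; an empty list means none were found."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no TXT record starting with v=DMARC1"]
    problems = []
    if len(dmarc) > 1:
        problems.append(f"{len(dmarc)} DMARC records published; only one is allowed")
    for record in dmarc:
        tags = {}
        for part in filter(None, (p.strip() for p in record.split(";"))):
            name, _, value = part.partition("=")
            name = name.strip().lower()
            if name in KNOWN_TAGS:
                tags[name] = value.strip()
            else:
                problems.append(f"unknown or malformed tag '{part}'")
        if tags.get("v") != "DMARC1":
            problems.append("version must be exactly 'v=DMARC1' (stray characters?)")
        policy = tags.get("p")
        if policy is None:
            problems.append("required p= tag is missing")
        elif policy.lower() not in POLICIES:
            problems.append(f"invalid policy 'p={policy}'")
        for name in ("rua", "ruf"):
            for uri in filter(None, (u.strip() for u in tags.get(name, "").split(","))):
                if not uri.lower().startswith("mailto:"):
                    problems.append(f"{name} address '{uri}' is missing 'mailto:'")
                elif not ADDR.match(uri):
                    problems.append(f"{name} address '{uri}' is malformed; check the periods")
    return problems

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "clean": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "typos": ["v=DMARC1; policy=none; rua=dmarc@example.com"],
    "duplicate": ["v=DMARC1; p=none", "v=DMARC1; p=noone"],
}
if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", lint_dmarc(records) or "no problems found")
```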
Visit the Valimail DMARC Domain Checker to see if our free tool can help you troubleshoot issues with your DMARC record.
Get expert DMARC help
Need help getting it right with DMARC? You’re in the right place.
Valimail provides the expertise and tools you need to automate your DMARC and protect your domains from phishing attacks with plug-and-play integration—no code necessary. See for yourself. Schedule a demo with one of our experts to see how Valimail can protect your brand.
Industry Research and Community Engagement Lead at Valimail
Al Iverson