Troubleshoot DMARC issues

Follow the troubleshooting steps in this article if messages from your domain are:

  • Failing DMARC
  • Rejected by receiving servers
  • Sent to recipients’ spam folders

Important: Organizations that get incoming email can choose to quarantine or reject certain messages, even if those messages pass DMARC checks. Read details in RFC 7489. To help prevent legitimate messages from being sent to spam, email senders should follow these guidelines.

Verify your DMARC record

First, check your DMARC set up. If your DMARC record appears to be correctly configured, continue to the troubleshooting methods in this article.

Verify messages pass authentication

Make sure SPF and DKIM are set up

Make sure you've set up SPF and DKIM for your domain. SPF and DKIM should be enabled for at least 48 hours before enabling DMARC. To get detailed steps for setting up SPF and DKIM, go to Help prevent spoofing, phishing & spam.

If you don't set up SPF and DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues.

Check message headers

Email message headers contain the results for SPF, DKIM, and DMARC authentication checks. To check if messages from your domain are passing authentication checks:

Verify messages pass all three authentication checks: SPF, DKIM, and DMARC.

Check DMARC reports

To verify that messages pass all three authentication checks: SPF, DKIM, and DMARC, check your DMARC reports or DMARC report analysis from your third-party service.

If valid outgoing messages fail DMARC

When an outgoing message from your domain fails DMARC authentication, the person who sent the message might get this error in a bounce message:

"5.7.26" Unauthenticated email from domain-name is not accepted due to domain's DMARC policy. Please contact the administrator of domain-name domain if this was a legitimate mail. Please visit Control unauthenticated mail from your domain to learn about the DMARC initiative.

The DMARC policy for your domain is causing this issue.

Recommended steps:

  • Check the SPF and DKIM settings for your domain, and make sure outgoing messages pass SPF and DKIM authentication. To pass DMARC authentication, outgoing messages must pass either SPF or DKIM.
  • Check the DMARC policy and alignment settings for your domain. A DMARC policy with strict alignment increases the likelihood that messages are rejected or sent to spam.
  • Check your DMARC daily reports to identify which outgoing messages don’t pass SPF, DKIM, or DMARC.

Check your mail sending practices

If your DMARC policy has enforcement set to none and messages are sent to spam, the cause might be something other than your DMARC record.

Make sure you're following the recommended guidelines for sending mail to Gmail users, especially if you send a lot of mail.

Get more information with Email Log Search

For messages sent through Google Workspace, find out more information about a specific message in Email Log Search.

Search for a specific message using the Sender IP address. Then review Email Log Search result details to read Message details, Post-delivery message details, and Recipient details.

Recommended troubleshooting steps

Problem description Possible causes Troubleshooting steps
Message failed DKIM authentication This message failed the DKIM check. Check if messages sent from other allowed sources in your domain are also failing DKIM. This helps you understand if it’s just one message from one source, or if multiple sources are affected.
The message was modified during transit or after the DKIM signature was added to the message. Find out if the message was routed through another server, where it might have been modified. Ask the administrator of the server to not modify messages, which can cause DKIM to fail.
There's a problem with your DKIM TXT record. Verify the DKIM key is published with the Google Admin Toolbox. Enter your domain in the Check MX page.
There's a problem with the DKIM key.

Verify your published DKIM record. For messages sent from Google Workspace, this should be the DKIM key you added to your domain.

For messages sent by a third-party service, check the third-party documentation for steps to verify the DKIM key.

Message failed SPF authentication. This message failed the SPF check. Check if messages sent from other allowed sources in your domain are also failing SPF. This helps you understand if it’s just one message from one source, or if multiple sources are affected.
The message was sent by a server that's not in your SPF record.

Check your SPF record to make sure it includes all IP addresses and domains that are allowed to send mail for your domain. Messages sent from servers not in your SPF record can fail authentication.

Get a list of all IP addresses and domains in your SPF record with the Google Admin Toolbox. Enter your domain in the Check MX page, then check Effective SPF Address Ranges.

There's a problem with your DNS SPF record. Verify your SPF record with the Google Admin Toolbox. Enter your domain in the Check MX page.
Message failed DMARC authentication. This message failed the DMARC check. Check if messages sent from other allowed sources in your domain are also failing DMARC. This helps you understand if it’s just one message from one source, or if multiple sources are affected
The message fails other authentication checks. Verify that the message passes either SPF or DKIM checks.
The message header isn’t aligned.

Verify the authentication method (SPF or DKIM) is aligned with the header From: address.

Learn more about DMARC alignment.

There's a problem with your DMARC SPF record.

Verify your DMARC record with the Google Admin Toolbox. Enter your domain in the Check MX page.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
313440544643245531
true
Search Help Center
true
true
true
true
true
73010
false
false