dmarc=fail high
DMARC fail (p=reject / p=quarantine) — message rejected or sent to spam
Mail failed DMARC because neither SPF nor DKIM passed with alignment to the From: domain, so the receiver bounced or spam-foldered it.
What you see
Authentication-Results: mx.google.com; dkim=fail (...) [email protected]; spf=pass (...) smtp.mailfrom=mail.sender.net; dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=example.com
What’s actually happening
Your mail bounces or lands in spam, and the recipient's headers show dmarc=fail. The catch: SPF or DKIM can show pass on their own and DMARC still fails. DMARC requires alignment — at least one of them must pass for a domain that matches your visible From: domain. With the published policy at p=reject the receiver bounces it; at p=quarantine it routes to the spam folder.
Common causes
- SPF passes but for the return-path domain (e.g. a relay's domain), which doesn't align with the From: domain — so DMARC ignores it
- DKIM isn't signing at all, or signs with a d= domain that doesn't match the From: domain
- You send through a third party (ESP, CRM, help desk) that isn't authorized in your SPF record and doesn't DKIM-sign as your domain
- No DKIM key is published in DNS, or the selector record is missing/typo'd
- Strict alignment (aspf=s / adkim=s) is set, so only an exact domain match counts and a subdomain of the From: domain isn't treated as aligned
How to fix it
- Read a real header to see what failed. Send to Gmail, open Show original, and look at the Authentication-Results line. Note whether spf and dkim each pass, and crucially whether smtp.mailfrom (SPF) and header.i / d= (DKIM) match header.from. DMARC needs one of those to both pass AND align — that diagnosis drives everything else.
- Align SPF via the return-path. Make the envelope-from (return-path) use a domain that matches or is a subdomain of your From: domain, and list every legitimate sending source in one SPF TXT record. SPF passing for a relay's own domain does nothing for DMARC alignment.
- Set up DKIM signing on your own domain. Generate a DKIM key for each sending service, publish the selector._domainkey TXT record in your DNS, and confirm the signature's d= equals your From: domain. DKIM survives forwarding where SPF breaks, so aligned DKIM is the more durable of the two.
- Authorize third-party senders explicitly. For every tool that mails as your domain (Mailchimp, Zendesk, Google Workspace), add its SPF include and publish its DKIM record per that vendor's instructions. An unlisted sender is exactly what DMARC is designed to reject.
- Roll the policy out gradually. Start at p=none with a rua= reporting address, read the aggregate reports until all your legitimate sources pass aligned, then tighten to p=quarantine and finally p=reject. Jumping straight to p=reject before alignment is clean will bounce your own mail.
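The check that the first step does by eye, as an added Python example (not part of the original page): it parses an Authentication-Results value and recomputes the DMARC verdict under relaxed or strict alignment. The sample header is constructed, the function names are hypothetical, and the organizational domain is approximated as the last two labels instead of a Public Suffix List lookup.

```python
import re

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # use the Public Suffix List, so this is wrong for suffixes like co.uk.
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict (aspf=s / adkim=s): exact match. Relaxed: same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_auth_results(value):
    """Parse an Authentication-Results value into {method: [(result, props)]}."""
    value = re.sub(r"\([^)]*\)", " ", value)      # drop (comments)
    parsed = {}
    for part in value.split(";")[1:]:             # part 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed.setdefault(method.lower(), []).append((result.lower(), props))
    return parsed

def diagnose(value, aspf_strict=False, adkim_strict=False):
    """Recompute DMARC: a mechanism counts only if it passes AND aligns."""
    res = parse_auth_results(value)
    from_domain = res["dmarc"][0][1]["header.from"]
    spf_ok = any(
        r == "pass" and aligned(p.get("smtp.mailfrom", "").split("@")[-1],
                                from_domain, aspf_strict)
        for r, p in res.get("spf", []))
    dkim_ok = any(
        r == "pass" and aligned((p.get("header.d") or p.get("header.i", "")).split("@")[-1],
                                from_domain, adkim_strict)
        for r, p in res.get("dkim", []))
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample modelled on the header shown above (not a captured message).
SAMPLE = ("mx.google.com; dkim=fail (...) header.i=@example.com; "
          "spf=pass (...) smtp.mailfrom=mail.sender.net; "
          "dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=example.com")

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

In the sample, SPF passes for mail.sender.net, which does not align with example.com, so it contributes nothing to DMARC.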
Stop it recurring
Align both SPF (return-path) and DKIM (d=) to your visible From: domain, and move to p=reject only after DMARC reports show every legitimate sender passing.