DMARC Fail

A DMARC fail means no SPF- or DKIM-authenticated domain aligned with your From: address. Learn the real causes (forwarding, unaligned DKIM) and how to fix it.

Updated Jul 1, 2026

The short answer

A DMARC fail means the domain in your visible From: header did not match (align with) any domain that passed SPF or DKIM, so the receiver could not confirm you authorized the message. Per RFC 9989, DMARC passes only when at least one of SPF or DKIM passes AND is aligned with the From domain. Fix it by setting up domain-aligned DKIM signing and correcting alignment.

A DMARC fail is not an SMTP reply code — it is a verdict produced by the receiving mail server when it evaluates your message against the DMARC policy published in your domain's DNS. It appears in Authentication-Results headers (dmarc=fail) and in the aggregate (RUA) reports receivers send back.

What does "DMARC fail" mean?

Per RFC 9989 §4.2, a message passes DMARC only when at least one of SPF or DKIM (1) produces a pass result and (2) does so for an identifier that is in alignment with the domain in the visible From: header (RFC5322.From). If neither mechanism is both passing and aligned, the result is dmarc=fail. RFC 9989 is the current Standards-Track specification, having obsoleted the original informational RFC 7489 (together with companion RFCs 9990 and 9991) as of the 2026 "DMARCbis" update.

The key insight that trips most people up: SPF and DKIM can each pass and DMARC can still fail. This is because DMARC checks alignment, not just authentication. SPF authenticates the envelope MAIL FROM (Return-Path) domain, and DKIM authenticates the d= signing domain — but DMARC requires one of those to match the From: domain your recipient actually sees (RFC 9989 §3.1).

What causes a DMARC fail?

  • DKIM not signing with your domain (most common, fixable cause). If your sending platform signs with its own domain (e.g. d=sendgrid.net) instead of yours, DKIM is authenticated but unaligned, so it does not satisfy DMARC.
  • No DKIM signature at all. With DKIM absent, DMARC leans entirely on SPF alignment, which is fragile (see forwarding).
  • Forwarding breaks SPF. When a message is forwarded, the forwarding server's IP is not in your SPF record, so SPF fails. DKIM normally survives forwarding — which is why an aligned DKIM signature is the reliable path to DMARC pass (RFC 9989).
  • Alignment mode too strict. aspf=s / adkim=s require an exact domain match; r (relaxed, the default) allows the same Organizational Domain, so mail.example.com aligns with example.com (RFC 9989 §3.1.1–3.1.2).
  • An unauthorized sender — a third-party tool you forgot to authorize, or a genuine spoof/forgery. DMARC working as intended.

How do I fix a DMARC fail?

  1. Read your DMARC reports. Failures are diagnosed from RUA aggregate reports, not guesswork. They show which sending IP, which SPF/DKIM result, and whether each was aligned.
  2. Set up domain-aligned DKIM on every sending source. This is the durable fix. In SendGrid, enable Domain Authentication, which adds CNAME records so Twilio manages DKIM signing for your domain. Verify it in your ESP dashboard or by inspecting the DKIM-Signature header for a d= value matching your sending domain.
  3. Fix SPF alignment by sending from a Return-Path/subdomain under your Organizational Domain, and keep aspf=r (relaxed) unless you have a specific reason for strict.
  4. Authorize every legitimate sender in SPF/DKIM before tightening policy.
  5. Stage your policy. Start at p=none (monitor only), confirm legitimate mail authenticates and aligns in reports, then move to p=quarantine and finally p=reject (RFC 9989 §6.3). Use the sp= tag to set a separate subdomain policy.

A minimal monitoring record:

_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r"

If the failing mail is a forgery rather than your own traffic, a p=reject policy is the correct outcome — those messages should fail.

FAQ

Common questions

Because DMARC also requires alignment. SPF authenticates the Return-Path domain and DKIM authenticates the d= signing domain; if neither matches the From: header domain (under relaxed or strict rules), DMARC fails even though both mechanisms individually passed (RFC 9989 §4.2).

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Reply-code definitions per RFC 9989 §4.2, §3.1 (obsoletes RFC 7489). Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.