A DMARC fail means no SPF- or DKIM-authenticated domain aligned with your From: address. Learn the real causes (forwarding, unaligned DKIM) and how to fix it.
Updated Jul 1, 2026
The short answer
A DMARC fail means the domain in your visible From: header did not match (align with) any domain that passed SPF or DKIM, so the receiver could not confirm you authorized the message. Per RFC 9989, DMARC passes only when at least one of SPF or DKIM passes AND is aligned with the From domain. Fix it by setting up domain-aligned DKIM signing and correcting alignment.
A DMARC fail is not an SMTP reply code — it is a verdict produced by the receiving mail server when it evaluates your message against the DMARC policy published in your domain's DNS. It appears in Authentication-Results headers (dmarc=fail) and in the aggregate (RUA) reports receivers send back.
Per RFC 9989 §4.2, a message passes DMARC only when at least one of SPF or DKIM (1) produces a pass result and (2) does so for an identifier that is in alignment with the domain in the visible From: header (RFC5322.From). If neither mechanism is both passing and aligned, the result is dmarc=fail. RFC 9989 is the current Standards-Track specification, having obsoleted the original informational RFC 7489 (together with companion RFCs 9990 and 9991) as of the 2026 "DMARCbis" update.
The key insight that trips most people up: SPF and DKIM can each pass and DMARC can still fail. This is because DMARC checks alignment, not just authentication. SPF authenticates the envelope MAIL FROM (Return-Path) domain, and DKIM authenticates the d= signing domain — but DMARC requires one of those to match the From: domain your recipient actually sees (RFC 9989 §3.1).
d=sendgrid.net) instead of yours, DKIM is authenticated but unaligned, so it does not satisfy DMARC.aspf=s / adkim=s require an exact domain match; r (relaxed, the default) allows the same Organizational Domain, so mail.example.com aligns with example.com (RFC 9989 §3.1.1–3.1.2).DKIM-Signature header for a d= value matching your sending domain.aspf=r (relaxed) unless you have a specific reason for strict.p=none (monitor only), confirm legitimate mail authenticates and aligns in reports, then move to p=quarantine and finally p=reject (RFC 9989 §6.3). Use the sp= tag to set a separate subdomain policy.A minimal monitoring record:
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r"
If the failing mail is a forgery rather than your own traffic, a p=reject policy is the correct outcome — those messages should fail.
References
FAQ
Because DMARC also requires alignment. SPF authenticates the Return-Path domain and DKIM authenticates the d= signing domain; if neither matches the From: header domain (under relaxed or strict rules), DMARC fails even though both mechanisms individually passed (RFC 9989 §4.2).
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Reply-code definitions per RFC 9989 §4.2, §3.1 (obsoletes RFC 7489). Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.