DMARC issues

Troubleshooting the common DMARC issues 

ByBrad Slavin
Troubleshooting the common DMARC issues 
Troubleshooting the common DMARC issues 
/

Over the last year or so, DMARC adoption has increased manifold, primarily due to email authentication-related announcements and requirements. Starting Feb 1, 2024, Gmail and Yahoo began requiring bulk email senders (defined as domains sending over 5,000 emails per day to their services) to implement SPF, DKIM, and DMARC while also maintaining a spam complaint rate below ~0.3%. 

Then, in March 2025, came the PCI DSS v4.0’s compliance framing requirements that didn’t explicitly mandate DMARC, but required ‘automated phishing protection mechanisms.’ This was followed by Microsoft Outlook enforcing DMARC for bulk senders, starting May 5, 2025. 

PCI DSS v4.0’s

All these proactive steps by the leading mailbox providers and regulatory frameworks have led to a substantial increase in the global DMARC adoption rate.

But many domain owners have just deployed DMARC for the sake of compliance. What we mean here is that their DMARC settings are not configured adequately enough to prevent phishing and spoofing. Such improper configurations trigger different kinds of DMARC issues, which ultimately mess up your email deliverability and jeopardize your brand’s integrity

In this blog, we’ll talk about the common DMARC issues and how to fix them.

DMARC authentication

Potential causes for failed DMARC authentication

If DMARC is causing trouble, check if there is any issue with DNS records. If that’s not the case, then these are the potential causes stemming from misalignment or overlooked nuances-

Improper DMARC alignment mode

There are two DMARC alignment modes: relaxed and strict. In the ‘relaxed’ DMARC alignment mode, subdomain alignment is allowed (for example, mail.example.com aligning with example.com). In strict mode, the exact domain must match. Some domain owners unknowingly set strict alignment in their DMARC policy, which then causes legitimate third-party senders to fail authentication. 

So, it’s important that you pay attention to the alignment mode and choose the one that reflects your actual sending sources to avoid blocking your own emails.

DMARC alignment failure

While most domain owners and CISOs know that DMARC is based on SPF and DKIM, what they don’t know is that it also depends on domain alignment. This simply means that the authenticated domain from SPF or DKIM must be the same as the ‘From’ address domain. 

domain alignment

So, if SPF check for your outgoing emails passes via a subdomain or third-party sender, but that particular domain isn’t the same as the one in the visible ‘From’ address, DMARC will fail.

DMARC alignment can be strict or relaxed, but many failures occur because it was never appropriately enforced. 

Missing DKIM signature

Another surprisingly common cause of DMARC failure is that the email simply isn’t DKIM-signed at all. This happens when third-party platforms (like marketing tools or CRMs) aren’t configured to sign on your domain’s behalf. Even if SPF passes, if the DKIM signature is missing and SPF fails alignment, DMARC has no valid identifier to fall back on—and fails. Regularly auditing all sending services and ensuring they’re signing with your domain’s private DKIM key is crucial to avoid silent rejections or dips in deliverability.

CRMs

Fixing DMARC issues 

DMARC is a sensitive protocol, which means even the slightest misconfiguration can upset the whole system and disrupt email deliverability. Now this essentially means that you need to be on top of the potential causes shared above so that you don’t run into DMARC issues. What it also means is that you need to ensure you explore the following solutions for DMARC to function smoothly and efficiently-

1. Ensure SPF and DKIM are configured correctly

DMARC builds on SPF and DKIM results. So, it’s vital to ensure these two authentication protocols are set up correctly. For DKIM, if you don’t create your own signature, your email provider (like Gmail) will usually use a default one. For example, Gmail might use something like d=domain.gappssmtp.com. The problem is that the domain doesn’t match the one in your email’s “From” address, and this mismatch can cause trust issues with email filters.

To avoid that, make sure your SPF and DKIM records are set up correctly in your domain’s DNS settings. Here’s what they typically look like:

email deliverability

SPF record:

v=spf1 include:_spf.google.com ~all

DKIM record:

v=DKIM1; k=rsa; p=[your public key goes here]

After these are added, you can move on to setting up DMARC with this TXT record:

DMARC record:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:postmaster@example.com

Just replace example.com with your real domain name. If you’re unsure where to add these records, your DNS provider (like GoDaddy, Namecheap, or Cloudflare) should have a help guide. You can also contact their support to walk you through it.

2. Adjust your DMARC policies

When an email fails DMARC, there are three possible outcomes: it can be completely rejected, sent to the spam folder, or delivered normally. If your DMARC policy is set to “none”, the email will go through to the inbox even if it fails the DMARC checks.

spam folder

So, one quick fix could be to change your DMARC policy to “none“. To do that, just add this TXT record to your DNS:

v=DMARC1; p=none; sp=quarantine; rua=mailto:postmaster@example.com

(Please remember to replace the email address with your own domain’s reporting email.)

Now, a little heads-up: setting your policy to “none” isn’t the most secure option; it’s more like putting DMARC in watch mode. So, it’s best used as a temporary workaround, not a long-term solution.

3. Authenticate your domain

If you’re using a service like Mailchimp to send emails from your domain, you’ll need to update your DNS settings so that Mailchimp is allowed to send on your behalf.

The first step is verifying your domain. This only works if the domain actually belongs to you or your business. You can’t do this if you’re using a free Gmail or Yahoo address. Once verified, Mailchimp (or whichever tool you’re using) will give you a few records to add—usually CNAMEs or TXT entries. Just copy and paste them into your domain’s DNS settings. If you’re not sure how to do that, your domain host should have clear instructions.

protection against spoofing

If you’re still setting things up and want to monitor your email traffic without blocking anything, you can start with a relaxed DMARC policy. That means adding a TXT record like this to your DNS:

v=DMARC1; p=none; sp=quarantine; rua=mailto:postmaster@example.com

Make sure to replace the email with one from your domain. Just keep in mind that using “p=none” doesn’t provide real protection against spoofing. It’s more of a soft launch. Once you’re sure everything’s working, you’ll want to switch to a stricter policy for better security.

Setting this up can take a few minutes, and once it’s done, your DMARC will start functioning efficiently. 

If you’re having trouble with your email authentication, we’re here to help

Similar Posts

How Do You Configure Third-Party Vendors to Be DMARC Compliant?

How Do You Configure Third-Party Vendors to Be DMARC Compliant?

ByBrad Slavin

According to the How Businesses Hire Agencies Study by Semrush, nearly 94% of businesses outsource some or all of their marketing activities, including sending emails on their behalf. With such outsourcing comes the risk of opening up new gateways for malicious actors to access, intercept, and exploit your technical and non-technical resources.  So, deploying SPF,…

DMARC Adoption Amongst US Education Sector

DMARC Adoption Amongst US Education Sector

ByBrad Slavin

DMARC works by allowing organizations to define how their email domains should be authenticated and to receive reports on how their emails are being handled by other mail servers — protecting them against unauthorized email spoofing, phishing attempts, and cybercriminals seeking to impersonate their domain.  However, despite its effectiveness, DMARC adoption in the US education…

Yahoo Japan rings in the new year with DMARC adoption

Yahoo Japan rings in the new year with DMARC adoption

ByBrad Slavin

It’s 2025, and email authentication is more than just a ‘good-to-have’ aspect for any organization trying to thrive in this digital world riddled with cyberattacks!  Not only organizations but even email service providers recognize this and understand the importance of implementing security measures to protect their users from phishing, spoofing, and domain impersonation. Perhaps this…

How to Add HubSpot SPF, DMARC, and DKIM for Email Authentication

How to Add HubSpot SPF, DMARC, and DKIM for Email Authentication

ByBrad Slavin

Email authentication might sound like a technical term reserved for IT professionals, but it’s something we all need to consider if we want our messages to land safely in inboxes rather than get lost in spam folders. In an age where trust is hard-won and easily lost, knowing how to implement protocols like SPF, DKIM,…

Reasons Why You Aren’t Receiving DMARC XML Reports

Reasons Why You Aren’t Receiving DMARC XML Reports

ByBrad Slavin

Once you have created a DMARC record, the job is not over; the real work of monitoring begins after that. Domain owners or administrators have to assess XML reports to understand if someone is sending unauthorized emails from your domain.  But what if you don’t receive these reports in the first place? You won’t get…