Quick Answer
DMARC failures happen when email fails both SPF alignment and DKIM alignment checks simultaneously. The most common causes: sending through a third-party service without DKIM signing configured, multiple SPF records, SPF exceeding 10 DNS lookups, or wrong From: domain. Fix the alignment issue, monitor via aggregate reports, then graduate from p=none to p=reject incrementally.
What DMARC checks
DMARC passes if either SPF or DKIM passes and is aligned with the From: header domain. DMARC fails only when neither mechanism produces an aligned pass.
- SPF alignment: SMTP envelope MAIL FROM domain must match the From: header domain (relaxed = organisational domain match; strict = exact match)
- DKIM alignment: The d= domain in the DKIM signature must match the From: header domain
Common failure causes and fixes
1. Third-party sender without DKIM
Symptom: Reports show SPF passing on the ESP domain and DKIM failing. DMARC fails because the SPF pass belongs to the ESP's MAIL FROM domain, which does not align with your From: domain.
Fix: Configure DKIM signing using your domain in the ESP dashboard. NexusProMail provides a DKIM CNAME record you add to your DNS — once added, all sends from NexusProMail are DKIM-signed with your domain.
2. Multiple SPF records (PermError)
Symptom: SPF always fails with PermError. DMARC fails on SPF.
Fix: You can only have one SPF TXT record per domain. Merge all includes into one:
# Wrong — two separate records
v=spf1 include:esp1.com ~all
v=spf1 include:esp2.com ~all
# Correct — one merged record
v=spf1 include:esp1.com include:esp2.com ~all
3. SPF exceeds 10 DNS lookups
Symptom: SPF returns PermError about too many lookups.
Fix: Each include:, a:, and mx: counts as a lookup. Audit and remove unused includes, or use SPF flattening to resolve includes to IPs at publish time.
4. Forwarded email failing DMARC
Symptom: Legitimate forwarded email (mailing lists, aliases) fails DMARC.
Fix: Forwarding breaks SPF (changes sending IP) and sometimes breaks DKIM (modifies body). Use relaxed DKIM alignment (adkim=r). Consider that some forwarded email will always fail — this is a known DMARC limitation, not a configuration error on your part.
5. Subdomain From: with strict alignment
Symptom: Email from mail.yourdomain.com fails DMARC when policy is on yourdomain.com with strict alignment.
Fix: Use relaxed alignment (adkim=r, aspf=r) which allows subdomain matches, or add a separate DMARC record for the subdomain.
Reading aggregate reports (RUA)
Receiving mail servers send daily XML aggregate reports to your rua= address. They are not human-readable — use a parser:
- Google Postmaster Tools — free, Gmail-specific authentication data
- dmarcian — parses aggregate reports, free tier available
- MXToolbox DMARC analyser — quick syntax checks
Key fields in each report row:
- source_ip — who sent this email
- count — how many messages from this source
- disposition — what happened (none/quarantine/reject)
- dkim/spf — pass or fail per mechanism
- header_from — the From: domain
Unexpected source IPs in your report mean one of two things: a third-party sender you have not yet configured, or someone spoofing your domain.
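As an added example (not code from the original page or from NexusProMail), a small Python parser that reads a constructed aggregate report, pulls out the fields above, recomputes SPF and DKIM alignment from the published adkim/aspf modes, and flags sources that are neither known nor passing. The organisational-domain check is approximated as the last two DNS labels, which is an assumption; a production parser would consult the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample RUA report (not a real one), trimmed to the fields this page lists.
# Record 1: DKIM aligned, SPF unaligned under strict aspf (subdomain MAIL FROM) -> DMARC pass.
# Record 2: an ESP signing and sending as its own domain -> nothing aligned -> DMARC fail.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>s</aspf></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>mail.yourdomain.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim>
   <spf><domain>esp.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def org_domain(domain):
    """Organisational domain, approximated as the last two labels (assumption: no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') an organisational-domain match."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def parse_rua(xml_text, known_ips):
    """One summary dict per <record>, with alignment recomputed from auth_results and
    sources flagged as unexpected when they are not in known_ips and did not pass DMARC."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim, aspf = pol.findtext("adkim", "r"), pol.findtext("aspf", "r")
    rows = []
    for rec in root.findall("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        header_from = rec.findtext("identifiers/header_from")
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), header_from, adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), header_from, aspf)
                     for s in rec.findall("auth_results/spf"))
        ip = row.findtext("source_ip")
        rows.append({"source_ip": ip, "count": int(row.findtext("count")),
                     "disposition": ev.findtext("disposition"), "dkim": ev.findtext("dkim"),
                     "spf": ev.findtext("spf"), "header_from": header_from,
                     "dmarc_pass": dkim_ok or spf_ok,
                     "unexpected": ip not in known_ips and not (dkim_ok or spf_ok)})
    return rows
```

Running parse_rua(SAMPLE_RUA, {"203.0.113.10"}) returns two rows: the first passes DMARC on aligned DKIM despite the strict-SPF miss, the second is flagged as an unexpected, non-passing source.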
Graduating from p=none to p=reject safely
- p=none (2-4 weeks) — monitoring only. Set up RUA. Collect reports. Identify all legitimate senders. Fix every DMARC failure.
- p=quarantine (2-4 weeks) — failing email goes to spam. Monitor for unexpected failures. Fix remaining issues. Use pct= to apply gradually: p=quarantine; pct=10
- p=reject — only when reports show near-100% pass rates for legitimate senders. Failing email is blocked at the receiving server.
Diagnostic commands
# Check DMARC record is present
dig TXT _dmarc.yourdomain.com
# Check DKIM record
dig TXT selector._domainkey.yourdomain.com
# Check SPF record
dig TXT yourdomain.com | grep spf
For the full authentication setup process, see the DMARC, DKIM, SPF setup guide. For ongoing deliverability monitoring after authentication is configured, see how to monitor email deliverability and the email deliverability guide.