How to Fix DMARC Not Working
If DMARC is not working, the problem is usually not DMARC alone.
It is often a mismatch between SPF, DKIM, DNS records, or email alignment that prevents authentication from passing.
This guide explains how to fix DMARC not working by tracing the full email authentication path, identifying the most common configuration errors, and confirming that your records are behaving as expected.
What DMARC actually checks
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, sits on top of SPF and DKIM.
It tells receiving mail servers whether to trust a message based on two things: authentication results and domain alignment.
- SPF verifies whether the sending server is allowed to send mail for the domain in the envelope-from address.
- DKIM verifies whether the message was signed by an authorized domain and whether it was altered in transit.
- DMARC alignment checks whether the visible From domain matches the authenticated domain used by SPF or DKIM.
If SPF passes but alignment fails, or DKIM passes but the signing domain does not align, DMARC can still fail.
That is why fixing DMARC usually means fixing the setup around it.
Check whether DMARC is published correctly
The first step in how to fix DMARC not working is confirming that a valid DMARC record exists in DNS.
It must be published at _dmarc.yourdomain.com as a TXT record.
A basic DMARC record often looks like this:
v=DMARC1; p=none; rua=mailto:[email protected]
Common publishing mistakes include:
- Putting the record on the wrong hostname
- Using an invalid TXT value format
- Creating multiple DMARC records for the same domain
- Leaving out the required
v=DMARC1tag - Typing the policy as
rejectorquarantineincorrectly
Use a DNS lookup tool or your domain registrar’s DNS management panel to verify that the record exists and resolves publicly.
If the record is missing, malformed, or duplicated, DMARC processing may fail or become unpredictable.
Verify SPF is passing and aligned
SPF problems are one of the most common reasons DMARC appears broken.
Even if SPF passes, DMARC will still fail if the domain used for SPF does not align with the domain in the message’s From header.
To troubleshoot SPF:
- Confirm the domain has a single SPF TXT record.
- Check that all legitimate sending services are included, such as Microsoft 365, Google Workspace, Mailchimp, SendGrid, or your transactional email provider.
- Review whether the domain in the Return-Path or envelope-from matches the visible From domain closely enough for DMARC alignment.
SPF breaks frequently when organizations add too many third-party senders and exceed the DNS lookup limit of 10.
If that happens, receivers may treat SPF as a permerror or fail the record entirely.
Flattening the SPF record, removing unused senders, or using subdomains for different mail streams can resolve the issue.
Confirm DKIM signing is enabled and valid
DKIM is often the fastest way to get DMARC working because it can survive forwarding better than SPF.
But DKIM must be configured correctly in the sending platform and published in DNS.
Check the following:
- The email service is actually signing outgoing messages with DKIM
- The public DKIM key exists in DNS for the selector being used
- The selector name in DNS matches the selector in the message headers
- The DKIM signature has not been broken by a mail gateway, footer tool, or content filter
If your outgoing mail is routed through multiple platforms, make sure each platform signs with its own authorized DKIM key or is otherwise covered by a validated configuration.
Many DMARC failures happen because one sender is configured, but another hidden system sends messages without signing them.
Make sure alignment is configured correctly
Alignment is the part of DMARC that trips up many otherwise correct setups.
A message can pass SPF or DKIM and still fail DMARC if the authenticated domain is not aligned with the domain in the From header.
There are two alignment modes:
- Relaxed alignment allows organizational-domain matches, such as
mail.example.comaligning withexample.com - Strict alignment requires an exact domain match
Most organizations use relaxed alignment because it is easier to maintain across email providers and subdomains.
If your DMARC record uses strict alignment unintentionally, switching to relaxed alignment can immediately solve failures without lowering security significantly.
Inspect message headers for the real failure point
When DMARC is not working, raw email headers usually reveal the exact cause.
Look for authentication results such as spf=pass, dkim=pass, and dmarc=fail.
Key headers to review include:
- Authentication-Results for SPF, DKIM, and DMARC verdicts
- From for the visible sender domain
- Return-Path for the SPF envelope domain
- DKIM-Signature for the signing domain and selector
Compare the authenticated domains against the visible sender domain.
If the mail is coming from a third-party platform, such as Salesforce, HubSpot, Zendesk, Amazon SES, or a help desk tool, alignment may require custom domain configuration inside that service.
Review third-party senders and forwarding systems
Business email rarely comes from one system anymore.
Marketing platforms, CRMs, support desks, payroll tools, and notification systems all send messages on behalf of your domain.
Any one of them can break DMARC.
Pay special attention to:
- Marketing email services that use shared or misconfigured return-path domains
- Forwarding services that alter SPF outcomes
- Mailing lists that rewrite headers or modify content
- Applications sending through unauthenticated SMTP relays
If forwarded mail is failing DMARC, the original SPF result may no longer be valid because the forwarding server changed the path.
In these cases, DKIM usually becomes the more reliable authentication method, provided the message content remains unchanged.
Use DMARC reports to find patterns
Aggregate DMARC reports, sent to the address in the rua tag, show which senders are passing or failing authentication.
They are essential for diagnosing why DMARC is not working across your mail ecosystem.
Look for recurring patterns such as:
- An unknown sending IP address
- One vendor failing SPF while another passes DKIM
- A subdomain sending without a matching policy
- Large spikes in failure after a platform migration
DMARC reports are XML files, so many organizations use a DMARC reporting platform or analyzer to make them readable.
These tools can help map IPs, domains, selectors, and volume trends to specific sending systems.
Watch for policy and enforcement issues
Sometimes DMARC is technically working, but the policy is not doing what you expect.
A policy of none only reports; it does not block.
A policy of quarantine may send messages to spam, while reject tells receivers to refuse delivery.
If you recently changed policy and mail stopped arriving, verify whether the issue is authentication failure or policy enforcement.
A domain can have a valid DMARC record and still experience delivery problems if legitimate mail is failing under a stricter policy.
Move gradually:
- Start with
p=nonewhile monitoring reports - Fix all legitimate senders
- Shift to
p=quarantineif needed - Move to
p=rejectonly when confident in coverage
Test with a DMARC checker and live mail delivery
After making changes, test from multiple sources and inspect the results in a DMARC checker, mailbox headers, and report data.
Send mail from your main domain, subdomains, and all major third-party systems.
Validation should confirm:
- The DMARC TXT record resolves correctly
- SPF passes for approved senders
- DKIM passes and aligns
- DMARC returns a pass for normal delivery paths
- Forwarded or list-delivered mail behaves as expected
Testing is important because a fix in one system can expose another misconfigured sender.
Many teams only discover the next failure after they resolve the first.
Common reasons DMARC still fails after fixes
If you have already updated SPF, DKIM, and DNS but DMARC is still not working, the remaining issues are usually operational rather than technical.
- Old DNS caches have not fully expired
- A vendor changed its sending infrastructure without notice
- A subdomain is being used without a separate authentication plan
- Multiple departments are sending mail outside approved systems
- A signature is being altered by content rewriting or security filtering
In larger organizations, email authentication is a governance issue as much as a DNS issue.
A complete sender inventory is often the difference between persistent DMARC failures and a stable setup.
What a healthy DMARC deployment looks like
A working DMARC setup usually has one published DMARC record, at least one authenticated and aligned sending path, active monitoring through aggregate reports, and clearly documented ownership for every mail source.
Once those pieces are in place, DMARC becomes much easier to maintain and scale.
Organizations that keep DMARC healthy also standardize subdomain usage, review vendor onboarding carefully, and periodically audit SPF and DKIM records to prevent drift as tools change.