Follow the troubleshooting steps in this article if messages from your domain are:
- Failing DMARC
- Rejected by receiving servers
- Sent to recipients’ spam folders
Important: Organizations that get incoming email can choose to reject or quarantine certain messages, even if those messages pass DMARC checks. Read details in RFC 7489. To help prevent legitimate messages from being sent to spam, email senders should follow our best practices for sending email.
Verify your DMARC record
First, check your DMARC configuration. If your DMARC record appears to be correctly configured, continue to the troubleshooting methods in this article.
Verify messages pass authentication
Make sure SPF and DKIM are enabled for your domain
Make sure you've enabled SPF and DKIM for your domain. SPF and DKIM should be enabled for at least 48 hours before enabling DMARC. To get detailed steps for setting up SPF and DKIM, go to Help prevent spoofing, phishing & spam.
If you don't set up SPF and DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues.
Check message headers
Email message headers contain the results for SPF, DKIM, and DMARC authentication checks. To check if messages from your domain are passing authentication checks:
- Check the headers in a message sent from your domain
- Enter headers from a message sent from your domain into Google Admin Toolbox's Message header tool.
Verify messages pass all three authentication checks: SPF, DKIM, and DMARC.
Check DMARC reports
To verify that messages pass all three authentication checks: SPF, DKIM, and DMARC, check your DMARC reports or DMARC report analysis from your third-party service.
If valid outgoing messages fail DMARC
When an outgoing message from your domain fails DMARC authentication, the person who sent the message might get this error in a bounce message:
"5.7.26" Unauthenticated email from domain-name is not accepted due to domain's DMARC policy. Please contact the administrator of domain-name domain if this was a legitimate mail. Please visit Control unauthenticated mail from your domain to learn about the DMARC initiative.
The DMARC policy for your domain is causing this issue.
Recommended steps:
- Check the SPF and DKIM settings for your domain, and make sure outgoing messages pass SPF and DKIM authentication. To pass DMARC authentication, outgoing messages must pass either SPF or DKIM.
- Check the DMARC policy and alignment settings for your domain. A DMARC policy with strict alignment increases the likelihood that messages are rejected or sent to spam.
- Check your DMARC daily reports to identify which outgoing messages don’t pass SPF, DKIM, or DMARC.
Check your mail sending practices
If your DMARC policy has enforcement set to none and messages are sent to spam, the cause might be something other than your DMARC record.
Make sure you're following the recommended guidelines for sending mail to Gmail users, especially if you send a lot of mail.
Get more information with Email Log Search
For messages sent through Google Workspace, find out more information about a specific message in Email Log Search.
Search for a specific message using the Sender IP address. Then review Email Log Search result details to read Message details, Post-delivery message details, and Recipient details.
Recommended troubleshooting steps
| Problem description | Possible causes | Troubleshooting steps |
| Message failed DKIM authentication | This message failed the DKIM check. | Check if messages sent from other allowed sources in your domain are also failing DKIM. This helps you understand if it’s just one message from one source, or if multiple sources are affected. |
| The message was modified during transit or after the DKIM signature was added to the message. | Find out if the message was routed through another server, where it might have been modified. Ask the administrator of the server to not modify messages, which can cause DKIM to fail. | |
| There's a problem with your DNS DKIM record. | Verify the DKIM key is published with the Google Admin Toolbox. Enter your domain in the Check MX page. | |
| There's a problem with the DKIM key. |
Verify your published DKIM record. For messages sent from Google Workspace, this should be the key you set up for DKIM. For messages sent by a third-party service, check the third-party documentation for steps to verify the DKIM key. |
|
| Message failed SPF authentication. | This message failed the SPF check. | Check if messages sent from other allowed sources in your domain are also failing SPF. This helps you understand if it’s just one message from one source, or if multiple sources are affected. |
| The message was sent by a server that's not in your SPF record. |
Check your SPF record to make sure it includes all IP addresses and domains that are allowed to send mail for your domain. Messages sent from servers not in your SPF record can fail authentication. Get a list of all IP addresses and domains in your SPF record with the Google Admin Toolbox. Enter your domain in the Check MX page, then check Effective SPF Address Ranges. |
|
| There's a problem with your DNS SPF record. | Verify your SPF record with the Google Admin Toolbox. Enter your domain in the Check MX page. | |
| Message failed DMARC authentication. | This message failed the DMARC check. | Check if messages sent from other allowed sources in your domain are also failing DMARC. This helps you understand if it’s just one message from one source, or if multiple sources are affected |
| The message fails other authentication checks. | Verify that the message passes either SPF or DKIM checks. | |
| The message header isn’t aligned. |
Verify the authentication method (SPF or DKIM) is aligned with the header From: address. Learn more about DMARC alignment. |
|
| There's a problem with your DMARC SPF record. | Verify your DMARC record with the Google Admin Toolbox. Enter your domain in the Check MX page. |
