Troubleshoot DMARC issues

Follow the troubleshooting steps in this article if messages from your domain are:

  • Failing DMARC
  • Rejected by receiving servers
  • Sent to recipients’ spam folders

First, verify your DMARC configuration. If your DMARC record seems to be correctly configured, continue to the troubleshooting methods in this article.

Verify messages pass authentication

Make sure SPF and DKIM are enabled for your domain

Make sure you've enabled SPF and DKIM for your domain. SPF and DKIM should be enabled for at least 48 hours before enabling DMARC. Read detailed steps in Help prevent spoofing, phishing & spam.

If you don't set up SPF and DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues.

Check message headers

Email message headers contain the results for SPF, DKIM, and DMARC authentication checks. To check if messages from your domain are passing authentication checks:

Verify messages pass all three authentication checks: SPF, DKIM, and DMARC.

Check DMARC reports

To verify that messages pass all three authentication checks: SPF, DKIM, and DMARC, check your DMARC reports or DMARC report analysis from your third-party service.

Check your mail sending practices

If your DMARC policy has enforcement set to none and messages are sent to spam, the cause might be something other than your DMARC record.

Make sure you're following the recommended guidelines for sending mail to Gmail users, especially if you send a lot of mail.

Get more information with Email Log Search

For messages sent through G Suite, find out more information about a specific message in Email Log Search.

Search for a specific message using the Sender IP address. Then review Email Log Search result details to read Message details, Post-delivery message details, and Recipient details.

Recommended troubleshooting steps

Problem description Possible causes Troubleshooting steps
Message failed DKIM authentication This message failed the DKIM check. Check if messages sent from other allowed sources in your domain are also failing DKIM. This helps you understand if it’s just one message from one source, or if multiple sources are affected.
The message was modified during transit or after the DKIM signature was added to the message. Find out if the message was routed through another server, where it might have been modified. Ask the administrator of the server to not modify messages, which can cause DKIM to fail.
There's a problem with your DNS DKIM record. Verify the DKIM key is published with the G Suite Toolbox. Enter your domain in the Check MX page.
There's a problem with the DKIM key.

Verify your published DKIM record. For messages sent from G Suite, this should be the key you set up for DKIM.

For messages sent by a third-party service, check the third-party documentation for steps to verify the DKIM key.

Message failed SPF authentication. This message failed the SPF check. Check if messages sent from other allowed sources in your domain are also failing SPF. This helps you understand if it’s just one message from one source, or if multiple sources are affected.
The message was sent by a server that's not in your SPF record.

Check your SPF record to make sure it includes all IP addresses and domains that are allowed to send mail for your domain. Messages sent from servers not in your SPF record can fail authentication.

Get a list of all IP addresses and domains in your SPF record with the G Suite Toolbox. Enter your domain in the Check MX page, then check Effective SPF Address Ranges.

There's a problem with your DNS SPF record. Verify your SPF record with the G Suite Toolbox. Enter your domain in the Check MX page.
Message failed DMARC authentication. This message failed the DMARC check. Check if messages sent from other allowed sources in your domain are also failing DMARC. This helps you understand if it’s just one message from one source, or if multiple sources are affected
The message fails other authentication checks. Verify that the message passes either SPF or DKIM checks.
The message header isn’t aligned.

Verify the authentication method (SPF or DKIM) is aligned with the header From: address.

Learn more about DMARC alignment.

There's a problem with your DMARC SPF record. Verify your DMARC record with the G Suite Toolbox. Enter your domain in the Check MX page.
Was this helpful?
How can we improve it?