Common authentication failures
Email authentication breaks in predictable ways. An SPF record hits its lookup limit. A mailing list rewrites your message body and invalidates the DKIM signature. A subdomain sends mail without its own DMARC record, and alignment fails silently.
These guides walk through each failure category with the exact symptoms you will see in your DMARC aggregate reports, the diagnostic commands to pinpoint the cause, and tested fixes you can apply right now. Every guide follows the same structure: symptom, diagnosis, solution, prevention.
SPF errors
Diagnose and fix SPF record problems including the 10 DNS lookup limit, permerror, softfail vs fail, void lookups, and syntax errors. Includes dig and nslookup commands.
Read guide
DKIM failures
Resolve DKIM verification failures caused by message modification in transit, expired signatures, wrong selectors, short RSA keys, and key rotation mistakes.
Read guide
DMARC alignment issues
Fix DMARC alignment failures between the visible From header and SPF/DKIM identifiers. Covers relaxed vs strict mode, subdomain policies, and RFC 5321 vs 5322 addresses.
Read guide
Email forwarding, mailing lists, and ARC
Understand why email forwarding breaks SPF and mailing lists break DKIM. Learn how ARC (RFC 8617) preserves authentication results across intermediaries.
Read guide
DMARC policy migration
Step-by-step guide to tightening your DMARC policy. Learn how long to stay at each stage, how to read aggregate reports, and how to roll back safely if something breaks.
Read guide
MTA-STS policy fetch failures
Fix the most common MTA-STS error. Diagnose sts-policy-fetch-error from TLS-RPT reports caused by wrong paths, HTTP redirects, Cloudflare blocking, GitHub Pages 404, and expired certificates.
Read guide
MTA-STS MX and certificate mismatches
Fix mx-mismatch and certificate-host-mismatch errors in TLS-RPT reports. Covers Microsoft 365 wildcard patterns, Google Workspace dual MX families, incomplete certificate chains, and backup MX servers missing STARTTLS.
Read guide
MTA-STS enforce mode
Avoid breaking inbound email when enabling MTA-STS enforce mode. Covers the three-point sync rule, emergency rollback procedure, max_age cache traps, policy ID versioning, and Microsoft NDR error codes.
Read guide
TLS-RPT reports
Understand TLS-RPT (RFC 8460) reports. Fix missing reports, decode failure types like certificate-expired and sts-policy-fetch-error, learn which providers send reports, and avoid common misunderstandings.
Read guide
How to use these guides
Each guide is structured for fast, practical troubleshooting:
- Symptom. What you see in your DMARC aggregate reports, email headers, or bounce logs.
- Diagnosis. The specific DNS queries and header inspections to identify the root cause.
- Solution. Step-by-step instructions to fix the problem, with copy-paste DNS records and commands.
- Prevention. Monitoring and configuration practices to stop the issue from recurring.
Before you start
You will need access to your DNS provider and your DMARC aggregate reports. If you do not have a DMARC monitoring tool yet, create a free DMARCTrust account to start receiving reports within 24 to 48 hours.
For diagnostic commands in these guides, we use dig (Linux/macOS) and nslookup (Windows). Both are available by default on most systems. You can also use our free DMARC checker for a quick visual overview of your domain's authentication status.