DMARC Failures: Causes, Diagnostics, and Fixes That Actually Work
A DMARC failure does not always mean you are under attack. More often it means a DNS typo, a forgotten SaaS sender, or SPF lookup exhaustion. The fix is systematic: read reports, map senders, then enforce.
What a DMARC failure looks like
Receivers evaluate the From domain against SPF and DKIM. If neither aligns (and policy is quarantine/reject), the message is filtered or refused. Aggregate reports to your rua address show which IPs and services failed.
Top causes on Workspace domains
- Broken DMARC syntax — missing
v=DMARC1, bad semicolons, or the record on the wrong host (must be_dmarc.domain.com). - Multiple SPF records — DNS returns two TXT SPF strings; receivers treat that as fail.
- SPF too many lookups — more than 10 mechanisms that require DNS.
- Unauthorized tools — billing, CRM, or support apps sending as your domain without SPF/DKIM.
- Forwarding — some forwarders break SPF; DKIM alignment becomes critical.
Diagnostic workflow (30 minutes)
- Confirm one SPF, one DMARC, and a valid DKIM TXT with a DNS lookup tool.
- Send a test to Gmail → open “Show original” → check SPF/DKIM/DMARC lines.
- Open a week of aggregate reports (or a DMARC analyzer) and list every source IP.
- For each unknown source: authorize it properly or stop it from using your From domain.
Fix order that avoids outages
- Keep
p=noneuntil unknown sources are gone. - Add missing includes or DKIM for approved vendors.
- Move to
quarantinewith a percentage ramp. - Finish at
rejectonce reports are clean for 7–14 days.
Prevention with MailJuke
Most DMARC pain starts at domain launch. MailJuke’s domain + Workspace flow publishes authentication records up front so you are not reverse-engineering failures after customers complain that invoices vanished into spam.