Introduction

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving mail servers what to do when an email fails SPF or DKIM alignment. With p=quarantine, failing emails are placed in the spam folder. If legitimate emails are failing alignment -- due to forwarding, third-party senders not being included in SPF, or DKIM signature issues -- they end up in the spam folder, reducing email effectiveness.

Symptoms

  • Legitimate emails from your domain arrive in recipients' spam folders
  • DMARC aggregate reports show high failure rates for legitimate senders
  • Emails sent through marketing platforms (Mailchimp, SendGrid) are quarantined
  • Forwarded emails fail DMARC because forwarding breaks SPF alignment
  • Error message: dmarc=fail (p=quarantine dis=QUARANTINE) in email headers

Common Causes

  • Third-party email service not included in the domain's SPF record
  • DKIM not configured for the sending domain or service
  • Email forwarding breaking SPF alignment while DKIM is not set up
  • DMARC policy too strict (p=quarantine or p=reject) before all senders are aligned
  • Subdomain DMARC policy inheriting a strict policy from the parent domain

Step-by-Step Fix

  1. Review DMARC aggregate reports: Identify which senders are failing.

     ```bash
     # Check DMARC reports (received via email as XML)
     # Or use a DMARC report analyzer:
     # https://dmarcian.com/dmarc-inspector/
     # Identify failing source IPs and domains
     ```

  2. Add failing senders to the SPF record: Authorize all legitimate senders.

     ```dns
     # Update SPF record to include all sending services
     "v=spf1 ip4:123.45.67.89 include:_spf.google.com include:sendgrid.net include:mailchimp.com ~all"
     ```

  3. Configure DKIM for all sending services: Ensure all emails are signed.

     ```
     # For each sending service:
     # 1. Generate DKIM key pair
     # 2. Publish public key as DNS TXT record
     # 3. Configure the service to sign emails with the private key
     # 4. Verify DKIM passes using email header inspection
     ```

  4. Temporarily relax the DMARC policy: Reduce impact while fixing alignment.

     ```dns
     # Change from quarantine to none temporarily
     "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com"
     # After all senders are aligned, change back to:
     # "v=DMARC1; p=quarantine; ..."
     ```

  5. Verify emails pass DMARC after fixes: Test end-to-end.

     ```bash
     # Send test emails through each sending service
     # Check headers for SPF pass, DKIM pass, and DMARC pass
     # Use: https://www.mail-tester.com/
     ```
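
The report review in step 1, and the re-check in step 5, can be scripted. The following is an added example, not part of the original page: it reads one aggregate report and lists only the sources that failed DMARC, with a likely cause for each. The function name `failing_sources` and the sample report are constructed for illustration, and the code assumes a report without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs and domains).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.7</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def failing_sources(report_xml):
    """Return (source_ip, message_count, likely_cause) for DMARC failures, largest first."""
    # Reports come from external receivers: treat them as untrusted input
    # (hardened XML parser, size limits) before running this in production.
    totals = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None or "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue  # DMARC passes when either aligned check passes
        spf = rec.find("auth_results/spf")
        if spf is not None and spf.findtext("result") == "pass":
            cause = "SPF passes for %s, not aligned with From" % spf.findtext("domain")
        else:
            cause = "IP not authorized by SPF"
        if rec.find("auth_results/dkim") is None:
            cause += "; no DKIM signature"
        else:
            cause += "; DKIM failed or not aligned"
        key = (rec.findtext("row/source_ip"), cause)
        totals[key] = totals.get(key, 0) + int(rec.findtext("row/count"))
    return sorted(((ip, n, c) for (ip, c), n in totals.items()), key=lambda t: -t[1])

if __name__ == "__main__":
    for ip, count, cause in failing_sources(SAMPLE_REPORT):
        print(f"{ip:<15} {count:>5}  {cause}")
```

In the sample, the forwarded mail from 203.0.113.7 is not listed because its DKIM signature still aligns, while the third-party sender at 198.51.100.25 is flagged as authenticating only its own bounce domain.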

Prevention

  • Audit all email sending services and ensure they are in SPF and have DKIM configured
  • Start with p=none DMARC policy and monitor reports before moving to quarantine
  • Use DMARC reporting tools to continuously monitor alignment across all senders
  • Configure DKIM for all third-party email services before enforcing DMARC
  • Document the DMARC enforcement process with steps for adding new senders
  • Test email deliverability after any DNS record changes affecting SPF, DKIM, or DMARC