Introduction
DMARC starts rejecting legitimate mail after a provider switch when the domain moved faster than the authentication setup. Messages may still leave the new platform, but SPF or DKIM alignment no longer matches the domain policy. This happens a lot during staged migrations where one mailbox, app, or relay still sends through the old provider. The fix is to identify every real sender and bring SPF, DKIM, and DMARC alignment back into the same state before treating the cutover as finished.
Symptoms
- Legitimate mail begins failing with dmarc=fail after an email-provider change
- Some messages deliver while others bounce or land in spam
- DMARC aggregate reports show failures from known business systems
- A strict quarantine or reject policy started causing visible mail loss after cutover
- One provider dashboard looks healthy, but real delivery from forms or apps still breaks
Common Causes
- SPF no longer authorizes the provider or relay that is actually sending mail
- DKIM passes on one sender path but fails on another after the migration
- Old systems, apps, or marketing tools still send through the previous provider
- The DMARC policy remained too strict while the provider switch was still incomplete
- Return-path, From domain, or signing domain alignment changed during the cutover
Step-by-Step Fix
- Review headers from real failed messages so you can see which sender path produced the DMARC failure and whether SPF, DKIM, or both are misaligned.
- Inventory every active sending source for the domain, including mailbox users, websites, forms, CRM tools, and transactional mail services.
- Compare the live SPF record with the providers and relays that still send mail on behalf of the domain.
- Verify DKIM selectors and signatures for each active provider so the signed domain aligns with the mail users actually receive.
- Check whether any business system still routes through the old provider even though the main mailbox cutover is complete.
- Temporarily relax the DMARC policy only if needed to protect delivery while you finish aligning the remaining senders.
- Retest each important mail path with fresh messages instead of assuming one successful mailbox test covers forms, plugins, and external platforms.
- Monitor DMARC aggregate reports and bounce logs after the fix so you can confirm failure volume actually drops.
- Keep a sender inventory and change checklist so the next provider switch does not leave DMARC protecting the wrong mail path.
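
The header review in the first step can be scripted. The following is an added example, not part of the original article: it reads the Authentication-Results header of a failed message and reports, per sender path, whether the SPF and DKIM domains pass and align with the From domain under relaxed alignment (the DMARC default). The sample message and all domain names are constructed, and the organizational domain is approximated as the last two labels, which is an assumption that does not hold for suffixes such as co.uk.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a web form still relaying through the old provider.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@mail.oldprovider.example;
 dkim=pass header.d=oldprovider.example header.s=s1;
 dkim=fail header.d=example.com header.s=new2024;
 dmarc=fail header.from=example.com
From: Sales <sales@example.com>
Subject: test

body
"""

def org_domain(domain):
    # Assumption: last two labels. A real evaluator uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

def diagnose(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    findings = {"from": from_domain, "spf": [], "dkim": []}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";"):
            m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
            if not m:
                continue
            method, result = m.groups()
            key = "smtp.mailfrom" if method == "spf" else "header.d"
            d = re.search(re.escape(key) + r"=(\S+)", clause)
            domain = d.group(1).rpartition("@")[2] if d else ""
            # A mechanism only counts for DMARC if it passes AND aligns.
            ok = result == "pass" and bool(domain) and aligned(domain, from_domain)
            findings[method].append((domain, result, ok))
    findings["dmarc_pass"] = any(ok for k in ("spf", "dkim") for _, _, ok in findings[k])
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

In the sample, SPF and one DKIM signature pass but belong to the old provider's domain, so neither aligns, while the signature for the From domain itself fails. Run it only on the Authentication-Results header added by your own receiving server, since copies of that header inserted upstream are not trustworthy.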