DMARC Errors and Fixes: Alignment, Reporting, Policy Issues

June 20, 2026 • InboxGreenEmail Team

DMARC controls what happens when SPF or DKIM fail.

Without a DMARC record your domain is open to spoofing and forged-sender abuse. Run the scan to check your current policy.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

DMARC is the protocol that ties SPF and DKIM together and tells receivers what to do when neither passes. When DMARC fails, the consequences range from spam folder placement to outright rejection. Most problems come from alignment issues, syntax mistakes, or misreading what DMARC reports are actually telling you.

Check your DMARC record first: use the DMARC Lookup tool to see what is published, or run the full InboxGreen.email check to see SPF, DKIM, and DMARC together.

INBOXGREEN RESEARCH · JUNE 2026 · 186 DOMAINS SCANNED

15.1%

stuck at p=none
(monitoring only)

3.2%

no DMARC record
at all

Combined, nearly 1 in 5 domains had weak or missing DMARC enforcement. A domain at p=none is monitored but not protected. A domain with no record is fully exposed to spoofing. Full report.

ProblemWhat you seeWhere to start
Alignment failureDMARC fail despite SPF/DKIM passSet up DKIM with your own domain at your ESP
No aggregate reportsEmpty rua= inboxVerify the address, check cross-domain auth
Syntax errorPermError, policy not appliedDMARC Lookup to validate syntax
Jumped to p=reject too fastLegitimate mail bouncingRoll back to p=quarantine, fix alignment first
DMARC passes, still in spamSpam folder despite passFull check -- reputation, not auth

1. DMARC fails even though SPF and DKIM both pass

This is the most common and most misunderstood DMARC problem. SPF passing and DKIM passing are not the same as DMARC passing. DMARC requires alignment.

Alignment means:

  • SPF alignment: the domain in the envelope sender (the Return-Path: address) must match the From: domain
  • DKIM alignment: the domain in the DKIM d= tag must match the From: domain

DMARC only requires one to align. If DKIM alignment passes, DMARC passes even if SPF alignment fails (and vice versa).

The typical scenario: you send through an ESP. SPF passes because the ESP's IP is covered by their own SPF record. DKIM passes because the ESP signs the message. But the ESP signed with d=mailgunapp.com, and your From: is [email protected]. DKIM passes, alignment fails.

DMARC ALIGNMENT IN EMAIL HEADERS  ·  Gmail: More → Show original

DMARC FAIL (d= tag doesn't match From: domain)

From: hello@yourdomain.com
DKIM-Signature: d=mailgunapp.com; ...
Authentication-Results: mx.google.com;
  dkim=pass header.i=@mailgunapp.com;
  dmarc=fail (p=REJECT) header.from=yourdomain.com

DMARC PASS (d= tag matches From: domain)

From: hello@yourdomain.com
DKIM-Signature: d=yourdomain.com; ...
Authentication-Results: mx.google.com;
  dkim=pass header.i=@yourdomain.com;
  dmarc=pass (p=REJECT) header.from=yourdomain.com

Fix: Configure custom domain sending at your ESP so messages are signed with d=yourdomain.com. This is standard practice at every major ESP. See the Email Authentication Guides for provider-specific steps.

For email forwarding scenarios: SPF alignment breaks when a message is forwarded (the envelope sender changes). DKIM alignment survives forwarding as long as the body is not modified. If you have users who forward mail, DKIM alignment is what keeps DMARC passing for them.

2. No DMARC aggregate reports arriving

DMARC aggregate reports (rua=) should start arriving within 24 to 48 hours of publishing your DMARC record. If you are not receiving them, check these in order:

The rua= address is wrong or unreachable:

The address in rua=mailto:[email protected] must be a working mailbox. Test it by sending a message to that address manually.

Cross-domain reporting authorization is missing:

If your rua= address is at a different domain than the one you are monitoring (for example, monitoring yourdomain.com but sending reports to [email protected]), the reporting domain must publish a special TXT record authorizing this: 

yourdomain.com._report._dmarc.reportingservice.com  IN TXT  "v=DMARC1"

Without this record, Gmail and others will refuse to send reports to third-party addresses.

Receiving volume is too low:

Major providers only send DMARC reports if they processed a meaningful volume of messages from your domain during the reporting period. New senders or domains with low volume may not get reports for several days.

Reports go to spam:

Check the spam folder on the rua= mailbox. DMARC reports arrive as XML attachments from [email protected], [email protected], and others.

3. DMARC PermError (syntax error in the record)

A DMARC record with a syntax error causes receivers to return PermError, which is treated as a missing DMARC record. The policy is not applied. Common syntax mistakes:

  • Missing v=DMARC1 as the first tag
  • Using the wrong separator: DMARC tags are separated by semicolons (;), not commas or spaces
  • Invalid tag values: p=reject; is correct, p=REJECT; is also accepted, but p=rejected; is not
  • Two DMARC TXT records on the same _dmarc subdomain (only one is allowed)
  • Spaces inside tag values where they are not allowed

BROKEN — syntax errors

v=DMARC1, p=none, rua=mailto:[email protected]

Wrong separator (comma instead of semicolon) → PermError, policy not applied

CORRECT — valid minimal record

v=DMARC1; p=none; rua=mailto:[email protected];

Semicolons as separators, v=DMARC1 first → parsed correctly

Check your syntax with the DMARC Lookup tool. It will show you the parsed tags if the record is valid, or an error if it is not.

4. Moving from p=none to p=quarantine to p=reject

The policy value in your DMARC record controls what happens to messages that fail alignment:

p=none

MONITOR ONLY

v=DMARC1; p=none;
rua=mailto:[email protected];
  • Failing mail: delivered normally
  • Aggregate reports: sent to rua=
  • Protection: none

Start here. Collect reports for 2-4 weeks before moving forward.

p=quarantine

SPAM FOLDER

v=DMARC1; p=quarantine; pct=10;
rua=mailto:[email protected];
  • Failing mail: sent to spam
  • pct=10 to roll out gradually
  • Protection: partial

Move here once reports show all legitimate sources aligned.

p=reject

BLOCKED AT SMTP

v=DMARC1; p=reject; pct=100;
rua=mailto:[email protected];
  • Failing mail: refused outright
  • Full spoofing protection
  • Protection: maximum

Final goal. Only move here when all sources pass alignment.

Moving too fast to p=reject is the most common self-inflicted DMARC problem. If any legitimate sending source is not properly authenticated, those messages start bouncing with no warning to recipients.

The safe progression:

  1. Start at p=none with a rua= address. Wait at least two weeks. Review the aggregate reports to see which sources are sending on behalf of your domain and whether they pass alignment.
  2. Fix alignment issues for every legitimate source. DKIM alignment at your ESP, SPF records for bulk senders, CNAME records for marketing tools. Do not move forward until aggregate reports show close to 100% alignment for all legitimate sources.
  3. Move to p=quarantine with pct=10 first. Monitor for a week. Increase gradually.
  4. Move to p=reject only when you are confident every legitimate sending source is aligned. Set pct=100 at this stage.

Google and Yahoo now require at least p=none for bulk senders. p=reject is the long-term goal for most domains.

5. DMARC passes but emails still go to spam

DMARC passing means your authentication is in order. It does not guarantee inbox placement. Spam filters use dozens of signals beyond authentication:

  • Sender reputation: how Gmail and Outlook score your domain based on past complaints, bounce rates, and engagement
  • IP reputation: shared IPs at ESPs inherit reputation from other senders on the same pool
  • Engagement history: low open rates and high delete rates train filters to route you to spam
  • List quality: sending to invalid addresses or unengaged contacts increases bounce rate and complaint rate
  • Content signals: certain phrases, excessive images, broken HTML, and URL patterns increase spam scoring

Authentication (SPF, DKIM, DMARC) is the baseline. It prevents your domain from being spoofed and establishes accountability. Inbox placement on top of that comes from reputation and engagement.

Run the full deliverability check to see your complete authentication status, then work through the reputation and content signals from there.

DMARC Tools

DMARC Lookup

See your live DMARC record, validate syntax, and check policy and reporting settings.

DMARC Generator

Build a valid DMARC record with the right policy, pct, and rua settings for your stage.

DMARC Analyzer

Analyze a DMARC record string to understand what each tag does and catch errors.

DMARC Policy Tester

Test how your current DMARC policy would treat a specific email scenario.

Related Guides

SPF Errors and Fixes

PermError, multiple records, softfail vs hardfail, and SPF alignment.

DKIM Errors and Fixes

Selector not found, body hash mismatch, key length, and DKIM alignment.

Provider Setup Guides

Complete SPF, DKIM, and DMARC setup for Google Workspace, Microsoft 365, SendGrid, and more.

DMARC failing or stuck at p=none? Ready to fix it?

The FixKit includes a step-by-step DMARC progression guide: from publishing your first record to reaching p=reject safely, with alignment fixes for every major ESP.

Get the FixKit Run the Free Check

Common Questions About DMARC

Why does DMARC fail when SPF and DKIM both pass?

DMARC requires alignment, not just a pass. SPF alignment means the envelope sender domain must match your From: domain. DKIM alignment means the d= tag must match your From: domain. If your ESP uses its own domain for either, the pass does not count for DMARC. Set up custom domain authentication at your ESP so DKIM is signed with your own domain.

Why am I not receiving DMARC aggregate reports?

The most common reasons: the rua= address is unreachable, the reporting domain requires cross-domain authorization (a _dmarc TXT record at the reporting address's domain), your sending volume is too low for major providers to bother, or reports are landing in spam. Check all four before assuming the record is misconfigured.

How long should I stay at p=none before moving to p=quarantine?

At least two weeks, ideally four. You need enough aggregate reports to see every source sending email on behalf of your domain. Review the reports to confirm that all legitimate sources pass SPF or DKIM alignment before tightening the policy. Moving too fast to p=reject is the most common self-inflicted DMARC problem.

What does DMARC PermError mean?

PermError means the DMARC record has a syntax error and receivers cannot parse it. The policy is not applied at all. Common causes: missing v=DMARC1 as the first tag, wrong separator (comma instead of semicolon), or two DMARC records on the same _dmarc subdomain. Use the DMARC Lookup tool to validate syntax.

Do I need both SPF and DKIM to pass DMARC?

No. DMARC only requires one to align. If DKIM alignment passes, DMARC passes even if SPF alignment fails. In practice, setting up both is still important: SPF protects against unauthorized senders on your domain, and DKIM provides authentication that survives forwarding (where SPF alignment always breaks).

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.