Skip to main content
DMARC

DMARC Failure Diagnoser

Seeing DMARC failures in your reports or bounce messages? Enter your domain and get the most likely causes ranked by impact — with the exact fix for each one. Covers missing record, p=none silent failure, SPF misalignment, DKIM gaps, and forwarding-induced breaks.

"DMARC failed" — what just happened?

DMARC failure shows up in three places: aggregate (rua) reports sent daily by every major receiver, forensic (ruf) reports sent on-demand for individual failed messages, and bounce messages with strings like "550 5.7.1 DMARC verification failed" or "550 5.7.15 access denied, sending domain DOMAIN does not pass DMARC verification" (the Microsoft Outlook variant since 5 May 2025).

DMARC fails when neither SPF nor DKIM passes aligned against the From-header domain. The tool above scans your domain's posture and lists the most likely root causes — ranked by impact — so you can act on the most-broken thing first.

The five common causes

  1. No DMARC record at all. Less common in 2026 but still happens. The fix is publishing a starter monitoring policy and waiting 48 hours for reports.
  2. DMARC at p=none, real failures buried in the reports. The most common cause overall. The record exists, the policy is monitoring-only, the failures are silent. Migrate to p=quarantine then p=reject — the p=none Escape Plan walks the migration over 4 weeks with the DNS records at every step.
  3. SPF missing or unaligned. SPF passes for the bounce address but the From header is a different organisational domain. DMARC sees the misalignment and fails. The SPF Checker confirms record presence; the DMARC Report Analyzer shows which specific senders are unaligned.
  4. DKIM missing on a sender. Most DMARC failures we see in the wild are DKIM-unaligned. An ESP added last week was not enrolled with DKIM. Many ESPs publish DKIM via CNAME — the DKIM CNAME Validator walks the chain and verifies the terminal key.
  5. Forwarding broke SPF. Mailing lists and aliases re-emit the message, breaking SPF on the new envelope. DMARC then needs DKIM alone — if DKIM is also broken or unaligned, DMARC fails. The ARC Chain Analyzer shows whether the forwarder preserved authentication state for downstream receivers.

Tools that pair with this one

  • DMARC Report Analyzer — upload an aggregate (rua) XML file and see exactly which senders are failing alignment.
  • Email Header Analyzer — paste the full headers from a failing message and see the SPF, DKIM, and DMARC results the receiver actually computed.
  • DMARC Record Checker — deep inspection of every DMARC tag and what it means.

When the diagnoser cannot help

DNS scans cannot prove DKIM presence (no selector visible) and cannot show actual per-message authentication results. If your DMARC posture looks clean above but the rua reports still show failures, the cause is almost certainly a specific sender — the report analyzer is the next step. If the failures only happen when messages are forwarded, ARC is the diagnostic layer; if they only happen on outbound to Microsoft, the Microsoft 550 5.7.15 Diagnostic drills into Outlook-specific bulk-sender requirements.

Read the complete DMARC guide to learn more.

Related Tools

DMARC DMARC Report Analyzer Upload an aggregate XML to see which specific senders are failing. Email Email Header Analyzer Paste a failing message header to see the SPF/DKIM/DMARC results. Migration p=none Escape Plan Migrate from monitoring to enforcement in a guided 4-week plan.

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.

Start Free