Why is DMARC failing?


Multiple times over the last few weeks folks have posted a screenshot of Google Postmaster tools showing some percentage of mail failing DMARC. They then ask why DMARC is failing. Thanks to how DMARC was designed, they don’t need to ask anyone this, they have all the data they need to work this out themselves.

A screenshot of a DMARC record v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com

The DMARC protocol contains a way to request reports when DMARC authentication fails. There are even two different kinds of reports: aggregate and per-message reports.

The major mailbox providers send aggregate DMARC reports. These reports show a summary of messages received using the domain’s from address and report all authentication failures for those messages. According to the specification aggregate reports should contain the following information:

  • The DMARC policy discovered and applied, if any
  • The selected message disposition
  • The identifier evaluated by SPF and the SPF result, if any
  • The identifier evaluated by DKIM and the DKIM result, if any
  • For both DKIM and SPF, an indication of whether the identifier was in alignment
  • Data for each Domain Owner’s subdomain separately from mail from the sender’s Organizational Domain, even if there is no explicit subdomain policy
  • Sending and receiving domains
  • The policy requested by the Domain Owner and the policy actually applied (if different)
  • The number of successful authentications
  • The counts of messages based on all messages received, even if their delivery is ultimately blocked by other filtering agents

Reports come in XML format, which is very difficult to read without some processing. But, anyone who is publishing DMARC records should have some way to read aggregate reports at a minimum. These are, to my mind, the actual useful piece of the protocol.

The other type of reports are per-message or forensic reports. These reports contain copies of the whole message. Last I heard there weren’t many providers sending forensic reports, which is fine because that has the ability to melt down servers from the sheer volume of mail.

Next time you see GPT with DMARC failures, go check your DMARC reports. That will tell you what’s failing and from where. If there’s a problem you’ll be able to tell and address it. No need to go ask anyone outside your organization or DMARC processor for help.

About the author


This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • You, as the person publishing DMARC, get to designate where the email goes. In the example I used in the blog post they go to addresses at the domains rua.agari.com and ruf.agari.com.

  • I’m not in charge of publishing DMARC by myself as I’m only supervising Google Postmasters. I know that DMARC by itself sends the report and I get them, but I’m still a little bit confused if Google sends separate ones from Postmasters as I’ve never got them, but as I said, I’m not a Google Apps admin. Am I following right that DMARC reports and Postmasters reports are separate ones (in DMARC rep I don’t have any info concerning the campaign that causes troubles)?

  • sorry: If DMARC sends separate from Postmasters, as I’ve never got reports from Postmasters.

  • Google will send email reports to the addresses that are in your DMARC record. They will also report the percentage of messages passing / failing DMARC in the google postmaster tools. You can get the DMARC reporting address by going to tools.wordtothewise.com/authentication and putting the domain in the DMARC box. It will tell you what addresses are receiving DMARC reports.

    If you’re using a third party to collect reports (such as dmarcian or agari or valimail) then you may see the reports coming from a third party. I don’t know what domain you’re talking about or what your reporting setup so I cannot answer your question more specifically than that (see the blog post “https://wordtothewise.com/2019/10/details-matter/”)

By laura

Recent Posts


Follow Us