Troubleshoot email authentication problems with step-by-step solutions for the most common issues.
Your domain does not have a DMARC record, leaving it vulnerable to email spoofing.
Start with monitoring: v=DMARC1; p=none; rua=mailto:[email protected]
Add at hostname: _dmarc.yourdomain.com
Allow 15-30 minutes for changes to take effect
Use our checker tool to confirm setup
More than one DMARC record exists for your domain, which makes DMARC invalid.
Check your DNS for all TXT records at _dmarc.yourdomain.com
Determine which DMARC policy you want to enforce
Remove all but one DMARC record from DNS
Confirm only one DMARC record remains
Your SPF record requires more than 10 DNS lookups, causing it to fail validation.
Count all include:, a:, mx:, exists:, and redirect: mechanisms
Replace includes with direct IP addresses where possible
Eliminate unused mail service providers
Use macros to reduce lookup count for complex setups
Your domain lacks an SPF record, allowing anyone to spoof your domain.
List all IPs and services that send email for your domain
Format: v=spf1 include:_spf.google.com -all
Add at your root domain (yourdomain.com)
Check that record is properly formatted and accessible
The DKIM selector being used by your mail server is not published in DNS.
Check your email headers for the DKIM selector being used
Obtain the public key from your mail server/provider
Add TXT record at selector._domainkey.yourdomain.com
Send a test email and check DKIM validation passes
Your DMARC policy is p=none, providing monitoring only without enforcement.
Analyze 2-4 weeks of reports to identify all legitimate senders
Ensure all legitimate email sources pass SPF or DKIM
Change policy to p=quarantine for testing
After confirming no legitimate email blocked, set p=reject
Use our free checker tool to identify problems with your email authentication setup.
Check Your Domain Now