What are authentication-related bounces?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You sent an email, and it bounced with a message like "5.7.1 Not authorized" or "Message failed DMARC policy." No bad address, no full mailbox. The receiving server is saying something more pointed: "We can't verify you are who you claim to be." That's an authentication bounce.

Authentication bounces happen when the receiving server checks your identity credentials and something doesn't line up. Every major inbox provider now checks at least one of these three signals before accepting a message: SPF, DKIM, and DMARC. Fail them the wrong way and the email doesn't just go to spam. It gets rejected outright.

Here's what each failure actually means:

SPF failure means the server your email was sent from isn't listed as an authorized sender in your domain's SPF record. You might see "SPF check failed" or "sending IP not authorized" in the bounce message. The fix is updating your SPF record to include every IP or service you actually send from.

DKIM failure means the cryptographic signature attached to your message is either missing or didn't verify correctly. This can happen if your DKIM key was rotated and the DNS record wasn't updated, or if something in the sending chain is modifying the message after it's signed. The bounce usually says "DKIM signature verification failed."

DMARC failure is what happens when neither SPF nor DKIM passes and aligns with the From address your recipient sees. If your DMARC policy is set to p=reject, receiving servers will refuse the message entirely. You'll see codes like 5.7.26 or a bounce note that says "Message failed DMARC policy." This one tends to surprise senders because the message fails even when SPF and DKIM seem fine individually. Alignment is what catches people off guard (your authenticated domain needs to actually match your visible From domain).

The typical bounce codes to watch for are 550 and 554 with an authentication reference in the message, plus the 5.7.x family. The specific sub-codes 5.7.23, 5.7.25, and 5.7.26 are Gmail's DMARC-specific rejection codes, so if you're bouncing at Gmail in particular, those are worth knowing.

Now when you hit authentication bounces, the next step is to understand what a DMARC or SPF-fail rejection actually looks like in practice. And if you want to verify your current SPF record is correct, you can run a quick check with our free SPF tool. No signup needed.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Diagnose my authentication bounce

I'm getting authentication-related bounces. Here's what I know about my setup: 1. What bounce message or error code are you seeing? (e.g. 5.7.1, 5.7.26, 'SPF check failed') 2. Which mailbox provider is rejecting your email? (Gmail, Outlook, other) 3. What does your current SPF record say? (paste it here) 4. Are you using DKIM? If yes, which domain is in the DKIM signature? 5. What is your current DMARC policy? (p=none, p=quarantine, or p=reject) With those details, I can tell you which authentication layer is failing, why alignment might be breaking it, and what to change first.

Edit the yellow boxes, then send to the AI of your choice.