What is a DMARC or SPF-fail rejection?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You sent an email, and instead of landing in the inbox it came straight back with something like "Message rejected per DMARC policy" or "SPF check failed; rejected per policy." That's a DMARC or SPF-fail rejection, and it means the receiving server followed exactly the instructions your domain (or the sending domain) published.
Here's how it works. When you send an email, the receiving server checks your SPF record to see whether the IP address that sent the message is actually allowed to send for your domain. It also checks DKIM to see whether the message carries a valid signature from your domain. Then DMARC ties both of those results together and asks one more question: do those results actually align with the From address the recipient sees?
A rejection happens when one of these two scenarios plays out:
- SPF-fail rejection. The sending IP isn't listed in your SPF record, the result comes back as "fail" (not "softfail"), and the receiving server is configured to reject on that result.
- DMARC-fail rejection. Both SPF and DKIM fail, or they pass but don't align with the From domain. The domain's DMARC policy is set to
p=reject, so the receiving server drops the message entirely.
It's worth saying clearly: this isn't the receiving server making an editorial decision. The domain owner wrote the rules by publishing those DNS records. The receiving server is just enforcing them. If you're the domain owner and your own emails are getting rejected, the records are either misconfigured or incomplete.
The most common reasons this happens:
- You added a new sending tool (a CRM, an ESP, a support platform) but never added its IP ranges or include statement to your SPF record.
- Your DKIM key wasn't set up for that sending tool at all, so the signature is missing or invalid.
- You're sending from a subdomain that doesn't inherit your parent domain's SPF or DKIM setup.
- Someone else is spoofing your domain and triggering DMARC failures you're seeing in reports.
To fix it, start by auditing every service that sends email on your behalf and make sure each one is covered in your authentication records. Then verify DKIM is configured for each sending source. Run your records through our free SPF Checker and DKIM Record Lookup to catch anything that doesn't look right. If DMARC is still showing failures, the DMARC Parser can help you read the XML reports and find exactly which sending source is misbehaving.
If you're stuck and emails are bouncing right now, our SOS hotline is free and we actually pick up.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.