What information does it contain?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've pulled up an email header and spotted the Authentication-Results header. Now what? The header is essentially a score card. Each receiving server logs what it checked, what it found, and whether your email passed or failed. Here's how to read it.
The three main things it reports on are SPF, DKIM, and DMARC. Each one gets its own result, and each result comes with a status word you'll recognize quickly once you know what they mean.
SPF results tell you whether the sending server was allowed to send on behalf of your domain. You'll see one of these:
- pass. The server is authorized. All good.
- fail. The server is explicitly not authorized. A hard stop.
- softfail. The server probably isn't authorized, but the domain owner didn't want a hard block. Often a sign your SPF record needs updating.
- neutral. The domain owner made no claim either way. Uncommon, but not alarming on its own.
- none. No SPF record was found for the domain at all.
DKIM results tell you whether the email's cryptographic signature checked out. You'll see pass if the signature verified correctly, fail if something didn't match (the message may have been altered in transit, or the key is misconfigured), and none if no signature was present.
DMARC results layer on top of SPF and DKIM. It checks whether at least one of them passed AND that the authenticated domain aligns with the From address. A DMARC fail doesn't always mean your email gets blocked. It depends on what policy you've set (none, quarantine, or reject). But it does mean your email isn't fully authenticated.
Beyond the pass/fail statuses, the header also tells you which domain was checked, which server ran the evaluation, and sometimes a reason code for failures. "Signature mismatch" under DKIM usually means the email body or headers were modified after signing. "Alignment failure" under DMARC means SPF or DKIM passed, but the authenticated domain didn't match your From address (common when you're sending through a third-party ESP without proper setup).
One more thing worth knowing: a single email can carry multiple Authentication-Results headers. Each server it passes through in the delivery chain adds its own. Read from the bottom up. The first entry added is at the bottom, the most recent is at the top.
So if you're staring at a failure and want to decode exactly what went wrong, our free Email Header Analyzer can parse it for you. Or if something's broken and you're not sure where to start, the SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.