How can I use this header to troubleshoot authentication?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

First, you need to actually see the Authentication-Results header. In Gmail, click the three-dot menu and select "Show original." In Outlook, find "View > View Source" in the desktop client or "View message source" on the web. It's a bit hidden, but once you find it, you're looking at the raw truth about whether your email passed authentication checks.

Now look for the Authentication-Results header itself. It'll show you a list of checks like this: spf=pass, dkim=pass, dmarc=pass (or any combination of pass/fail). Here's what each one means:

  • SPF=pass means your sending IP is authorized in your SPF record. SPF=fail means it's not. That's your first red flag.
  • DKIM=pass means the message signature validated. DKIM=fail usually means either your DKIM signing is misconfigured or the message got modified in transit (which breaks the signature).
  • DMARC=pass means at least one of SPF or DKIM passed AND the domain aligned correctly. DMARC=fail means alignment didn't work, even if individual checks passed.

Here's where it gets useful: compare what you're seeing in those headers against your DNS records. If you see "dkim=fail" but you know you've got DKIM signing set up, something's wrong in your configuration. If "spf=fail" shows an IP that definitely should be authorized, your SPF record is out of date. Mismatch equals misconfiguration.

Not sure what you're looking at? Use the Review My Emails Header Analyzer to parse it automatically. If you're still stuck after checking your configuration, don't spin your wheels. The Review My Emails SOS hotline can walk you through it. Next step: pull a header from an email that bounced and diagnose which check is failing.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Diagnose and fix your DKIM, SPF, or DMARC failures.

My Authentication-Results header shows DKIM=fail. I have DKIM signing configured, so why is it failing? Walk me through checking my DKIM setup, and tell me if a modified message could cause this.

Edit the yellow boxes, then send to the AI of your choice.