What is the Authentication-Results header?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You open an email header to figure out why a message landed in spam, and there it is: a block of text starting with Authentication-Results. It looks cryptic at first, but it's actually one of the most useful things in the entire header.

The Authentication-Results header is added by the receiving mail server after it checks the incoming message. It records whether SPF, DKIM, and DMARC passed or failed, and it stores that verdict right in the message so you (or any downstream system) can read it later.

A typical entry looks something like this:

spf=pass smtp.mailfrom=harborpost.net;
dkim=pass header.d=harborpost.net;
dmarc=pass header.from=harborpost.net

Each line names the check and its result. "Pass" means the check cleared. "Fail" means it didn't. You'll also see "softfail", "neutral", "none", "permerror", and "temperror" depending on what went wrong (or wasn't configured at all).

And the header also identifies which server ran the checks. That matters when a message passes through multiple systems before it reaches the inbox, because each hop can add its own Authentication-Results line. The one that counts is the one added by the final receiving server, not an intermediate one.

Why does this header exist at all? Because the checks themselves are invisible. SPF, DKIM, and DMARC run in the background when the message arrives. Without Authentication-Results, there'd be no record of what happened. When you're troubleshooting a delivery problem, this header tells you exactly where things broke down.

You can read Authentication-Results in any email client that exposes raw headers. In Gmail, open a message, click the three-dot menu, and choose "Show original". In Outlook, look under File > Properties. The header will be near the top of the raw source. If you'd rather not parse it manually, our free Email Header Analyzer reads it for you and flags any auth failures in plain English.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Ask about SPF, DKIM, and DMARC

I just read about the Authentication-Results header and how it records SPF, DKIM, and DMARC results. Can you explain in plain language what each of those three checks is actually looking for, and why receiving servers need all three instead of just one?

Edit the yellow boxes, then send to the AI of your choice.