How does Gmail handle unauthenticated or poorly aligned mail?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've set up SPF, DKIM, and DMARC. Everything looks fine. But your emails are still landing in spam, or recipients are seeing a warning banner that says the sender couldn't be verified. Sound familiar? This is often an authentication alignment problem, and Gmail does not give it a pass.

Here's what Gmail actually checks. SPF verifies that the sending server is allowed to send on behalf of a domain. DKIM adds a cryptographic signature to your email so the receiving server can confirm the message wasn't tampered with. DMARC then checks whether at least one of those two passes AND that the domain in the signature matches your From header domain. That second part is alignment.

Alignment is where a lot of senders get caught out. You can have SPF passing on a subdomain your ESP controls, and DKIM signing from a different domain entirely, and neither of those domains matches what your recipient sees as your From address. Authentication technically passed. Alignment failed. Gmail treats this with the same suspicion as an outright failure.

What Gmail actually does when it spots these issues depends on the severity.

  • Outright rejection happens most often with bulk senders who fail SPF and DKIM completely. Since Google tightened its bulk sender requirements in 2024, senders hitting 5,000 or more messages per day to Gmail addresses must have both SPF and DKIM in place, or mail gets rejected before it even reaches the spam folder.
  • Aggressive spam filtering is the middle ground. Mail that passes one check but has poor alignment, or passes both but has a weak DMARC policy, tends to end up here. Gmail's filters weigh authentication heavily alongside engagement signals, so poor alignment makes the algorithm more suspicious of everything else too.
  • Warning banners are shown inside the inbox itself when Gmail can't verify the sender. Recipients see a message like "Gmail couldn't verify that this message was actually sent by..." This lands even on mail that technically reached the inbox, and it destroys trust fast. Most recipients either delete the email or mark it as spam.

The practical fix is straightforward in principle (if a little tedious in practice). You need SPF aligned to your From domain, DKIM signing from your From domain, and a DMARC record that actually has a policy set. Starting with p=none is fine while you're monitoring, but eventually you want to move to p=quarantine or p=reject to give Gmail a clear instruction about what to do with failures.

Not sure if your alignment is actually clean? You can check your SPF record in about 30 seconds with our free SPF checker, or parse a real DMARC report with our DMARC parser to see exactly which messages are passing and failing alignment. If the results look confusing, our SOS hotline is free (and we actually pick up).

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my Gmail authentication setup

I'm sending from your domain and I'm seeing Gmail deliverability issues. Walk me through whether my SPF, DKIM, and DMARC are set up correctly. Check my alignment (do the domains in my SPF and DKIM match my From address?), flag any gaps, and tell me what policy I should have on my DMARC record right now.

Edit the yellow boxes, then send to the AI of your choice.