How do authentication failures appear in headers or Postmaster Tools?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Something feels off with your deliverability, but you're not sure which authentication protocol is the culprit. The fastest way to find out is to look in two places: the email headers on a message you've already sent, and Gmail's Postmaster Tools. Here's how to read both.

Finding authentication results in email headers

Every email that passes through a mail server picks up a header called Authentication-Results. It's stamped there by the receiving server and records whether your SPF, DKIM, and DMARC checks passed or failed. Think of it as the receiving server's verdict, written right into the message.

To find it, you need to view the raw headers of an email you sent. Here's how to do that in the most common clients:

  • Gmail: Open the email, click the three-dot menu in the top-right corner, and choose "Show original". The full headers open in a new tab. Search the page for Authentication-Results.
  • Outlook: Open the email, go to File, then Properties. The headers appear in the "Internet headers" box at the bottom.
  • Apple Mail: Open the email and go to View, then Message, then All Headers. Or press Shift + Cmd + H.

Once you're looking at the raw headers, find the Authentication-Results line. It'll look something like this:

Authentication-Results: mx.google.com;
  spf=pass (google.com: domain of hello@harborpost.net designates 203.0.113.5 as permitted sender)
  dkim=fail (bad signature)
  dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=harborpost.net

Here's what the status values mean for each protocol:

  • SPF. pass means the sending IP is authorized. fail means it isn't. softfail means the IP is discouraged but not hard-blocked. permerror usually means your SPF record has a syntax problem or too many DNS lookups.
  • DKIM. pass means the signature matched. fail means the signature didn't verify (could be a key mismatch, record missing, or the message was altered in transit). none means no DKIM signature was attached at all.
  • DMARC. pass means at least one of SPF or DKIM passed AND the domain aligned with your From address. fail means neither aligned. This is the one that triggers quarantine or rejection if your policy is set to enforce.

And if you want to dig into the raw source without hunting through an email client, our free Email Header Analyzer parses it all in one view.

Reading authentication failures in Gmail Postmaster Tools

Headers show you one email at a time. Postmaster Tools shows you your whole sending program over time, which is where patterns become obvious.

And once you're in Postmaster Tools for your domain, go to the Authentication section in the left sidebar. You'll see three graphs, one for SPF, one for DKIM, and one for DMARC, each showing the percentage of your emails that passed over the last 30 days.

What to look for:

  • A sudden drop on one graph usually means something changed. A new sending tool got added, a DNS record got accidentally edited, or an IP changed. The date of the drop is your best clue for what to investigate.
  • DKIM consistently lower than SPF often points to a forwarding issue (SPF breaks on forward, DKIM usually survives) or a signing configuration problem on one of your sending streams.
  • DMARC sitting below 100% even when SPF and DKIM look fine usually means an alignment problem. SPF or DKIM passed, but the domain that passed doesn't match your From address. This is common when you send through a third-party platform without setting up a custom sending domain.
  • Numbers below 90% on any of these are worth investigating. Numbers below 75% are urgent.

Postmaster Tools doesn't tell you which specific emails failed or show you the headers. It just shows percentages. If you need to pinpoint the exact failing messages, that's where DMARC aggregate reports come in. Your DMARC reports will show which sending sources are failing and why, broken down by IP address and domain.

Quick diagnostic checklist

If you spot a failure, here's how to read what it's telling you:

  • SPF fail. The sending IP isn't listed in your SPF record. Check whether a new tool or ESP was added without updating your DNS.
  • DKIM fail. The signature didn't verify. Possible causes are a missing DKIM record, a key rotation that didn't finish, or the message being modified after signing (some mailing lists do this).
  • DMARC fail with SPF and DKIM both passing. Alignment is the issue. The domain in your SPF or DKIM result doesn't match your From header domain.
  • permerror on SPF. Your SPF record has a syntax error or has exceeded the 10 DNS lookup limit. Our free SPF Checker will catch both.

If you're still not sure what the headers are telling you, our Email Header Analyzer walks through the output in plain language. And if something is actively broken right now, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your Authentication-Results header and get a plain-language diagnosis

My domain is domain and I'm seeing authentication failures but I'm not sure which protocol is broken or why. I've found the Authentication-Results header in a failed email and it shows paste the header here. Can you walk me through what each line means, which failure is most likely hurting my deliverability, and what I should fix first?

Edit the yellow boxes, then send to the AI of your choice.