Email Authentication Failures: How to Diagnose and Fix Them

Fix SPF, DKIM, and DMARC email authentication failures. Step-by-step diagnosis guide for cold email senders with real troubleshooting examples.

Email authentication failures happen when SPF, DKIM, or DMARC checks fail on your outgoing email. These failures directly impact deliverability, causing your cold emails to land in spam or get rejected entirely. At Alchemail, we manage authentication across 100+ sending domains per client and catch authentication issues before they damage campaigns. This guide shows you how to diagnose and fix every common authentication failure.

If your emails are landing in spam or your open rates have dropped, authentication failures are one of the first things to check.

How to Check for Authentication Failures

Method 1: Gmail "Show Original"

The fastest way to check authentication:

  1. Send a test email to a Gmail account
  2. Open the email, click the three dots menu, select "Show Original"
  3. Look at the top of the raw message for:
SPF: PASS
DKIM: PASS
DMARC: PASS

If any of these show "FAIL" or "SOFTFAIL," you have an authentication issue.

Method 2: Email Header Analysis

Use Google's Email Header Analyzer (toolbox.googleapps.com/apps/messageheader/):

  1. Copy the full email headers from "Show Original"
  2. Paste into the analyzer
  3. Review the authentication results with detailed explanations

Method 3: MXToolbox

MXToolbox provides DNS-level authentication checks:

  • SPF Lookup: mxtoolbox.com/spf.aspx
  • DKIM Lookup: mxtoolbox.com/dkim.aspx
  • DMARC Lookup: mxtoolbox.com/dmarc.aspx

Method 4: DMARC Reports

If you have DMARC set up with reporting (rua tag), aggregate reports show authentication pass/fail rates over time. Use a DMARC report analyzer like Postmark DMARC or EasyDMARC to visualize results.

SPF Failures

What SPF Does

SPF (Sender Policy Framework) tells receiving servers which mail servers are authorized to send email on behalf of your domain. An SPF record lists the IP addresses and services allowed to send as your domain.

Common SPF Failure Causes

| Cause | Symptom | Fix |
|---|---|---|
| Missing SPF record | SPF: NONE | Add SPF TXT record to DNS |
| Wrong include statement | SPF: FAIL | Update include to match your provider |
| Too many DNS lookups (>10) | SPF: PERMERROR | Reduce includes, use IP addresses |
| Multiple SPF records | SPF: PERMERROR | Merge into one record |
| Sending from unauthorized server | SPF: FAIL | Add the sending service to your SPF |
| DNS propagation delay | SPF: SOFTFAIL | Wait 24-48 hours |

Fix: Missing or Incorrect SPF Record

For Google Workspace:

v=spf1 include:_spf.google.com ~all

For Microsoft 365:

v=spf1 include:spf.protection.outlook.com ~all

For both (Google + Microsoft on same domain):

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

Fix: Too Many DNS Lookups

SPF allows at most 10 DNS lookups per evaluation. Each "include" statement counts as one lookup and can trigger more through the includes nested inside it. If you exceed 10:

  1. Count your current lookups using MXToolbox SPF checker
  2. Remove any includes for services you no longer use
  3. Replace includes with direct IP addresses where possible
  4. Use SPF flattening tools if needed

Fix: Multiple SPF Records

A domain must have exactly one SPF TXT record. If you have two:

  1. Check DNS for all TXT records
  2. Merge all includes into a single SPF record
  3. Delete the duplicate record
  4. Wait for DNS propagation
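
The lookup count and the duplicate-record check from the two fixes above can be scripted. This Python code is an added example, not Alchemail's tooling; it walks a constructed, offline set of TXT records (the a.example and b.example provider names are invented) rather than querying live DNS.

```python
# Constructed offline "zone": TXT records keyed by name. The a.example and
# b.example provider names are invented for illustration.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.a.example include:_spf.b.example mx ~all"],
    "_spf.a.example": ["v=spf1 include:_n1.a.example include:_n2.a.example ~all"],
    "_n1.a.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_n2.a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.b.example": ["v=spf1 a mx exists:%{i}.rbl.b.example ~all"],
    "dup.example": ["v=spf1 include:_spf.a.example ~all", "v=spf1 mx ~all"],
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # RFC 7208 4.6.4
LIMIT = 10

class PermError(Exception):
    pass

def spf_records(domain, zone):
    """Return only the TXT records at domain that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain, following includes."""
    if domain in path:
        raise PermError(f"include loop at {domain}")
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise PermError(f"{domain}: {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        sep = "=" if term.lower().startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0].lower()          # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Return (result, detail) in the terms used by the failure table above."""
    if not spf_records(domain, zone):
        return ("NONE", "no SPF record published")
    try:
        n = count_lookups(domain, zone)
    except PermError as exc:
        return ("PERMERROR", str(exc))
    return ("PERMERROR" if n > LIMIT else "OK", f"{n} DNS lookups")
```

With the sample data, yourdomain.com has only three lookup terms in its own record but costs 8 lookups once the nested includes are followed, which is why counting the top-level record by eye underestimates the total.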

DKIM Failures

What DKIM Does

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server verifies this signature against a public key published in your DNS to confirm the email was not tampered with.

Common DKIM Failure Causes

| Cause | Symptom | Fix |
|---|---|---|
| DKIM not enabled | DKIM: NONE | Generate and publish DKIM key |
| Wrong DNS record | DKIM: FAIL | Update CNAME or TXT record |
| Key mismatch | DKIM: FAIL | Regenerate key in provider admin |
| DNS propagation delay | DKIM: TEMPERROR | Wait 24-48 hours |
| Message modified in transit | DKIM: FAIL | Check for email modifications |
| Selector mismatch | DKIM: FAIL | Verify selector in DNS matches |

Fix: DKIM Not Set Up

Google Workspace:

  1. Go to Google Admin > Apps > Google Workspace > Gmail > Authenticate Email
  2. Click "Generate New Record"
  3. Copy the DKIM key value
  4. Add it as a TXT record in your DNS at the specified selector (default: google._domainkey)
  5. Return to Google Admin and click "Start Authentication"
  6. Wait 24-48 hours for propagation

Microsoft 365:

  1. Go to Microsoft 365 Admin > Exchange Admin Center
  2. Navigate to Mail Flow > DKIM
  3. Enable DKIM for your domain
  4. Add the two CNAME records Microsoft provides:
    • selector1._domainkey.yourdomain.com
    • selector2._domainkey.yourdomain.com
  5. Verify the records have propagated
  6. Enable DKIM signing

Fix: DKIM Selector Mismatch

DKIM uses "selectors" to identify which key to check. If the selector in the email header does not match a published DNS record:

  1. Check the email headers for the "d=" and "s=" tags in the DKIM signature
  2. Verify the selector (s= value) has a corresponding DNS record
  3. If not, republish the DNS record with the correct selector
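
The selector check in the steps above, as an added Python example that is not part of the original guide: it reads d= and s= from a DKIM-Signature value, builds the DNS name a receiver would query, and reports why the lookup would fail. The signature and TXT records are constructed sample data with placeholder key values; a real check would query DNS for the same name.

```python
import re

# Constructed sample data: a folded DKIM-Signature value and the TXT records
# in the sender's zone. Key and hash values are shortened placeholders.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com;\r\n"
             "\ts=google; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
DNS_TXT = {
    "google._domainkey.yourdomain.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
    "old._domainkey.yourdomain.com": ["v=DKIM1; k=rsa; p="],
    # Typical DNS-panel mistake: the zone name was appended to a full name.
    "s1._domainkey.yourdomain.com.yourdomain.com": ["v=DKIM1; p=PLACEHOLDERKEY"],
}

def parse_tags(value):
    """Parse a DKIM tag=value list, tolerating folding and stray whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_selector(signature, dns_txt=DNS_TXT):
    """Return (result, detail) for the key record the signature points at."""
    sig = parse_tags(signature)
    if not sig.get("d") or not sig.get("s"):
        return ("FAIL", "signature has no d= or s= tag")
    # Receivers look the key up at <selector>._domainkey.<signing domain>.
    name = f"{sig['s']}._domainkey.{sig['d']}".lower().rstrip(".")
    records = dns_txt.get(name)
    if not records:
        near = [n for n in dns_txt if n.startswith(name + ".")]
        hint = f"; found {near[0]} instead" if near else ""
        return ("FAIL", f"no TXT record at {name}{hint}")
    key = parse_tags(records[0])
    if key.get("v", "DKIM1") != "DKIM1":
        return ("FAIL", f"{name} is not a DKIM1 record")
    if not key.get("p"):
        return ("FAIL", f"key at {name} is revoked (empty p=)")
    return ("OK", name)
```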

Fix: DKIM Key Rotation

Some providers rotate DKIM keys periodically. When they do:

  1. The new key needs to be published in DNS before the old one is removed
  2. Both old and new keys should coexist for 48-72 hours
  3. After propagation, the old key can be removed

If your DKIM fails suddenly, check if your provider recently rotated keys and update DNS accordingly.

DMARC Failures

What DMARC Does

DMARC ties SPF and DKIM together and requires "alignment," meaning the domain in the "From" header must match the domain authenticated by SPF or DKIM.

Common DMARC Failure Causes

| Cause | Symptom | Fix |
|---|---|---|
| No DMARC record | DMARC: NONE | Add DMARC TXT record |
| SPF and DKIM both failing | DMARC: FAIL | Fix SPF and/or DKIM first |
| Alignment failure | DMARC: FAIL | Check From domain matches auth domains |
| Incorrect DMARC syntax | DMARC: PERMERROR | Fix record syntax |
| Multiple DMARC records | DMARC: PERMERROR | Remove duplicates |

Fix: DMARC Alignment Failure

This is the most common DMARC failure in cold email. It happens when:

  1. The "From" domain is yourdomain.com
  2. But SPF authenticates mail.otherdomain.com (a different domain)
  3. And DKIM signs with otherdomain.com (also different)

Solution: Ensure your email provider's SPF and DKIM are configured for your exact sending domain, not a different domain.

For cold email through Google Workspace or Microsoft 365, alignment should work automatically if:

  • SPF includes your provider's servers
  • DKIM is generated for your domain in the provider's admin
  • The "From" address uses the same domain

Fix: No DMARC Record

Add this TXT record at _dmarc.yourdomain.com:

Start with monitoring:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

After confirming everything passes, upgrade:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

For full DMARC setup instructions, see our DMARC guide and our SPF, DKIM, DMARC guide.

Diagnosing Authentication at Scale

When managing 100+ domains (as we do at Alchemail), individual troubleshooting is not scalable. Here is our systematic approach:

Automated Authentication Audits

We run automated checks across all domains weekly:

  1. SPF check: Verify SPF record exists and includes correct providers
  2. DKIM check: Verify DKIM signatures are passing
  3. DMARC check: Verify DMARC record exists with appropriate policy
  4. Send test emails from each domain to seed accounts
  5. Parse authentication results from email headers
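
Step 5, combined with the alignment rule from the DMARC section, as an added Python example (not Alchemail's code): it parses an Authentication-Results header value and separates a DMARC alignment failure from SPF and DKIM both failing. The header values are constructed samples, and the two-label organizational-domain shortcut is an assumption; real evaluators use the Public Suffix List.

```python
import re

# Constructed sample Authentication-Results values (RFC 8601 layout); the
# mx.example.net host and all domains are placeholders, not real captures.
ALIGNED = ("mx.example.net; spf=pass (sender IP permitted) "
           "smtp.mailfrom=bounce@yourdomain.com;\r\n\tdkim=pass header.d=yourdomain.com; "
           "dmarc=pass header.from=yourdomain.com")
MISALIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounce@mail.otherdomain.com; "
              "dkim=pass header.d=otherdomain.com; dmarc=fail header.from=yourdomain.com")
BOTH_FAIL = ("mx.example.net; spf=fail smtp.mailfrom=a@yourdomain.com; "
             "dkim=fail header.d=yourdomain.com; dmarc=fail header.from=yourdomain.com")

def parse_auth_results(value):
    """Return a list of (method, result, properties) for every clause."""
    value = re.sub(r"\([^()]*\)", "", value)        # drop RFC 5322 comments
    clauses = []
    for clause in value.split(";")[1:]:             # part 0 is the authserv-id
        m = re.match(r"\s*([\w-]+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"([\w.-]+)=(\S+)", clause[m.end():]))
            clauses.append((m.group(1).lower(), m.group(2).lower(), props))
    return clauses

def org_domain(value):
    # ASSUMPTION: the last two labels stand in for the organizational domain.
    # Real DMARC evaluators use the Public Suffix List (e.g. for .co.uk).
    host = value.lower().rstrip(".").split("@")[-1]
    return ".".join(host.split(".")[-2:])

def diagnose(value):
    """Classify one message using relaxed alignment (DMARC's default mode)."""
    clauses = parse_auth_results(value)
    frm = next((org_domain(p.get("header.from", ""))
                for m, _, p in clauses if m == "dmarc"), "")
    ident = {"spf": "smtp.mailfrom", "dkim": "header.d"}
    passed = [(m, org_domain(p.get(ident[m], "")))
              for m, res, p in clauses if m in ident and res == "pass"]
    aligned = sorted({m for m, dom in passed if frm and dom == frm})
    if aligned:
        return "pass via " + "+".join(aligned)
    return "DMARC alignment failure" if passed else "SPF and DKIM both failing"
```

The MISALIGNED sample reproduces the case described under "Fix: DMARC Alignment Failure": SPF and DKIM each report pass, yet neither authenticated domain matches the From domain.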

Prioritization Framework

| Issue | Priority | Action Timeline |
|---|---|---|
| Missing DMARC | High | Fix within 24 hours |
| SPF failure | Critical | Fix immediately, pause sending |
| DKIM failure | Critical | Fix immediately, pause sending |
| DMARC alignment failure | High | Fix within 24 hours |
| SPF softfail | Medium | Fix within 48 hours |
| DMARC p=none (should be quarantine) | Low | Upgrade within 1 week |

Common Patterns Across Domains

When multiple domains fail simultaneously, look for patterns:

  • All Google Workspace domains failing DKIM: Google may have rotated keys or changed settings. Check Google Admin for all affected domains.
  • All domains failing SPF: A common change (e.g., moving to a new sending service) was not applied everywhere.
  • Random failures across domains: DNS provider issue or propagation delay.

Authentication Testing Tools

| Tool | What It Checks | Free? | Best For |
|---|---|---|---|
| Gmail "Show Original" | SPF, DKIM, DMARC per email | Yes | Quick checks |
| MXToolbox | DNS records for all auth | Yes | Record validation |
| Mail Tester | Overall email score | Yes (limited) | Pre-campaign testing |
| Google Postmaster Tools | Domain reputation + auth | Yes | Google-specific monitoring |
| DMARC Analyzer | DMARC report visualization | Freemium | Ongoing monitoring |
| EasyDMARC | Full authentication suite | Freemium | Comprehensive management |

Prevention: Avoid Authentication Failures

Setup Checklist for Every New Domain

Before any domain goes into warm-up or campaigns:

  • SPF record published and verified
  • DKIM key generated in provider admin and DNS record added
  • DKIM verified as passing (send test email)
  • DMARC record added (start with p=none)
  • MX records configured correctly
  • Custom tracking domain CNAME added
  • All records verified via MXToolbox
  • Test email sent and authentication confirmed via "Show Original"

Ongoing Monitoring

  • Weekly: Automated authentication checks across all domains
  • Monthly: Review DMARC aggregate reports
  • After any DNS change: Re-verify all authentication records
  • After provider changes: Re-generate and verify DKIM keys

Frequently Asked Questions

Why are my emails failing DKIM when I just set it up?

DKIM DNS records can take 24-48 hours to propagate fully. If you just added the record, wait and test again. If it still fails after 48 hours, verify the DNS record matches exactly what your email provider generated (check for trailing periods, correct selector name, and complete key value).

Can I have DMARC pass if only SPF passes (not DKIM)?

Yes. DMARC requires either SPF or DKIM to pass AND align with the From domain. Both passing is ideal, but DMARC will pass with just one. However, both should be configured because email forwarding can break SPF while DKIM survives.

Does authentication affect open rates directly?

Authentication does not directly change open rates. But authentication failures cause emails to land in spam or get rejected, meaning fewer emails reach the inbox. Emails in spam are never opened. So indirectly, authentication failures can reduce your open rate from 40-60% to near zero.

Should I use ~all or -all in my SPF record?

Use ~all (softfail) for cold email sending domains. This tells receiving servers to flag but not reject emails from unauthorized sources. The strict -all (hardfail) rejects unauthorized emails outright, which can cause issues if any sending source is accidentally missing from your SPF record.

How do I fix authentication for emails sent through a third-party tool like SmartLead?

When SmartLead sends email through your Google Workspace or Microsoft 365 account (via SMTP or OAuth), the email goes through your provider's servers. SPF, DKIM, and DMARC authenticate against your domain through your provider, not through SmartLead's servers. As long as your provider is properly configured, authentication should pass.

Get Expert Authentication Management

Managing authentication across 100+ domains requires systematic monitoring and rapid response. At Alchemail, we configure and monitor SPF, DKIM, and DMARC for every sending domain, maintaining spam rates under 0.3% and open rates of 40-60% across all client campaigns.

Book a call with us to discuss your email infrastructure needs.
