Why is DMARC failing on my .fr domain despite passing SPF and DKIM?
Summary
What email marketers say (13 marketer opinions)
Email marketer from Email Marketing Forum responds that even if SPF and DKIM records pass, a DMARC failure can occur if there's an organizational mismatch. DMARC checks the domain of the 'From' header against the authentication results. If these don't align, DMARC will fail, leading to deliverability issues.
Email marketer from Email Geeks explains that UIs saying 'passing' for SPF and DKIM is not the same as 'aligned' in the DMARC sense and it just means that they are not broken.
Email marketer from Email Geeks explains that Dmarcian for sure shows when there's a lack of alignment. Some people, though, may define success as, for example, raw SPF passing even if the MAIL FROM domain for which SPF is implemented is out of alignment. So say my visible From domain is example.com and my MAIL FROM is foo.some-esp-or-another.com, such that foo passes raw SPF, but it's not example.com or a subdomain of example.com, so it's out of alignment and so is an SPF failure from the POV of DMARC compliance.
Email marketer from Valimail shares that DMARC builds on SPF and DKIM to validate the authenticity of emails, and protect email senders and recipients from fraud and phishing attacks. DMARC ensures that email messages align with the domain they claim to be sent from.
Email marketer from Reddit shares that forwarding can cause DMARC failures. When a message is forwarded, the SPF record of the original sender no longer applies, and if the forwarding server doesn't DKIM-sign the message with the correct domain, DMARC will fail.
Email marketer from EmailAuth shares that DMARC provides instructions to email receivers on how to handle emails that fail authentication checks (SPF and DKIM). If SPF and DKIM pass but are not aligned, the email will still fail the DMARC check, according to the policy of the domain owner.
Email marketer from Email Geeks recommends that the client check reporting for the org domain versus the subdomain, as subdomains inherit the DMARC policy of the org domain by default unless they have an explicit DMARC record of their own. Since it looked like they were using a subdomain, the client will want to make sure they are looking at the reporting for the subdomain (which may be out of alignment) versus the org domain (which may not have any issues).
Email marketer from Mailjet explains that DMARC alignment issues arise when the domain used for authentication (SPF or DKIM) doesn't match the domain found in the 'From' address. Resolving these issues often involves configuring SPF and DKIM to use the same domain as the 'From' address.
Email marketer from EasyDMARC shares that DMARC helps reduce email spoofing and phishing attacks by verifying that an email was sent from the domain it claims to be from. It also gives domain owners control over what happens to messages that fail authentication checks, either reject, quarantine or deliver.
Email marketer from Email Geeks explains that unalignment is a likely cause and Dmarcian will segment that data under the DMARC Non-Compliant or DMARC Non-Capable tabs, which indicates there's an issue. Also, no one should ever think about enforcing a DMARC policy if knowledge of alignment is lacking; some judge by MBP header analysis indicating that SPF or DKIM are passing, without knowing that those checks don't give you the alignment pass/fail results.
Email marketer from AuthSMTP explains that for DMARC to pass, either SPF or DKIM must pass *and* align with the domain in the From: header. It’s not enough for SPF and DKIM to simply be present and valid; they must also be aligned with the From: domain. Misalignment occurs when, for example, SPF passes using a domain other than the one in the From: header.
Email marketer from Postmark explains that to resolve DMARC failures when SPF and DKIM pass, you should check DMARC alignment. For SPF, the 'header from' domain and the 'mail from' domain must match. For DKIM, the 'd=' tag in the DKIM signature must match the 'header from' domain.
Email marketer from Stack Overflow responds that passing SPF and DKIM only validates that the message was authorized to be sent from a given infrastructure, DMARC cares more about the relationship between the domain used to authorize the message and the domain presented to the user.
What the experts say (4 expert opinions)
Expert from Email Geeks suggests the DMARC failure might stem from an alignment issue or a problem with body hashing causing signature failure.
Expert from Email Geeks clarifies a DMARC alignment issue means one of the domains in the SPF and DKIM value has to be the .fr domain, ideally both.
Expert from Email Geeks says the messages could be fully authenticated, just not aligned in a meaningful way and that is causing issues.
Expert from Word to the Wise explains that the most common reason for DMARC failing despite passing SPF/DKIM is an alignment issue. The authenticated domain (the domain in the MAIL FROM for SPF or the d= tag for DKIM) must match the domain in the From: header. Even if both SPF and DKIM pass, if neither is aligned, DMARC will fail.
What the documentation says (4 technical articles)
Documentation from Microsoft explains that DMARC is designed to protect email domains from being used for unauthorized purposes, such as phishing and spam. DMARC is set up by creating a TXT record in the DNS settings for your domain, which specifies how email receivers should handle emails that fail DMARC checks.
Documentation from RFC explains that DMARC builds on top of SPF and DKIM by adding a policy layer. It allows domain owners to specify how email receivers should handle messages that fail SPF and DKIM checks, addressing the problem of unauthorized use of their domains.
Documentation from Dmarcian Knowledge Base explains that DMARC failure despite passing SPF and DKIM often points to an alignment issue, where the domain used for SPF or DKIM verification doesn't match the domain in the 'From' header.
Documentation from Google explains that DMARC alignment requires either SPF alignment (the 'MAIL FROM' domain matches the 'From' domain) or DKIM alignment (the 'd' domain in the DKIM signature matches the 'From' domain). If neither aligns, DMARC can fail even if SPF and DKIM pass.
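The difference between "passing" and "aligned" described above can be checked directly from a message's Authentication-Results header. The following is an added example, not code from any of the quoted sources: it compares the MAIL FROM and DKIM d= domains against the From: domain in relaxed and strict mode. The sample headers are constructed, and the three-entry suffix set is an assumption standing in for the full Public Suffix List.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List; a real check needs the full list.
PUBLIC_SUFFIXES = {"fr", "com", "co.uk"}

def org_domain(domain):
    """Organizational domain = longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def aligned(auth_domain, from_domain, mode="r"):
    """'r' (relaxed) compares organizational domains; 's' (strict) needs an exact match."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(auth_results, aspf="r", adkim="r"):
    """Return raw and aligned SPF/DKIM status from one Authentication-Results value."""
    from_dom = re.search(r"header\.from=([\w.-]+)", auth_results).group(1)
    spf = re.findall(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", auth_results)
    dkim = re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth_results)
    spf_ok = any(r == "pass" and aligned(d, from_dom, aspf) for r, d in spf)
    dkim_ok = any(r == "pass" and aligned(d, from_dom, adkim) for r, d in dkim)
    return {
        "from": from_dom,
        "spf_raw_pass": any(r == "pass" for r, _ in spf),
        "dkim_raw_pass": any(r == "pass" for r, _ in dkim),
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,  # one aligned pass is enough
    }

# Constructed sample headers (not taken from the page).
ESP_ONLY = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@bounces.esp.example; "
            "dkim=pass header.d=esp.example; dmarc=fail header.from=news.example.fr")
OWN_DKIM = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@bounces.esp.example; "
            "dkim=pass header.d=example.fr; dmarc=pass header.from=news.example.fr")

if __name__ == "__main__":
    for name, hdr in (("ESP_ONLY", ESP_ONLY), ("OWN_DKIM", OWN_DKIM)):
        print(name, evaluate(hdr))
    print("OWN_DKIM with adkim=s:", evaluate(OWN_DKIM, adkim="s")["dmarc_pass"])
```

In the first sample both checks pass for the ESP's domain and neither aligns with the .fr From: domain, so DMARC fails; in the second, a signature with d=example.fr aligns in relaxed mode but not under strict DKIM alignment, because the From: address uses a subdomain.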