Suped

Why is there a drop in DMARC authentication?

7 Marketer opinions4 Expert opinions4 Technical articles2 Resources

Summary

A drop in DMARC authentication is a multifaceted issue often stemming from misconfigured SPF and DKIM records, email forwarding that breaks SPF, and the introduction of new sending sources (like SaaS providers or marketing campaigns) without proper authentication. Improper DMARC implementation, including incorrect DNS records and flawed processes, also contributes significantly. Troubleshooting requires a thorough review of DMARC reports, verification of SPF and DKIM configurations, and understanding the impact of third-party services and email forwarding.

Key findings

  • SPF/DKIM Issues: Misconfigured SPF records, DKIM signature failures, and improper alignment are frequent causes.
  • Forwarding and Third-Parties: Email forwarding and third-party services often break SPF, leading to DMARC failures unless DKIM is correctly configured.
  • New Sending Sources: The addition of unauthenticated sending sources, such as new SaaS providers or marketing campaigns without DKIM, can cause drops.
  • Implementation Errors: Incorrect DNS records, flawed authentication processes, and generally improper DMARC implementation contribute to failures.
  • Importance of Reports: Regularly reviewing and analyzing DMARC reports is crucial for identifying the root cause and patterns of failures.

Key considerations

  • Monitor Sending Sources: Maintain a comprehensive list of all authorized sending sources (including third-party services) and ensure proper authentication is configured for each.
  • Validate SPF/DKIM: Routinely verify that SPF records cover all sending sources and that DKIM signatures are properly configured and validated.
  • Address Forwarding: Implement strategies to handle email forwarding without breaking SPF, such as using SRS, or ensure DKIM is correctly configured for the forwarder.
  • Review DMARC Configuration: Carefully review and correct DNS records related to SPF, DKIM, and DMARC to ensure proper alignment and implementation.
  • Analyze DMARC Reports: Establish a process for regularly analyzing DMARC reports to identify failure patterns, adjust configurations, and detect unauthorized sending sources.
  • Inform IT of changes: Whenever new marketing softwares/systems are implemented, inform the IT department to correctly configure email authentication to prevent email delivery issues.

What email marketers say
7Marketer opinions

A drop in DMARC authentication can stem from several sources, including misconfigured SPF and DKIM records, third-party services disrupting SPF, new marketing campaigns lacking DKIM implementation, email forwarding issues, or new software sending emails without proper SPF/DKIM configuration. Reviewing DMARC reports is crucial for identifying the root cause.

Key opinions

  • SPF/DKIM Misconfiguration: Incorrect SPF records or DKIM signatures failing validation are common causes of DMARC failures.
  • Third-Party Services: Third-party services and email forwarding can break SPF, leading to DMARC failures if DKIM isn't properly configured.
  • New Campaigns/Software: New marketing campaigns or software implementations may not have DKIM fully implemented or properly configured.
  • Reporting Importance: Reviewing DMARC reports helps identify the source and patterns of authentication failures.

Key considerations

  • Review DMARC Reports: Regularly check DMARC reports to identify the specific reasons for authentication failures.
  • Verify SPF Records: Ensure SPF records cover all sending sources, including third-party services.
  • Validate DKIM Signatures: Confirm that DKIM signatures are properly configured and validated for all email streams.
  • Address Forwarding Issues: Understand how email forwarding affects SPF and implement DKIM to compensate where necessary.
  • Implement DMARC Monitoring: Setup monitoring alerts to be immediately notified when DMARC failures occur to enable you to investigate immediately.
Marketer view

Email marketer from Reddit suggests that a common cause is new marketing campaigns that did not fully implement DKIM.

March 2023 - Reddit
Marketer view

Email marketer from Email Security Forum states that one potential cause is new software that is sending email and is not configured correctly with SPF or DKIM.

September 2022 - Email Security Forum
Marketer view

Email marketer from AuthSMTP explains that common causes are email forwarding and mailing lists, which break SPF validation.

August 2023 - AuthSMTP
Marketer view

Marketer from Email Geeks suggests reviewing DMARC reports to understand the cause of the drop in DMARC authentication.

October 2023 - Email Geeks
Marketer view

Email marketer from EasyDMARC states that DMARC failures can be attributed to issues such as SPF not covering all sending sources, DKIM keys not properly configured, or emails being sent from unauthorized servers.

August 2021 - EasyDMARC
Marketer view

Email marketer from GlockApps shares that third-party services or forwarding can break SPF, leading to DMARC failures if DKIM is not properly configured to compensate.

June 2024 - GlockApps
Marketer view

Email marketer from Mailjet shares that common DMARC issues include incorrect SPF records, DKIM signatures failing validation, and DMARC policy misconfigurations.

January 2023 - Mailjet

What the experts say
4Expert opinions

A drop in DMARC authentication can occur due to the addition of unauthenticated sending sources, such as new mail servers, IPs, or SaaS providers being used without proper notification or setup. Improper DMARC setup, especially concerning SPF/DKIM alignment, and email forwarding practices that break SPF are also significant contributors. Ensuring authorized sending domains are correctly aligned with the DMARC policy and properly configuring DKIM for forwarders are crucial steps.

Key opinions

  • Unauthenticated Sources: Adding new, unauthenticated mailservers, IPs, or SaaS providers can cause DMARC failures.
  • Improper DMARC Setup: Incorrect alignment of SPF and DKIM records with the DMARC policy leads to authentication issues.
  • Email Forwarding Impact: Email forwarding often breaks SPF, resulting in DMARC failures without proper DKIM configuration for forwarders.

Key considerations

  • Monitor Sending Sources: Keep track of all authorized sending sources, including SaaS providers, and ensure they are properly authenticated.
  • Verify SPF/DKIM Alignment: Ensure SPF and DKIM records are correctly configured and aligned with the DMARC policy for all sending domains.
  • Address Forwarding: Understand how email forwarding impacts SPF and implement DKIM to compensate where necessary.
  • Inform IT Department: Communicate all marketing software changes to the IT department to ensure email authentication is configured correctly.
Expert view

Expert from Word to the Wise (Laura Atkins) responds that email forwarding often breaks SPF, leading to DMARC failures if DKIM is not correctly set up for the forwarder.

July 2023 - Word to the Wise
Expert view

Expert from Email Geeks suggests that a possible cause is that some part of the company started using a SaaS provider and didn’t inform anyone.

April 2024 - Email Geeks
Expert view

Expert from Email Geeks asks if a mailserver, IP, or sending source that’s not authenticated was added.

November 2022 - Email Geeks
Expert view

Expert from Spam Resource (John Levine) explains that improper DMARC setup, particularly regarding SPF and DKIM alignment, is a common cause of DMARC failures. He emphasizes verifying that sending domains are correctly authorized and aligned with the DMARC policy.

September 2021 - Spam Resource

What the documentation says
4Technical articles

A drop in DMARC authentication is often attributed to SPF failures caused by email forwarding, DKIM signatures being altered during transit, improper implementation of DMARC due to incorrect DNS records or flawed authentication processes, and the need for fully compliant SPF and DKIM records for proper setup. Troubleshooting involves checking DNS records, verifying SPF/DKIM configurations, and analyzing DMARC reports.

Key findings

  • SPF and Forwarding: Email forwarding breaks SPF, leading to DMARC failures.
  • DKIM Alteration: DKIM signatures can be altered during transit, causing authentication failures.
  • Implementation Errors: Improper DMARC implementation with incorrect DNS records and flawed authentication processes is a common cause.
  • DNS and DMARC reports: Analysing DNS and DMARC reports is crucial for identifying and resolving the issues.

Key considerations

  • Address Email Forwarding: Implement strategies to handle email forwarding without breaking SPF, such as using SRS.
  • Ensure DKIM Integrity: Implement controls to prevent DKIM signatures from being altered during transit.
  • Correct DNS Records: Verify and correct DNS records related to SPF, DKIM, and DMARC to ensure proper authentication.
  • Analyze DMARC Reports: Regularly analyze DMARC reports to identify failure patterns and adjust configurations accordingly.
Technical article

Documentation from Microsoft Learn responds that troubleshooting DMARC involves checking DNS records, verifying SPF and DKIM configurations, and analyzing DMARC reports to identify failure patterns.

September 2021 - Microsoft Learn
Technical article

Documentation from DMARC.org explains that DMARC failures can arise from improper implementation, such as incorrect DNS records or flawed authentication processes.

September 2022 - DMARC.org
Technical article

Documentation from Google Workspace Admin Help explains that common reasons for DMARC failures include SPF failing due to forwarded email, and DKIM failing due to alterations during transit.

January 2025 - Google Workspace Admin Help
Technical article

Documentation from RFC specification explains that correct setup needs fully compliant SPF and DKIM records.

October 2021 - RFC

Related resources
2Resources

You've finally reached DMARC enforcement: Now what? - Valimail
You've finally reached DMARC enforcement: Now what? - Valimail

Learn the next steps after you reach DMARC enforcement and how to avoid potential obstacles down the road.

Valimail -
Email Routing: some senders complain I'm unreachable by email ...
Email Routing: some senders complain I'm unreachable by email ...

I get occasional notifications from senders such as banks that I’m unreachable via email and I should update my email address. Or that they can’t send me e-statements and will switch me to paper statements 🙁 I’ve also seen cases where I did not receive order confirmation emails when I bought things online. My forwarding address is Gmail and it seems most emails make it, but apparently not all. Does Cloudflare keep any logs of attempts that result in fatal errors? Or could it be the c...

Cloudflare Community

Related questions