Skip to content
Open Ticket
  • There are no suggestions because the search field is empty.

Analyzing Email Headers for DMARC Issues

It’s crucial to understand how to analyze an email header to identify DMARC-related issues. Below, we’ll provide a detailed guide on where to check the authentication protocol conditions, whether they are passing or failing.

The key section to focus on in the email header is the Authentication-Results section, which indicates whether the authentication results are passing or failing.

For Google:

When you receive an email in your Google inbox, open the email, click on the three dots (more options), and then select Show Original, as shown in the screenshot below.

The information shown in the screenshot below relates to the authentication results for both SPF and DKIM. It’s important to understand that for SPF and DKIM to pass, both authentication and alignment must succeed.

SPF Pass/Fail depends on:

Authentication: The IP or sending host must be authorized in the domain's SPF record.


Alignment: The domain in the Return-Path (also known as MAILFROM) must align with the domain in the From address.

DKIM Pass/Fail depends on:

Authentication: A digital signature generated by the sending source using a private key. The corresponding public key is published in your DNS. The recipient’s server verifies the match between the private and public keys.

Alignment: The domain used to sign the message (the DKIM signing domain) must share the same parent domain as the From address.

Recently, Google started including the DMARC result in the email header, which wasn't previously the case. DMARC passes when either SPF or DKIM (or both) pass with alignment.

Now let’s dive deeper into the email header. Scroll down until you reach the Authentication-Results section, as shown in the screenshot below.

As shown in the screenshot above, all three authentication protocols are passing:

  • DKIM is passing with the selector zmail.
  • SPF is passing, as indicated in the header—IP address 136.143.188.55 is an authorized sender, and the SMTP MAILFROM is mydmarc.xyz, which aligns with the header domain.

Since both SPF and DKIM are passing, DMARC is also passing. The domain has a DMARC policy of p=reject, and the disposition (dis=) is none, which is expected when DMARC passes.

For Microsoft:

When you receive an email in your Outlook inbox, open the email, click on the three dots (More actions), then select View, and choose View message source, as shown in the screenshot below.

The email header will open up, you will need to scroll down a bit and find the Authentication-Results section.

As shown in the screenshot above, all three authentication protocols are passing:

  • SPF is passing with the sending IP 136.143.188.55.
  • The SMTP MAILFROM (Return-Path) is aligned with the From domain.
  • DKIM is also passing, as the signature was successfully verified.

As a result, DMARC passes with an action (disposition) of none.

For Yahoo:

When you receive an email in your Yahoo inbox, open the email, click on the three dots (More), then select View raw message.

A new tab will open displaying the full raw email header. What you would need is again the Authentication-Results section.

As shown in the screenshot above, all three authentication protocols are passing:

  • DKIM is passing, using the selector zmail.
  • SPF is also passing and is aligned between the SMTP MAILFROM and the From domain.

As a result, DMARC is passing successfully.

Identify Failures in Email Headers

Now we’ll show an example of an SPF failure in a Google inbox—how it appears in the email header and how to identify the reason for the failure.

As shown in the screenshot above, SPF is failing with the following message:

spf=fail google.com: domain of khatchig@mydmarc.xyz does not designate 136.143.188.56 as a permitted sender

This indicates a lack of SPF authentication. The SMTP MAILFROM address is mydmarc.xyz, which is aligned with the Header From domain—so alignment isn't the issue here.

To resolve this, you'll need to whitelist the sending IP by updating the SPF record for mydmarc.xyz. In this case, since the email was sent via Zoho, you should include Zoho’s SPF mechanism (e.g., include:zoho.com) in your SPF record. Once added, SPF authentication will pass for future emails sent from Zoho.

Below is another example of an email header showing an SPF failure, this time due to a lack of alignment.

As shown in the screenshot above, this is a common point of confusion. At first glance, it may seem that SPF is passing—but it's actually passing for the default domain amazonses.com, not the sending domain mydmarc.xyz.

This means that bounces are being handled by amazonses.com, not by mydmarc.xyz. For SPF to pass with mydmarc.xyz, proper alignment is required. Amazon provides SPF support at the subdomain level, which means you’ll need to:

  1. Create a custom MAIL FROM domain (a subdomain of mydmarc.xyz).
  2. Add the SPF and verification records Amazon provides to your DNS zone.
  3. Verify the custom MAIL FROM domain in Amazon SES.

Once these steps are completed, SPF will pass with alignment for mydmarc.xyz.

If you ever encounter inconsistencies or failures in your authentication results and you're unsure how to proceed, don’t hesitate to reach out. We’re here to help you troubleshoot, interpret headers, and strengthen your domain's security posture with confidence.