Field note · 5 min read
What “SPF, DKIM, or DMARC failed” means on an email you received
When a message you received shows spf=fail, dkim=fail, or dmarc=fail, it could not prove who sent it. How to read each result, when a failure is a forgery versus an honest misconfiguration, and how to stop unauthenticated mail.
One-paragraph answer. When a message you received shows spf=fail, dkim=fail, or dmarc=fail, it means the message could not prove it really came from the domain in its From address. Often that’s a forgery; sometimes it’s an honest sender who misconfigured their records or whose mail was altered in transit by a forwarder or mailing list. This guide explains where to find those results, what each one means in plain English, and how to decide whether a failing message is dangerous or just sloppy.
Where you see these results
Almost every provider records an Authentication-Results line in the raw headers. In Gmail, open the message, click the three-dot menu, and choose Show original; you’ll see spf, dkim, and dmarc each marked pass or fail. Outlook and Apple Mail expose the same through “view source” or message headers. Some inboxes also clip a visible “this message could not be verified” banner onto the message — that banner is reporting the same underlying result.
SPF fail
What it asks: was the server that sent this message on the list of servers the domain has authorized to send for it? A fail means it wasn’t.
Forgery looks like this. A stranger’s server sending as a domain it doesn’t control fails SPF outright. But there’s an innocent cause too: when a message is forwarded, or sent through a mailing list, the final hop is a server the original domain never authorized — so legitimate forwarded mail can fail SPF through no fault of the sender. SPF alone, therefore, is a weak signal; it’s why DMARC exists.
DKIM fail
What it asks: does the message carry an unbroken cryptographic signature from the domain it claims? A forger can’t produce one, because they don’t hold the domain’s private key.
Forgery looks like this. No signature, or a signature that doesn’t verify. Innocent cause: if anything modified the message body in transit — a mailing list appending a footer, a security gateway rewriting links — the signature breaks even though the sender is genuine. A DKIM pass is strong positive proof; a DKIM fail needs the context below before you read it as malicious.
DMARC fail — the one that matters most
DMARC ties SPF and DKIM to the visible From address (called alignment) and tells the receiver what to do when neither passes for that domain. A dmarc=fail means the message could not be authenticated as the domain it appears to be from — which is exactly the condition a spoof creates. It’s the most trustworthy of the three signals because it’s the one a forger can’t route around.
The domain’s published policy decides the consequence: p=none (monitor only — deliver anyway, just report), p=quarantine (send to spam), or p=reject (refuse outright). A bank or large brand failing DMARC is almost certainly forged; their policy is locked down, so a real message wouldn’t fail. A tiny sender failing it is more often a setup mistake.
Should you trust a message that failed?
A practical reading:
- DMARC fail on a domain you’d expect to be careful (a bank, a major service, your own domain) — treat as forged. Don’t click, don’t reply.
- SPF fail but DKIM pass — usually a forwarded-but-genuine message; the DKIM pass is the one to trust.
- Everything fails and the content is urgent or asks for money or credentials — classic phishing. The failure is the tell.
The catch: doing this analysis by hand on every message isn’t realistic, and most inboxes don’t do it for you — they fail open, delivering unauthenticated mail with at most a banner and leaving the judgment to you.
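The practical reading above, as an added example that is not Folio’s code or part of the original note: a small Python script that pulls the spf=, dkim= and dmarc= results (and the identities they were checked against) out of an Authentication-Results header and returns a verdict. The three headers at the bottom are constructed for the example, the domains in them are reserved example names, and the relaxed alignment check is a simplification of the DMARC organizational-domain rule.

```python
"""Read an Authentication-Results header and apply the practical reading above.

Added example, not Folio's code. The header samples at the bottom are
constructed; the domains in them are reserved example names.
"""
import re

# spf=pass, dkim=fail, dmarc=none ... as written by the receiving server (RFC 8601).
METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
# The identities each method was evaluated for.
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;()]+)", re.IGNORECASE)

FAILED = {"fail", "softfail", "permerror"}
# Results that prove nothing either way; an inbox that "fails open" lets these through.
UNPROVEN = {"missing", "none", "neutral", "temperror"}


def parse_auth_results(header: str) -> dict:
    """Return each method's result plus the identities it was checked against.

    A method absent from the header is reported as 'missing', which is a
    different state from 'fail'. Folded continuation lines are joined first.
    If several DKIM signatures are listed, one passing signature counts as a pass.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    parsed = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for method, result in METHOD_RE.findall(unfolded):
        method, result = method.lower(), result.lower()
        if result == "pass" or parsed[method] == "missing":
            parsed[method] = result
    for prop, value in PROP_RE.findall(unfolded):
        parsed.setdefault(prop.lower(), value.lower())  # first occurrence wins
    return parsed


def aligned(from_domain: str, other: str) -> bool:
    """Relaxed-style alignment (simplified): same domain, or one is a parent of the other."""
    if not from_domain or not other:
        return False
    return (from_domain == other
            or from_domain.endswith("." + other)
            or other.endswith("." + from_domain))


def triage(header: str, careful_domains=frozenset()) -> str:
    """Classify a message the way the list above does.

    careful_domains: domains you expect to have a locked-down DMARC policy
    (your bank, a major service, your own domain). A DMARC fail from one of
    them is treated as forged outright.
    """
    r = parse_auth_results(header)
    from_domain = r.get("header.from", "")
    if r["dmarc"] == "fail" and from_domain in careful_domains:
        return "forged"
    if r["dmarc"] == "pass":
        return "authenticated"
    # SPF fail but DKIM pass: usually forwarded-but-genuine, provided the signing
    # domain lines up with the visible From. The DKIM pass is the one to trust.
    if r["dkim"] == "pass" and r["spf"] in FAILED and aligned(from_domain, r.get("header.d", "")):
        return "forwarded-genuine"
    # Everything fails (or the message is simply unsigned): the classic phishing tell.
    if r["dmarc"] == "fail" and r["spf"] in FAILED and r["dkim"] in FAILED | {"none"}:
        return "all-failed"
    # Nothing proven either way: an enforcing inbox fails open on this, it does not punish it.
    if all(r[m] in UNPROVEN for m in ("spf", "dkim", "dmarc")):
        return "unauthenticated"
    return "unverified"


# Constructed sample headers (not real messages).
SAMPLE_FORGED = (
    "Authentication-Results: mx.example.net;\n"
    "\tspf=fail (sender IP is 203.0.113.7) smtp.mailfrom=bank.example;\n"
    "\tdkim=none (message not signed);\n"
    "\tdmarc=fail (p=reject dis=none) header.from=bank.example"
)
SAMPLE_FORWARDED = (
    "Authentication-Results: mx.example.net;\n"
    "\tspf=fail (forwarder 198.51.100.9 not authorized) smtp.mailfrom=friend.example;\n"
    "\tdkim=pass header.d=friend.example header.s=sel1;\n"
    "\tdmarc=none (no policy published) header.from=friend.example"
)
SAMPLE_UNSIGNED = (
    "Authentication-Results: mx.example.net;\n"
    "\tspf=none (no SPF record) smtp.mailfrom=hobby.example;\n"
    "\tdkim=none (message not signed);\n"
    "\tdmarc=none header.from=hobby.example"
)

if __name__ == "__main__":
    for name, hdr in (("forged", SAMPLE_FORGED), ("forwarded", SAMPLE_FORWARDED), ("unsigned", SAMPLE_UNSIGNED)):
        print(f"{name:10} -> {triage(hdr, careful_domains={'bank.example'})}")
```

Run it and the bank forgery comes back as forged, the forwarded friend’s mail as forwarded-genuine, and the unsigned hobby domain as unauthenticated rather than failed, which is the distinction an inbox that fails open on merely-missing authentication has to draw.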
What an enforcing inbox does instead
Folio reads these same results on every incoming letter and files mail that fails authentication straight to Spam on arrival, before it’s scored on content — and then shows you, in plain English, which check failed and why, right next to the message. Mail that is merely missing authentication or temporarily unreachable fails open, so honest-but-misconfigured senders aren’t punished, and nothing is silently deleted. You get the verdict and the reasoning without reading a single raw header. For the wider picture of why this matters, see why you get email from your own address.
If it’s your own domain that’s failing
If your own mail is failing these checks — landing in recipients’ spam, or showing a “via” line — the fix is to publish correct records. Run a free domain health check to see exactly which of MX, SPF, DKIM, and DMARC is wrong, build a valid sender record with the SPF record generator, and tighten DMARC from p=none toward p=reject once a clean window proves it’s safe.
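As an added example (not Folio’s domain health check, nor the SPF record generator it links to), here is a small offline checker for the two records that most often make a domain’s own mail fail: it takes the SPF and DMARC TXT record text as you would read it out of DNS and reports the problems that keep a sender stuck at SPF permerror or at p=none. The four records at the bottom are constructed for the example; the lookup limit and the three DMARC policies are the ones the text describes.

```python
"""Sanity-check the SPF and DMARC TXT records a domain publishes.

Added example, not Folio's code. The records at the bottom are constructed.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list:
    """Return a list of problems with an SPF record (empty list means it looks sane)."""
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    terminal = None
    for term in terms[1:]:
        body = term.lstrip("+-~?")                       # strip the qualifier
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("ptr is deprecated and slow; list the sending hosts explicitly")
        if name == "all":
            terminal = term
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; receivers stop at 10 and return permerror")
    if terminal is None:
        problems.append("no terminating 'all' term; unlisted senders are neither passed nor failed")
    elif terminal.startswith("+") or terminal == "all":   # bare 'all' defaults to '+'
        problems.append("'+all' authorizes every host on the internet to send as you")
    return problems


def check_dmarc(record: str) -> dict:
    """Parse a DMARC record into its tags and say whether it actually enforces anything."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if not record.strip().lower().startswith("v=dmarc1"):
        return {"valid": False, "policy": None, "enforcing": False,
                "problems": ["record must begin with v=DMARC1"]}
    policy = tags.get("p", "").lower()
    problems = []
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none only monitors; move to quarantine, then reject, once reports are clean")
    pct = tags.get("pct", "100")
    if policy != "none" and pct != "100":
        problems.append(f"pct={pct}: the policy applies to only that share of failing mail")
    if "rua" not in tags:
        problems.append("no rua= address; you won't receive the aggregate reports needed to tighten safely")
    return {"valid": True, "policy": policy,
            "enforcing": policy in ("quarantine", "reject") and pct == "100",
            "problems": problems}


# Constructed records (not real domains).
WEAK_SPF = "v=spf1 include:_spf.mailer.example a mx ptr +all"
GOOD_SPF = "v=spf1 include:_spf.mailer.example mx -all"
MONITOR_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s"

if __name__ == "__main__":
    for label, rec in (("weak SPF", WEAK_SPF), ("good SPF", GOOD_SPF)):
        print(label, check_spf(rec) or "ok")
    for label, rec in (("monitor DMARC", MONITOR_DMARC), ("enforced DMARC", ENFORCED_DMARC)):
        print(label, check_dmarc(rec))
```

The DMARC half mirrors the “clean window” advice: a record at p=none is reported as valid but not enforcing, and a record at p=reject with a pct below 100 is flagged, since only that fraction of failing mail is actually rejected.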
Frequently asked
What does it mean when an email I received fails SPF, DKIM, or DMARC?
It means the message could not prove it came from the domain in its From address. DMARC fail is the strongest warning — it indicates the message wasn’t authenticated as the domain it appears to be from, which is what a spoof produces. SPF or DKIM failing alone can also happen to genuine mail that was forwarded or modified in transit, so read them together with DMARC.
Is an email dangerous if it fails authentication?
Not always, but treat it with suspicion. A DMARC fail on a bank or major brand is almost certainly forged. An SPF fail with a DKIM pass is usually a forwarded but genuine message. If everything fails and the message is urgent or asks for money or credentials, it’s very likely phishing — the failure is the tell.
Why does legitimate email sometimes fail SPF or DKIM?
Forwarding and mailing lists route mail through servers the original domain never authorized, which breaks SPF, and list footers or gateways that modify the body break the DKIM signature. That’s why neither alone is conclusive. DMARC alignment, and a careful inbox that fails open on merely-missing authentication, prevent honest senders from being treated as forgers.
Where do I see SPF, DKIM, and DMARC results on a message?
In the raw headers, on the Authentication-Results line. In Gmail, open the message, click the three-dot menu, and choose Show original. Outlook and Apple Mail expose the same through view source or message headers. An inbox that enforces authentication will also summarize the result in plain language so you don’t have to read headers.
How do I stop unauthenticated email from reaching me?
Use a mail provider that enforces these checks and files mail that fails authentication to Spam on arrival, rather than delivering it with a warning. That removes the judgment call from you and keeps forgeries out of the inbox, while still letting honest-but-misconfigured senders through when authentication is merely missing rather than failing.