DMARC (Domain-based Message Authentication, Reporting and Conformance) is implemented by organizations that need additional assurance that mail carrying their domain in the From header is not forged or spoofed.
A published DMARC policy tells receiving servers what to do with messages that fail authentication, which blunts forged transmissions used in phishing and email spam.
Unfortunately, legitimate emails can also fail DMARC validation, producing a bounce that says "email rejected per DMARC policy", which is a bad experience for the user.
Some things that could cause this are:
- SPF records not being implemented correctly (the server that actually sends the mail is not authorized)
- DKIM not working as expected (no signature, or a signature for a different domain)
- DNS records not being set up correctly
- The domain in the visible From header not aligning with the domain that SPF or DKIM authenticated
Let’s study the reasons that can cause the receiving servers to return the “email rejected per DMARC policy” error at length, in our next section.
Email Rejected per DMARC Policy: The Reasons & Their Troubleshooting
Do you receive messages indicating “email rejected per DMARC policy”? Learn the root cause of this issue and how you can troubleshoot it.
Reason 1: No DKIM signature (or no DKIM key record) for your domain.
DMARC passes when either SPF or DKIM passes and the authenticated domain aligns with the domain in the From header. Without a DKIM signature for your domain the result rests on SPF alone, and SPF breaks as soon as the mail is forwarded or relayed through a server you do not list.
A DKIM signature lets the receiver verify that the message was signed with a key published under your domain name and that the signed headers and body were not altered in transit, rather than coming from an impostor using your domain.
Therefore, the domain you send from should publish a DKIM key record, and your mail server should sign outgoing messages with the matching private key, for emails to reliably pass the DMARC check and be delivered to the user.
How To Troubleshoot?
You can troubleshoot "email rejected per DMARC policy" by setting up and enabling DKIM signing for your domain.
When DKIM is enabled, your domain's mail server computes a digital signature over selected headers and the body of every message it sends, using a private key that never leaves the server, and appends it as a DKIM-Signature header.
The receiver reads the selector (s=) and domain (d=) from that header, fetches the public key from the TXT record at selector._domainkey.domain, and uses it to verify the signature. Nothing is decrypted, and the receiver needs no private key of its own.
To set up DKIM authentication, you'll need to follow these steps:
1. Generate an RSA key pair for DKIM (2048-bit keys are the usual choice today). Only the public key is ever published in DNS; the private key stays on the signing mail server.
- If your email provider signs for you, it generates the pair and shows you the public key (or the exact TXT record) in its admin console.
- If you don't have one yet, you can generate it using a tool like the DKIM Record Generator Tool. Treat a key pair produced by any online tool as having been seen by a third party; if you run your own mail server, generate the pair on that server instead (for example with openssl).
2. Go to your DNS settings. Create one TXT record at <selector>._domainkey.<yourdomain> that contains the public key. This is the DKIM record; the private key is never placed in DNS.
For a selector named s1 this will look something like this:
s1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=[public key]"
3. Set up your email software to use DKIM signatures when sending mail from your domain. (You may need to consult your email service provider).
OR,
Alternatively, a message that passes SPF with an aligned domain also passes DMARC, so fixing SPF alone can clear the error. In practice you want both: SPF fails when the mail is forwarded, while a DKIM signature survives forwarding.
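The three steps above come down to one DNS record whose owner name is selector._domainkey.domain and whose value is the base64 body of the public key. The following is an added example, not PowerDMARC's code or tooling: it turns a PEM public key into that record, splits the value into 255-byte strings (a 2048-bit key is too long for a single TXT string), and parses a published record back. The selector s1, the domain example.com and the PEM body are assumptions; the PEM body is constructed placeholder bytes, not a real key, so it only exercises the string handling.

```python
import base64
import re

# Constructed sample, NOT a real key: placeholder bytes that merely start like
# a DER SubjectPublicKeyInfo (0x30 0x82 ...). A real public key comes from
# `openssl rsa -in dkim.key -pubout` and looks the same, only longer.
_FAKE_DER = bytes([0x30, 0x82, 0x01, 0x22]) + bytes(range(256)) + bytes(range(40))
SAMPLE_PUBLIC_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(_FAKE_DER).decode()))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_to_dkim_p(pem: str) -> str:
    """Strip the PEM armor and line breaks; what remains is the DKIM p= value."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    p = "".join(body)
    der = base64.b64decode(p, validate=True)   # must be well-formed base64
    if der[:1] != b"\x30":                      # DER SubjectPublicKeyInfo starts with SEQUENCE
        raise ValueError("not a DER-encoded public key")
    return p


def dkim_txt_record(selector: str, domain: str, pem: str) -> tuple[str, list[str]]:
    """Return (owner name, TXT strings) for the DKIM key record.
    Only the PUBLIC key goes here; the private key stays on the signing host."""
    value = f"v=DKIM1; k=rsa; p={pem_to_dkim_p(pem)}"
    # TXT RDATA is a sequence of <character-string>s of at most 255 bytes each;
    # a 2048-bit key (~390 chars of base64) therefore has to be split, or some
    # DNS providers refuse the record. Receivers concatenate the strings.
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}.", chunks


def zone_line(selector: str, domain: str, pem: str) -> str:
    """Zone-file form of the record, e.g. for a BIND-style DNS host."""
    name, chunks = dkim_txt_record(selector, domain, pem)
    return f"{name} IN TXT " + " ".join(f'"{c}"' for c in chunks)


def parse_dkim_record(txt: str) -> dict:
    """Parse a published DKIM TXT value (strings already joined) into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        raise ValueError("not a DKIM key record")
    if tags["p"] == "":
        raise ValueError("key revoked (empty p=)")   # RFC 6376: empty p= means revoked
    return tags


if __name__ == "__main__":
    print(zone_line("s1", "example.com", SAMPLE_PUBLIC_PEM))
    name, chunks = dkim_txt_record("s1", "example.com", SAMPLE_PUBLIC_PEM)
    print(name, "->", len(chunks), "TXT strings")
```

Compare the owner name the script prints with the record at your DNS host: the most common DKIM mistake after "private key in DNS" is publishing the key at the bare domain instead of under _domainkey.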
Reason 2: The SPF record does not authorize the server that actually sends the mail (an alias or "send as" address).
When you send with your domain in the From header through another provider's servers, as happens with an alias or a "send mail as" address, the receiver looks up your domain's SPF record and does not find that provider's servers in it. SPF fails, and unless the message carries a DKIM signature for your domain, DMARC fails with it and the receiver applies your policy.
For example, if you own john@example.com and send as that address through a Gmail account such as johndoe@gmail.com, the mail leaves Google's servers, which example.com's SPF record does not list, so it is rejected when example.com publishes p=reject.
How To Troubleshoot?
Adding the provider's SPF include to your domain's SPF record is a simple process. But it's important to make sure you do it correctly: a domain may have only one SPF record, and the whole record may cause no more than 10 DNS lookups.
1. First, you need to get the correct SPF include for the provider you send through.
For example, if you are sending through Gmail you can find Google's include in Google's developer documentation; the record Google publishes for a domain that sends only through Google is:
v=spf1 include:_spf.google.com ~all
If you are using Outlook or Yahoo as your email provider, then you need to add their includes to your domain's SPF record instead. You can find these in their documentation or by searching for them online. We have listed some suggestions for a few major providers below:
Email rejected per DMARC policy for zoho.com
To troubleshoot this error you need to set up SPF, DKIM, and DMARC for Zoho using the specifications Zoho explicitly publishes, all of which are covered in articles on our solutions page.
Zoho support also recommends trying to send emails only through Zoho Webmail or from an Authenticated SMTP server to prevent email rejections.
Email rejected per DMARC policy for yahoo.co.uk
You can come across this message due to the following reasons as listed by Yahoo support:
- You’re sending emails from an unauthenticated server
- You have not included yahoo.co.uk as an authorized sending source in your domain’s SPF record
You can easily troubleshoot this error by making the respective modifications to your DNS records.
2. Now go to the DNS management tool of your domain registrar or DNS host and look for the TXT record at the domain itself (the apex, shown as @ or as the bare domain name) that begins with v=spf1. That is your domain's SPF record; names such as _spf.google.com belong to the providers, not to you.
3. Now add the provider's include mechanism (that you copied in Step 1) to that existing record, before the final all term, rather than creating a second v=spf1 record. Two SPF records on one domain produce a permanent error, which receivers treat as an SPF failure.
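Steps 2 and 3 are where SPF repairs go wrong in practice: a second v=spf1 record, an include pasted after the all term, or an eleventh DNS-lookup mechanism all turn a working record into a permanent error. The following is an added example, not PowerDMARC's code: it picks the single SPF record out of a domain's TXT records, inserts a provider include before all, refuses duplicates, and counts lookup mechanisms against the RFC 7208 limit. The TXT records in EXAMPLE_TXT are constructed (documentation IP range 203.0.113.0/24 and a hypothetical include _spf.mailer.example); _spf.google.com is the include quoted above.

```python
# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed example: the TXT records currently published at the apex of
# example.com. Only one of them is the SPF record.
EXAMPLE_TXT = [
    "google-site-verification=abc123",
    "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
]


def select_spf_record(txt_records: list[str]) -> str:
    """Return the one SPF record among a domain's TXT records.
    Zero or several v=spf1 records is a permerror (RFC 7208 section 4.5),
    which a DMARC evaluator treats as SPF not passing."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one v=spf1 record, found {len(spf)}")
    return spf[0]


def _term_name(term: str) -> str:
    """'include:_spf.google.com' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    term = term.lstrip("+-~?")
    return term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()


def count_lookups(record: str) -> int:
    """Number of lookup-causing terms; ip4/ip6/all are free."""
    return sum(1 for t in record.split()[1:] if _term_name(t) in LOOKUP_TERMS)


def add_include(record: str, provider_domain: str) -> str:
    """Insert include:<provider_domain> before the all term, idempotently,
    and refuse the edit if the record would exceed the lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    new = f"include:{provider_domain}"
    if new in terms:
        return record                       # provider already authorized
    all_idx = next((i for i, t in enumerate(terms) if _term_name(t) == "all"), None)
    if all_idx is None:
        terms.append(new)                   # no all term: keep order, append
    else:
        terms.insert(all_idx, new)          # anything after all is never evaluated
    merged = " ".join(terms)
    if count_lookups(merged) > MAX_LOOKUPS:
        raise ValueError(f"{count_lookups(merged)} lookups exceed {MAX_LOOKUPS}: "
                         "receivers would return permerror")
    return merged


if __name__ == "__main__":
    current = select_spf_record(EXAMPLE_TXT)
    print("before:", current)
    print("after: ", add_include(current, "_spf.google.com"))
```

Publish the merged string as the replacement value of the existing TXT record, not as a new record; if the lookup count is close to ten, flatten or remove includes for services you no longer send through before adding another.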
Reason 3: The 'FROM' domain does not align with the authenticated domain.
DMARC compares the domain in the visible From header with the domain that SPF authenticated (the Return-Path, or MAIL FROM, domain) and with the domain in the DKIM signature (d=). If neither authenticated domain matches, the message fails DMARC even when SPF and DKIM themselves pass, and the receiver treats it as spoofed.
For this message to be delivered successfully, you will need to send from an address whose domain matches what your provider authenticates, which you set on the email provider's settings page.
As an alternative, keep the 'FROM' address on your own, properly authenticated domain and put the other address in 'REPLY-TO'. DMARC never inspects Reply-To, so replies still reach the address you want without the message being rejected by the recipient's email service provider.
How To Troubleshoot?
To resolve this issue, you will need to update your 'FROM' field to use your brand's email address on a domain that your sending service authenticates. You can do so by updating your configuration settings in your email account.
For example, if you are using Gmail to send as your brand's address, then you need to follow these steps:
- Open Gmail's Settings, go to the "Accounts" tab and find "Send mail as".
- Add your brand's address there and send it through your own domain's SMTP server with its credentials, rather than through Gmail's servers, so that the Return-Path and the DKIM signature come from your domain.
- Choose that address in the From field when you compose.
- Send yourself a test message and open it with "Show original": the Authentication-Results line should show SPF or DKIM passing for your domain and DMARC passing.
- You should now be able to send out emails through Gmail without them being rejected with "email rejected per DMARC policy".
Here's an example in PHP, with the From header on your own domain and the reply address elsewhere (each header ends with CRLF):
$headers = 'From: user@example.com' . "\r\n" .
           'Reply-To: user@gmail.com' . "\r\n" .
           'X-Mailer: PHP/' . phpversion();
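The alignment rule behind Reason 3, and the alias rejection of Reason 2, can be walked through with a small evaluator. The following is an added example, not PowerDMARC's code or a receiver's actual implementation: it parses a DMARC record, checks the From domain against the SPF-authenticated (Return-Path) domain and each DKIM d= domain under strict or relaxed alignment, and returns the disposition the policy asks for. The DMARC record, the scenarios and the tiny public-suffix set are constructed; real receivers use the full Public Suffix List to find the organizational domain.

```python
# Stand-in for the Public Suffix List; a constructed subset for this example.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: example.com for mail.example.com,
    example.co.uk for mail.example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r', the default): same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record: str, from_addr: str, spf_result: str,
                   mail_from_domain: str, dkim_results: list) -> tuple:
    """record: TXT found at _dmarc.<org domain of the From address>
    spf_result: 'pass' or anything else; mail_from_domain: Return-Path domain
    dkim_results: [(d= domain, 'pass' or 'fail'), ...] per DKIM-Signature
    Returns (dmarc_result, disposition, explanation)."""
    tags = parse_dmarc(record)
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")

    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim)
                  for d, res in dkim_results)
    if spf_ok or dkim_ok:
        via = "SPF" if spf_ok else "DKIM"
        return "pass", "none", f"{via} passed with a domain aligned to {from_domain}"

    # Neither identifier aligned: apply p= (or sp= when From is a subdomain).
    policy = tags["p"]
    if from_domain != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    signed = [d for d, _ in dkim_results] or "no signature"
    why = (f"SPF {spf_result} for {mail_from_domain}, DKIM {signed}; "
           f"nothing aligns with {from_domain}")
    return "fail", policy, why


# Constructed policy and scenarios (not fetched from DNS).
EXAMPLE_POLICY = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.com"

# 1) john@example.com sent through a Gmail "send as" alias: the alias provider
#    authenticates only its own domain, so nothing aligns with example.com.
ALIAS_CASE = ("john@example.com", "pass", "gmail.com", [("gmail.com", "pass")])
# 2) Same From, DKIM-signed with d=example.com and then forwarded, so SPF
#    fails for the forwarder's domain: the aligned DKIM pass carries DMARC.
FORWARDED_CASE = ("john@example.com", "fail", "fwd.example.net",
                  [("example.com", "pass")])

if __name__ == "__main__":
    for case in (ALIAS_CASE, FORWARDED_CASE):
        print(evaluate_dmarc(EXAMPLE_POLICY, *case))
```

The first scenario is exactly the "email rejected per DMARC policy" bounce: both SPF and DKIM pass, but for gmail.com, not for the From domain. Fixing it means making one of the two identifiers yours, either by relaying through a server in example.com's SPF record with an example.com Return-Path, or by signing with d=example.com.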
More Information
When we talk about an email bounce in this article, we usually mean a message returned to the sender because the receiver rejected it under DMARC policy. But there are several other reasons an email might fail to arrive.
Email Bounces
Email bounces are a common problem: the recipient's mailbox is full or temporarily unavailable (soft bounce), or the address doesn't exist (hard bounce). In either case your email is returned to you with an error message.
Emails Sent To The Spam Folder
When you send an email, it passes through one or more servers before reaching its destination. Each receiving server examines the message for spammy characteristics before accepting it or passing it on. If a server finds enough of them, it will either reject the message outright or deliver it to the spam folder.
Many spam filters also look at engagement: how often a sender's messages are opened and how recipients react to them. If your message is being sent to 100 people who have never opened anything from you before, that's a red flag. If people who used to open your mail suddenly stop, that's another red flag. And if your unsubscribe link is at the bottom of an email and not easy to find, that's also a red flag.
So how can you ensure your emails are not classified as spam?
First, make sure that everyone on your list has actually asked to receive your mail. You should also avoid sending out large batches of messages all at once. Wait at least 24 hours between each batch, so that your contacts have an opportunity to open them.
Second, make sure your unsubscribe link is visible in every email you send. So recipients can easily click away from unwanted messages without having to hunt around for them.
Conclusion
The key takeaway is that if you want your emails to be received properly by recipients, you need to make sure that they comply with your domain's DMARC policy. The good news is that it's not hard to do. Make sure your mail is DKIM-signed with a published key record, update the SPF record whenever you add a sending service, and make sure the 'FROM' domain aligns with the domain that SPF or DKIM authenticates.
And if you need assistance with setting up your records or just want to make sure everything looks good for your domain, we’ve got you covered! Sign up for a free DMARC trial with PowerDMARC and leave the rest of your implementations, monitoring, and management to us!