A sampling of DMARC rejection examples


My loss is your gain! I accidentally fumbled my DMARC record temporarily – locking everything down just a little too well for one of my domains – and then I sent an email to my test list.

If you’ve got your domain’s DMARC policy set to “p=reject” and you don’t have SPF and DKIM configured properly, you’re going to see a lot of rejections from different mailbox providers.

And that’s exactly what happened to me. Which allows me to now share with you examples of DMARC rejections, what they look like from Gmail, Yahoo, Microsoft, Apple and Comcast.

Gmail: <xxx@gmail.com>: host gmail-smtp-in.l.google.com[142.251.163.26] said:
550-5.7.26 Unauthenticated email from aliverson.com is not accepted due to 
550-5.7.26 domain's DMARC policy. Please contact the administrator of 
550-5.7.26 aliverson.com domain if this was a legitimate mail. To learn about 
550-5.7.26 the DMARC initiative, go to 
7-xyz.88 - gsmtp (in reply to end of DATA command)

Yahoo: <xxx@yahoo.com>: host mta5.am0.yahoodns.net[98.136.96.75] said:
554 5.7.9 Message not accepted for policy reasons. See
https://senders.yahooinc.com/error-codes (in reply to end of DATA command)

Microsoft: <xxx@outlook.com>: host
outlook-com.olc.protection.outlook.com[52.101.9.1] said:
550 5.7.509 Access denied, sending domain [ALIVERSON.COM] does not
pass DMARC verification and has a DMARC policy of reject.
[SN7PR13MB6083.namprd13.prod.outlook.com
2024-04-16T14:40:38.687Z 08DC5BFD8763316E]
[MN2PR18CA0015.namprd18.prod.outlook.com 2024-04-16T14:40:38.708Z
XYZ] [BL6PEPF0001AB57.namprd02.prod.outlook.com
2024-04-16T14:40:38.698Z ABC] (in reply to end of DATA command)

Apple: <xxx@icloud.com>: host mx02.mail.icloud.com[17.57.154.33] said:
554 5.7.1 Your message was rejected due to aliverson.com's DMARC policy.
(in reply to end of DATA command)

Comcast: <xxx@comcast.net>: host mx1.mxge.comcast.net[96.102.18.148] said: 
550 5.2.0 xyz Message rejected due to DMARC. Please see
(in reply to end of DATA command)

If you’re seeing these error messages yourself, and you’re stumped by them, here’s what you need to do.
  1. Make sure you’ve got DKIM authentication in place and that you’ve properly configured an SPF record for your domain.
  2. Make sure that the domain you’re using for SPF or DKIM “aligns” with (is part of the domain domain as) your “visible from” domain. Authentication without alignment – authenticating with some random domain that isn’t your from domain – isn’t best practice in 2024.
  3. Review the Yahoo/Google requirements and make sure you are in compliance with all of them.
  4. Test this by sending to a tester tool like aboutmy.email to confirm that you've fixed everything.
Never fear; while DMARC configuration can be tricky, don't assume that just because I fumbled that it'll be even harder for you. I purposely poke at things and try different configurations, sometimes breaking things on purpose, and sometimes just moving too fast for my own good, across my 150+ domains. Don't assume that my failure will be your failure, just because I got caught running with scissors.
Post a Comment

Comments