Authentication Troubleshooting
Finding and fixing authentication failures
The Authentication Troubleshooting section breaks down which specific email sources are causing your compliance rate to fall. It's the fastest way to find what needs fixing and understand why emails are failing DMARC.
Priority Levels
Critical: Both SPF and DKIM are failing, and this source sends high volume. Fix these first — they are responsible for the largest share of non-compliant email.
High: One of SPF or DKIM is failing on a high-volume source. Partially authenticated but still dragging down your pass rate.
Authentication issues on a lower-volume source. Worth fixing, but less urgent than Critical and High issues.
What Each Failure Pattern Means
| SPF | DKIM | DMARC Result | How to Fix |
|---|---|---|---|
| Fail | Fail | Fail | Approve the source in SPF Management and enable DKIM in the sender's settings. If the source is unrecognised, reject it. |
| Fail | Pass | Pass | DMARC passes via DKIM — no immediate action needed, but consider approving the source in SPF for redundancy. |
| Pass | Fail | Pass | DMARC passes via SPF — but enable DKIM for the sender to give you redundancy if SPF changes. |
| Pass | Pass | Pass | Fully authenticated. No action needed. |
How to Fix Common Issues
Source not in SPF (SPF Fail)
Go to SPF Management, find the source, and check Include in SPF. The managed SPF record updates automatically within seconds.
DKIM not configured (DKIM Fail)
Enable DKIM signing in your email provider's settings. Common providers: Google Workspace (Admin Console → Apps → Gmail → Authenticate Email), Microsoft 365 (Exchange Admin → Protection → DKIM). For other providers, search "[provider name] DKIM setup".
DKIM key expired or rotated
Your DKIM DNS record may be outdated. Check the DKIM page for your domain and look for selectors flagged as missing or invalid. Re-generate keys in your email provider and update the DNS record.
Focus on Volume, Not Count
One high-volume failing source can lower your compliance rate more than 20 low-volume sources combined. Always fix the highest-volume Critical issues first.
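The triage described above can be reproduced from a raw DMARC aggregate report (RFC 7489 XML). The following is an added example, not code from the product this page describes: it sums volume per source and failure pattern, assigns a priority level, and lists issues with the highest volume first. The 1000-message cutoff, the name "Lower" for the lower-volume level, and the sample report are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: minimal RFC 7489 aggregate report using documentation IPs.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>4200</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>2600</count>
<policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.5</source_ip><count>40</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>192.0.2.10</source_ip><count>300</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.99</source_ip><count>900</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

HIGH_VOLUME = 1000  # assumed cutoff; the page does not define "high volume"

def priority(spf, dkim, volume, high_volume=HIGH_VOLUME):
    """Map one failure pattern and its volume to a priority level."""
    failures = [spf, dkim].count("fail")
    if failures == 0:
        return None                    # fully authenticated, no action needed
    if volume < high_volume:
        return "Lower"                 # assumed name for the lower-volume level
    return "Critical" if failures == 2 else "High"

def triage(report_xml, high_volume=HIGH_VOLUME):
    """Sum volume per (source, SPF, DKIM) and list failing sources by volume."""
    volume = Counter()
    # Reports arrive from third parties: enforce a size limit before parsing.
    for row in ET.fromstring(report_xml).iter("row"):
        pe = row.find("policy_evaluated")
        key = (row.findtext("source_ip"), pe.findtext("spf"), pe.findtext("dkim"))
        volume[key] += int(row.findtext("count"))
    issues = []
    for (ip, spf, dkim), count in volume.most_common():  # highest volume first
        level = priority(spf, dkim, count, high_volume)
        if level:
            # DMARC passes when either aligned mechanism passes.
            dmarc = "pass" if "pass" in (spf, dkim) else "fail"
            issues.append((level, ip, count, spf, dkim, dmarc))
    return issues

if __name__ == "__main__":
    for issue in triage(SAMPLE_REPORT):
        print(*issue)
```

The `policy_evaluated` values are the aligned SPF and DKIM results the receiver used for its DMARC decision, which is why the DMARC column follows directly from them.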