
Why did an email sent by a third-party vendor pass SPF/DKIM checks but fail the DMARC check?

Brad Slavin, General Manager
Updated May 23, 2025

Quick Answer

An email can pass SPF and DKIM individually but still fail DMARC because DMARC adds identifier alignment on top. SPF checks the RFC5321.MailFrom domain and DKIM checks its d= signing domain, but DMARC requires that one of those domains also align with the visible From-header domain. In strict mode the domains must match exactly; in relaxed mode they only need to share an organizational domain. So if a vendor sends as manufacturernewsletter.com on behalf of manufacturer.com, SPF and DKIM can pass against the vendor domain while DMARC fails because nothing aligns with the From-header. Fix it by signing with a DKIM key under your own domain (vendor handles a CNAME) or by setting the Return-Path to a subdomain of yours that authorizes the vendor in SPF.

DMARC helps prevent spoofed emails from bypassing spam filtering, but it’s just one part of a broader anti-spam strategy. Not all DMARC reports are equal; some show detailed recipient responses, while others only indicate success or failure. Understanding why a message failed is as important as knowing if it did.

When SPF is used, the receiver looks up the SPF record for the domain in the RFC5321.MailFrom address (also called the “Return-Path”). After a successful SPF check, the receiver gets an “Authenticated Identifier,” which is the RFC5321.MailFrom domain.

This article will explore why DMARC fails for third-party email senders.

Why does DMARC fail for emails sent by third-party vendors?

If third-party vendors associated with your business need to send emails on your behalf, you must enable SPF, DKIM, and DMARC for your email-sending domain. There are two ways to do this: either you ask your vendor to handle email authentication on your behalf, or you handle everything yourself.

If emails sent from Gmail are failing the DMARC check, check your SPF record to see whether you have included _spf.google.com. Without it, receiving servers may not recognize Gmail as your authorized sending source, causing emails to fail the DMARC check.

We have listed below another possible reason for this failure.

Identifier alignment issue

Identifier alignment is a relatively new DMARC element that requires the domain in the ‘From’ header of an email to match or align with the domain used in the SPF and/or DKIM authentication checks. There are two alignment modes: strict and relaxed.

If you have applied strict alignment, the domain in the “From” header must match exactly the domain in the SPF “Mail From” or the DKIM “d=” tag.

With relaxed alignment, the two domains only need to share the same organizational domain, so the domain in the “From” header can be a subdomain of the domain used in SPF or DKIM, or vice versa.

Identifier alignment is necessary because anyone can set up SPF and DKIM for a domain they control.

For example, a threat actor could create the domain personal.net to spoof emails from manufacturer.com, and even if SPF and DKIM pass, it doesn’t mean the email is genuinely from manufacturer.com.

Email receivers can’t keep track of which domains are associated with each other—they need to process emails quickly without figuring out the details. For instance, if your email service provider uses “manufacturernewsletter.com” for SPF and DKIM while sending emails for manufacturer.com, receivers can’t tell if manufacturernewsletter.com is legitimate, a phishing site, or related to manufacturer.com.

Identifier alignment ensures that the SPF and DKIM results actually relate to the domain shown in the email’s “From” header.
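The alignment rule described above, written out as an added Python example (not code from the original article). It assumes a small hard-coded suffix set in place of the real Public Suffix List, uses the DMARC tag names `aspf` and `adkim` for the alignment modes, and the `bounce` subdomain is hypothetical.

```python
# Added example, not from the original article.
# ASSUMPTION: PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public
# Suffix List that receivers consult to find an organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain = public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest suffix first: "co.uk" before "uk"
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels

def aligned(from_domain, auth_domain, mode):
    """mode "s" = strict (exact match); "r" = relaxed (same org domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf/dkim are (result, domain) pairs as evaluated by the receiver.
    DMARC passes if at least one mechanism passed AND aligns with From."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

FROM = "manufacturer.com"              # visible From-header domain
VENDOR = "manufacturernewsletter.com"  # vendor's own domain
# Constructed scenarios: SPF and DKIM "pass" in every one of them.
CASES = {
    # Vendor authenticates only under its own domain: nothing aligns.
    "vendor_default": dmarc_result(FROM, ("pass", VENDOR), ("pass", VENDOR)),
    # Fix 1: DKIM signature uses a key published under manufacturer.com.
    "dkim_own_domain": dmarc_result(FROM, ("pass", VENDOR), ("pass", FROM)),
    # Fix 2: Return-Path on a subdomain (hypothetical "bounce" label).
    "returnpath_relaxed": dmarc_result(
        FROM, ("pass", "bounce." + FROM), ("pass", VENDOR)),
    # Same message under aspf=s: a subdomain is not an exact match.
    "returnpath_strict": dmarc_result(
        FROM, ("pass", "bounce." + FROM), ("pass", VENDOR), aspf="s"),
}

if __name__ == "__main__":
    for name, result in CASES.items():
        print(f"{name:20} {result}")
```

When reading an aggregate report, the same comparison applies: look at the SPF and DKIM domains the receiver recorded next to the From-header domain, not only at the pass/fail results.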

We can help

We at DuoCircle are dedicated to bolstering email security for domain owners so that they can avoid email-based cyber threats. Contact us to avoid DMARC failures caused by mistakes or genuine technical issues. We take care of everything for you.

Brad Slavin, General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.