This guide helps you troubleshoot various issues related to setting up and using a DMARC policy with your email service.

Refer to this other guide if you encounter a DMARC problem specifically when using Google services.

DMARC error or rejection...

...during a redirection, even though the initial destination address received the message (SPF error)

Email redirection without SRS generating an SPF error

Imagine that you have configured an email redirection from the address "user@example2.com" to the address "user@yourdomain3.com", without using the SRS mechanism. When a message is sent to "user@example2.com", it is received by the first email server and then automatically forwarded to "user@yourdomain3.com". Example:

• sender: john.doe@gmahoo1.com
• initial recipient: user@example2.com
• final destination: user@yourdomain3.com

In simplified terms: when John sends an email to "user@example2.com", the "example2.com" email server redirects it to "user@yourdomain3.com". The destination server therefore receives the message from the "example2.com" servers, while the sender's envelope address still indicates "john.doe@gmahoo1.com".

In detail: during the redirection, the recipient's envelope address is replaced with "user@yourdomain3.com", but the sender's envelope address remains "john.doe@gmahoo1.com". The sender's address visible in the message also remains unchanged.

The SPF check may then fail because the "example2.com" servers are not normally authorized by the SPF record of "gmahoo1.com" to send messages for that domain.

An SPF error, however, does not always result in a DMARC failure. DMARC only fails if no valid SPF or DKIM mechanism is aligned with the domain of the sender's visible address. If the original DKIM signature is missing, invalid, or not aligned, the DMARC policy of the sending domain may then cause the message to be quarantined or rejected.

To prevent SPF from failing solely due to redirection, the provider performing the redirection must support the SRS mechanism.

How redirections work at Infomaniak

When an email received by an Infomaniak address is redirected to another address, Infomaniak uses SRS to rewrite the sender's envelope address. The sender's address visible to the recipient remains unchanged.

This rewriting allows the destination server to verify that the Infomaniak server performing the redirection is authorized to use the new envelope address. SRS does not modify the original DKIM signature and does not, on its own, guarantee DMARC validation. In the context of a redirection, DMARC can be validated, in particular, if the original DKIM signature remains valid and aligned.

...related to an incorrect DNS entry

The DMARC record must be published as a single TXT record on the "_dmarc" subdomain of the domain in question.

Malformed DMARC Record: if the DMARC record is not correctly formatted, it may be considered invalid. Check the syntax, semicolons, tags used, and their values.

Invalid DMARC Policy: the value of the main "p" tag must be "none", "quarantine", or "reject". Any other value renders the DMARC policy invalid.

Multiple DMARC records: a domain should only have one TXT DMARC record. If multiple records are published on the "_dmarc" subdomain, the configuration is considered invalid, and the policy cannot be applied correctly.

Combine all necessary DMARC settings into a single TXT record.

Check your current DMARC entry using a dedicated tool, such as the ones below:

• https://dmarcadvisor.com/dmarc-check
• https://mxtoolbox.com/dmarc.aspx

...related to an email that fails to validate any aligned SPF or DKIM mechanism

DMARC does not require both SPF and DKIM to be valid. DMARC verification succeeds as long as at least one of these two mechanisms is valid and aligned with the sender's address domain.

A DMARC error or rejection can therefore occur when neither SPF nor DKIM validates a domain aligned with the sender's domain.

This can happen, for example, if you send an email with your Infomaniak address using the SMTP server of another provider. The server used may not be authorized by your domain's SPF record and may not apply a valid DKIM signature for that same domain.

To resolve this issue:

• Check the overall security of the Mail Service,
• use Infomaniak's SMTP servers to send messages from an Infomaniak address,
• if you are using an external sending service, configure your domain with that provider so that it properly supports SPF, DKIM, and their DMARC alignment.

Messages from a newly created domain are arriving in the spam folder

This behavior does not necessarily indicate a DMARC error. A newly created domain has little or no sending history, and its reputation is therefore not yet established with the various email providers.

Start by sending a small volume of legitimate messages to consenting recipients, then gradually increase the number of sends. Also, make sure that SPF, DKIM, and DMARC are configured correctly and avoid sudden or large-scale sends.

Sending messages to yourself can help test the configuration and mark a message as legitimate in the recipient's inbox. However, this is not enough to establish a general reputation with other email providers.

Successful SPF, DKIM, and DMARC checks do not guarantee that messages will be delivered to the inbox. Providers also take into account the reputation of the domain and sending servers, the volume of messages, their content, and the recipients' reactions.

I'm sending an email from my Infomaniak address and I'm receiving a "Reject DMARC" error message.

To resolve this issue:

• Check the overall security of the Mail Service,
• perform a test send from the Webmail mail.infomaniak.com,
• check the server settings of the software or email client, including the SMTP server used and the authentication of the sending address.

If the message is sent correctly from the Webmail, the problem is likely due to the configuration of the email software or the external SMTP server used for sending.

I'm sending an email from an external address (Microsoft, Google, Yahoo, Orange, etc.) and Infomaniak rejects it with a DMARC error.

The message probably does not comply with the DMARC policy published by the sender's domain. This may mean that SPF and DKIM have failed or that they are not aligned with the visible sender address.

To resolve this issue:

• Check with the sending address provider that messages are being sent in accordance with their recommendations.
• Forward the complete error message to the sending domain provider or administrator so they can check the SPF, DKIM, and DMARC configurations.

I want to receive an email on my Infomaniak address, but the sender is receiving a DMARC error

The message was blocked because it did not comply with the DMARC policy published by the sender's domain. The configuration of the recipient Infomaniak account does not allow for correcting an authentication error originating from the sender's domain.

To resolve this issue:

• Ask the sender to forward the complete error message to their email provider or domain administrator so that the SPF, DKIM, and DMARC configurations can be checked.
• If the Infomaniak address forwards messages to another address, also check at which stage of the redirection the rejection is generated.