Authentication‑Results troubleshooting
Authentication‑Results (AR) tells you exactly how a receiver evaluated SPF, DKIM and DMARC for a message. Learn to extract identities (envelope From, DKIM d=, Header From), compute alignment, and pinpoint why DMARC did or did not pass.
Quick check
Paste headers or upload a .eml — the tool normalizes folds and selects the authoritative AR.
Core fields in AR
- SPF:
spf=verdict andsmtp.mailfrom= - DKIM:
dkim=verdict plusheader.d/header.iand selectorheader.s - DMARC:
dmarc=verdict andheader.from=
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of return@mail.example.com designates 203.0.113.1 as permitted sender) smtp.mailfrom=return@mail.example.com;
dkim=pass header.i=@mail.example.com header.d=mail.example.com header.s=s1;
dmarc=pass (p=REJECT sp=REJECT) header.from=example.comMessy realities
- Headers are often folded across lines — unfold before parsing.
- Multiple AR lines can exist; use the receiving system’s AR, not intermediate hops.
- Providers may use slightly different keys — normalize aliases when parsing.
Normalization rules
- Trim repeated spaces and normalize
;separators. - Accept both
header.d/header.ianddkim.d/dkim.ivariants. - Prefer the last AR block that belongs to the final receiver (e.g.,
mx.google.com).
Diagnosing alignment
Compare Header From’s organizational domain with smtp.mailfrom (SPF) and withheader.d (DKIM). In relaxed mode, sub‑domains align; in strict, exact match required.
Fix playbook
- Sign with DKIM
d=yourbrand.tld(not vendor domain), 2048‑bit keys - Prefer
MAIL FROMon a brand sub‑domain for SPF alignment - Unify
Fromdomains across routes or update DMARC expectations - Add One‑Click unsubscribe to reduce complaints and throttling risk
After fixes, save a PDF evidence pack — it prints scanId/sha256 and a Verify link for reproducibility.