Field notes · email authentication

The things that quietly break your domain — and how to fix them.

Practical notes from the people who built DMARC Guardian. Real failure modes from real reports — written for the operator on call at 22:47, not the analyst writing a whitepaper. No fluff, no RFCs cited unless they actually help.

14 articles Roughly one per week
June 10, 2026 8 min read dmarc

Why forwarded email fails SPF — and why DKIM is the only thing saving you

Your DMARC reports show authentication failures from IPs you don't recognize sending to recipients you don't expect. Before you panic, check this — forwarding is the most common source of scary-looking-but-benign rows in aggregate reports.

Read the post

All notes

Newest first
JUN 10 · 2026 Wednesday 8 min

Why forwarded email fails SPF — and why DKIM is the only thing saving you

Your DMARC reports show authentication failures from IPs you don't recognize sending to recipients you don't expect. Before you panic, check this — forwarding is the most common source of scary-looking-but-benign rows in aggregate reports.

dmarcspfdkimforwarding
8 minRead →
JUN 10 · 2026 Wednesday 5 min

Microsoft "550 5.7.515 Access denied" — what it means and how to fix it

Your emails to outlook.com and hotmail.com users are bouncing with 550 5.7.515. Here is who this actually affects, who it does not, and the exact steps to stop the rejections.

microsoftdmarcspfdkimdeliverability
5 minRead →
JUN 10 · 2026 Wednesday 6 min

Gmail "550 5.7.26 This mail has been blocked": the 30-minute fix

Your emails to Gmail users are bouncing with 550 5.7.26 and customers aren't hearing from you. Here is what changed, why it's happening to you right now, and the exact commands to find and fix the problem.

gmaildmarcspfdkimdeliverability
6 minRead →
JUN 10 · 2026 Wednesday 8 min

DMARC permerror vs temperror: one fixes itself, the other kills your deliverability

You're reading aggregate reports and see permerror or temperror in the SPF results. One of them is a fire alarm. The other is a blip. Here's how to tell them apart and what to do about each.

dmarcspftroubleshooting
8 minRead →
MAY 25 · 2026 Monday 9 min

SPF passes, DMARC fails: the alignment trap every DevOps engineer hits

You added SendGrid or Amazon SES, SPF is passing, but DMARC reports still show failures. This is the alignment problem — and it's not a bug in your SPF record. Here's what's actually happening and how to fix it.

dmarcspf
9 minRead →
MAY 25 · 2026 Monday 8 min

Your root domain is p=reject. Your subdomains can still betray you — here's how

One stale vendor DMARC record — left from a decommissioned integration — is all it takes: a subdomain-specific p=none silently overrides your root p=reject and inheritance never kicks in. Here is what actually leaves you exposed and why adding sp=reject takes five minutes.

dmarcsubdomain
8 minRead →
MAY 22 · 2026 Friday 2 min

Reading DMARC aggregate reports without drowning in XML

How aggregate (RUA) reports differ from forensic (RUF) data and what operators should focus on first.

dmarcreports
2 minRead →
MAY 18 · 2026 Monday 8 min

DKIM key rotation: the security step most admins skip after setup

You configured DKIM once and it's been "working" ever since. But DKIM private keys age out, leak, and get compromised — and most teams have no rotation process in place. Here's what the risk looks like and how to fix it before it matters.

dkimsecurity
8 minRead →
MAY 17 · 2026 Sunday 6 min

SPF permerror: why adding one SaaS tool breaks your email authentication

Your SPF record hit the 10-lookup limit and now DMARC reports show permerror for a growing chunk of your mail. Here is exactly what happened and how to fix it without breaking the senders you already have.

spfsaasflattening
6 minRead →
APR 20 · 2026 Monday 7 min

Moving from DMARC p=none to p=reject without killing legitimate email

A step-by-step guide for DevOps engineers and solo admins who set up DMARC monitoring months ago and still haven't enforced it — and why that matters.

dmarcenforcement
7 minRead →
APR 18 · 2026 Saturday 1 min

Welcome to the DMARC Guardian blog

Notes on email authentication, deliverability, and how we ship DMARC Guardian.

meta
1 minRead →
APR 11 · 2026 Saturday 5 min

My emails kept landing in spam — here's what I found out (no tech background needed)

A plain-English walkthrough for non-technical founders whose customer emails disappear into spam folders. No acronyms until explained.

deliverabilityfor non-technical founders
5 minRead →
APR 04 · 2026 Saturday 5 min

SPF + DKIM + DMARC — the bootstrap for startups

A practical checklist for DevOps engineers and solo admins who need email authentication done right without drowning in RFC specs.

spfdkimdmarc
5 minRead →
MAR 28 · 2026 Saturday 5 min

Why your transactional emails land in spam — and how to fix it

If your onboarding emails, password resets, or invoices keep hitting spam folders, SPF, DKIM, and DMARC misconfiguration is the likely cause. Here's how to diagnose and fix it without reading an RFC.

deliverabilityspfdkim
5 minRead →

Is a scammer emailing from your domain right now?

Type your domain. We will tell you — in plain English — whether anyone can forge a fake invoice from it today. 15 seconds. No signup, no card.