SMTPERRORCommonSecurityHIGH confidence

Multiple authentication checks failed — SPF and DKIM both fail

Q: How to fix SMTP 5.7.26 Multiple authentication checks failed — SPF and DKIM both fail?

Audit and repair SPF and DKIM configuration: DMARC aggregate reports (RUA) show exactly which messages are failing SPF and DKIM, identifying the source of the problem.

Production Risk

Critical — simultaneous SPF and DKIM failure results in DMARC rejection at major providers; all email to those domains will be blocked.

What this means

Both SPF and DKIM authentication checks failed for the message. When both mechanisms fail, DMARC will also fail regardless of policy, resulting in rejection or quarantine depending on the receiving server's handling.

Why it happens

1The message was sent from an IP not in the SPF record AND the DKIM signature is absent or invalid.
2The message was forwarded through an intermediary that broke both SPF and DKIM.
3DNS propagation delays caused both SPF and DKIM lookups to fail temporarily.

How to reproduce

A message arrives at the destination with both SPF=fail and DKIM=fail in the Authentication-Results header.

trigger — this will error

# Authentication-Results header on received message:
Authentication-Results: mx.example.com;
    spf=fail (domain of sender@yourdomain.com does not designate 203.0.113.1 as permitted sender)
    dkim=fail (signature verification failed)
    dmarc=fail action=reject
# Bounce:
550 5.7.26 This mail has been blocked because the sender is unauthenticated

expected output

550 5.7.26 ...

Fix

Audit and repair SPF and DKIM configuration

WHEN Receiving 5.7.26 or DMARC failure reports

Audit and repair SPF and DKIM configuration

# Check SPF:
dig TXT yourdomain.com | grep spf
# Validate SPF result for a specific IP:
# Use: https://www.kitterman.com/spf/validate.html

# Check DKIM selector (replace 'selector1' with yours):
dig TXT selector1._domainkey.yourdomain.com

# Review DMARC aggregate reports (rua address in DMARC record):
dig TXT _dmarc.yourdomain.com

Why this works

DMARC aggregate reports (RUA) show exactly which messages are failing SPF and DKIM, identifying the source of the problem.

What not to do

✕ Set DMARC policy to p=none and ignore aggregate reports

p=none provides no protection and the reports contain actionable data needed to fix authentication failures.

Sources

Official documentation ↗

RFC 3463 — Enhanced Mail System Status Codes

DMARC Specification RFC 7489 ↗DKIM Signatures RFC 6376 ↗

Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev

At a glance

PlatformSMTP Response Codes