| SPF permerror | spf=permerror | >10 DNS lookups, syntax error, or multiple SPF TXT records | Flatten includes, remove duplicates, use subdomain delegation |
| SPF fail on forwarded mail | spf=fail | Forwarding server IP not in sender's SPF | Implement SRS on forwarder, rely on DKIM + ARC for DMARC |
| DKIM fail: body hash mismatch | dkim=fail (body hash did not verify) | Message body modified in transit (footer added, encoding changed) | Fix intermediary, use l= body length tag (risky), or ARC |
| DKIM fail: key not found | dkim=fail (no key for signature) | DNS key record missing, wrong selector, or propagation delay | Verify dig TXT selector._domainkey.domain, wait for TTL |
| DMARC fail: alignment | dmarc=fail, but spf=pass and/or dkim=pass | SPF domain or DKIM d= doesn't match From: domain | Sign with d= matching From: domain, or use relaxed alignment |
| DMARC fail: third-party sender | dmarc=fail | SaaS sends with your From: but no DKIM delegation | Have vendor sign with your domain via CNAME'd DKIM selector |
| Sporadic DKIM temperror | dkim=temperror | DNS timeout for key lookup, often under receiver load | Low TTL on key record, ensure nameserver reliability, add redundancy |
| SaaS SPF include bloat | spf=permerror | 5+ SaaS vendors each adding include: chains | Dedicate subdomains per vendor, or flatten with automated tooling |
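
The lookup-count and multiple-record causes of `spf=permerror` in the rows above can be checked before a record is published. This is an added example, not part of the original page: it walks include/redirect chains in a constructed in-memory zone and applies the 10-lookup limit from RFC 7208. The domain names, `ZONE`, `count_lookups` and `check` are all illustrative assumptions.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that query DNS

# Constructed sample zone (domain -> TXT strings); every name is a placeholder.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:crm.example "
                    "include:help.example a mx ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "crm.example": ["v=spf1 include:_x.crm.example include:_y.crm.example mx ~all"],
    "_x.crm.example": ["v=spf1 ip4:203.0.113.0/25 ~all"],
    "_y.crm.example": ["v=spf1 exists:%{i}.rbl.crm.example ~all"],
    "help.example": ["v=spf1 a include:_spf.mail.example ~all"],
    "dup.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],
    "flat.example": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all"],
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms reachable from domain via include/redirect."""
    if domain in path:
        raise ValueError(f"{domain}: include loop")
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        raise ValueError(f"{domain}: {len(records)} SPF records (need exactly 1)")
    total = 0
    for term in records[0].lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z][a-z0-9]*)(?:[:=]([^/]+))?", term)
        if not m:
            raise ValueError(f"{domain}: syntax error in term {term!r}")
        name, target = m.groups()
        if name in COUNTED:
            total += 1  # this term costs one lookup at evaluation time
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return ('permerror' | 'ok', detail) for the causes listed in the table."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as exc:
        return "permerror", str(exc)
    if n > LOOKUP_LIMIT:
        return "permerror", f"{n} DNS lookups (limit {LOOKUP_LIMIT})"
    return "ok", f"{n} DNS lookups"
```

Here `example.com` has only three vendor includes, yet nested chains and the shared `_spf.mail.example` include push it past the limit, while the flattened `flat.example` costs no lookups.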