
Fixing Email Authentication Issues

Palisade's DMARC Agent automatically creates tickets when it detects email authentication issues for your domains. This guide explains how to review and resolve those tickets.

How Tickets Are Created

As Palisade processes incoming DMARC reports, it analyzes the results and creates actionable tickets when issues are detected. Each ticket includes details about the problem, the affected sending source, and a recommended course of action.

Common Ticket Types

Unknown Sending Source Needs Verification

A new sending source has been detected in your DMARC reports. You need to determine whether this source is a legitimate service that sends email on behalf of your domain or an unauthorized sender.

To resolve:

  1. Open the ticket and review the sending source details (IP address, organization name, volume).
  2. Determine if the source is a legitimate service (e.g., your email marketing platform, CRM, support desk).
  3. If legitimate, follow the ticket's guidance to authorize the source by updating your SPF or DKIM configuration.
  4. If not legitimate, dismiss the ticket. The source is likely unauthorized and will fail authentication as expected.

SPF Alignment Failure

A legitimate sending source is failing SPF alignment checks. The Return-Path domain does not align with the From domain.

To resolve:

  1. Open the ticket to identify the affected sending source.
  2. Update the sending service's configuration to use your domain in the Return-Path, or add the source's domain to your SPF record.
  3. Verify the fix by checking subsequent DMARC reports.

DKIM Alignment Failure

A legitimate sending source is failing DKIM alignment checks. The DKIM signing domain does not align with the From domain.

To resolve:

  1. Open the ticket to identify the affected sending source.
  2. Configure the sending service to sign emails with a DKIM key for your domain (most services support custom DKIM signing domains).
  3. Verify the fix by checking subsequent DMARC reports.

SPF Record Issues

Your SPF record has configuration problems that may cause authentication failures.

Common issues include:

  • Too many DNS lookups — SPF records are limited to 10 DNS lookups. Exceeding this limit causes SPF to fail for all senders, not just the one that pushed you over.
  • Permissive +all mechanism — an SPF record ending in +all effectively authorizes the entire internet to send email as your domain. This makes your domain trivially spoofable.
  • Missing includes — a sending service is not covered by your SPF record, causing its mail to fail authentication.

To resolve:

  1. Open the ticket to see the specific SPF issue.
  2. Follow the recommended action to optimize your SPF record (e.g., flatten includes, remove unused entries, change +all to ~all or -all).
Tip: The 10-lookup limit is one of the most common SPF problems. Each include: counts as a lookup, and nested includes count too. Use the SPF Audit tool to see your current lookup count. If you are at or near the limit, consider switching to Hosted SPF where Palisade can help manage flattening.
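
The lookup budget and the +all problem described in this section can both be checked statically before you publish a record. The Python below is an added example, not Palisade's code or its SPF Audit tool. The TXT records and the audit_spf helper are constructed for illustration, and the count is the worst case across all nested records (every include and redirect followed), with no live DNS queries.

```python
# Constructed sample zone (TXT records keyed by domain); no real DNS is queried.
SAMPLE_TXT = {
    "example.test": "v=spf1 mx include:_spf.mail.example.test "
                    "include:crm.example.test +all",
    "_spf.mail.example.test": "v=spf1 include:a.mail.example.test "
                              "include:b.mail.example.test ~all",
    "a.mail.example.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.mail.example.test": "v=spf1 a:out.example.test exists:%{i}.bl.example.test ~all",
    "crm.example.test": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Terms that cost a DNS lookup during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10


def audit_spf(domain, txt=SAMPLE_TXT, path=()):
    """Return (lookup_count, findings) for a domain, following nested records."""
    if domain in path:
        return 0, [f"include loop at {domain}"]
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"no SPF record at {domain}"]
    count, findings = 0, []
    for term in record.split()[1:]:
        # A mechanism with no qualifier defaults to "+", so bare "all" is "+all".
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name == "all" and qualifier == "+":
            findings.append(f"permissive all ({term}) in {domain}")
        if name in LOOKUP_TERMS:
            count += 1
        if name in ("include", "redirect"):
            # Nested records spend lookups from the same budget.
            target = body.partition(":" if name == "include" else "=")[2]
            nested_count, nested_findings = audit_spf(target, txt, path + (domain,))
            count += nested_count
            findings += nested_findings
    if not path and count > LOOKUP_LIMIT:
        findings.append(f"{count} lookups exceeds the limit of {LOOKUP_LIMIT}")
    return count, findings


if __name__ == "__main__":
    total, issues = audit_spf("example.test")
    print(total, issues)
```

For the constructed zone, the top-level record shows only three lookup terms, but the nested includes bring the total to 7, which is why the count has to be taken over the whole include tree.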

General Workflow

For any ticket type:

  1. Go to the Domain Overview page for the affected domain.
  2. Open the ticket to review the details and recommended action.
  3. Follow the guided steps -- the DMARC Agent walks you through identifying the source, deciding if it is legitimate, and applying the appropriate fix.
  4. Once resolved, mark the ticket as done.
  • See the Domain Overview page breakdown to understand where tickets appear and how to navigate them.
  • See the Locking Down DMARC guide for the overall process of moving toward a strict DMARC policy after resolving authentication issues.