Why Gmail Is Rejecting My Emails After DMARC Enforcement
Why Is Gmail Rejecting My Emails?
Gmail is rejecting your emails because your DMARC policy tells it to. When you move from p=none (monitor only) to p=quarantine or p=reject, you are instructing receiving servers like Gmail to act on authentication failures. If any email from your domain fails both SPF and DKIM alignment, Gmail will now quarantine it (send to spam) or reject it outright — exactly as your policy requests.
The emails were likely failing authentication before, too. The difference is that with p=none, Gmail delivered them anyway and just sent you a report. Now it is enforcing.
What Changed?
Here is the progression:
| Policy | What Gmail Does with Failing Emails |
|---|---|
p=none | Delivers normally, sends you a report |
p=quarantine | Sends to recipient's spam folder |
p=reject | Rejects the email — it never reaches the inbox |
If you recently changed your DMARC policy and emails stopped arriving, this is almost certainly the cause.
How to Diagnose the Problem
Step 1: Check Your DMARC Record
dig +short TXT _dmarc.yourdomain.com
Confirm what policy is currently active. If you see p=reject or p=quarantine, that is your enforcement policy in action.
Step 2: Check Bounce Messages
If Gmail is rejecting your emails, the sending server receives a bounce message (NDR). Look for error codes like:
550 5.7.26 This message does not pass authentication checks (SPF and DKIM both do not pass).
550 5.7.1 Unauthenticated email from yourdomain.com is not accepted due to domain's DMARC policy.
These confirm Gmail is rejecting based on DMARC.
Step 3: Review Your DMARC Reports
Your aggregate reports (rua) contain the full picture. Look for:
- Which sending sources are failing
- Whether SPF, DKIM, or both are failing for each source
- The volume of failures vs. passes
The Most Common Causes
1. Third-Party Service Not Configured for DKIM
You use a service (CRM, marketing platform, helpdesk) that sends email from your domain but was never set up with DKIM for your domain.
Fix: Log into each service and configure DKIM with your domain's key. Common services that need this:
- Marketing: Mailchimp, HubSpot, ActiveCampaign, Klaviyo
- Transactional: SendGrid, Mailgun, Postmark, Amazon SES
- Support: Zendesk, Freshdesk, Intercom
- CRM: Salesforce, HubSpot
2. Forgotten Sending Sources
Your DMARC reports at p=none may have shown failures you did not address. Common forgotten sources:
- Legacy applications sending via SMTP directly
- WordPress or other CMS sending password reset / notification emails
- Monitoring systems sending alert emails
- Printers, scanners, or IoT devices sending via email
Fix: Audit your DMARC reports to find every source. For each legitimate source, configure proper SPF and/or DKIM. For unauthorized sources, leave them failing — DMARC is doing its job.
3. Email Forwarding
Recipients who forward your email to another address will trigger DMARC failures. This is not something you misconfigured — it is a known limitation.
Fix: Ensure DKIM is properly configured (it survives forwarding if the message is not modified). Consider whether p=quarantine is more appropriate than p=reject if forwarding is common in your audience.
4. "Send As" or Alias Configurations
If employees use Gmail's "Send mail as" feature or similar alias setups, the authentication chain may not be properly configured for the alias domain.
Fix: Ensure each alias domain has proper SPF and DKIM records, and that the email service signs with the correct domain's key.
Emergency Fix: Roll Back Your Policy
If critical email is being blocked and you need to restore delivery immediately, change your DMARC record back to p=none:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
This stops enforcement while you fix the underlying issues. It is not a long-term solution — you are leaving your domain unprotected — but it stops the immediate pain.
The Right Way to Enforce DMARC
To avoid this situation, follow a gradual enforcement path:
- Start at
p=none— Monitor for 4+ weeks - Use
pct=for gradual rollout — Apply enforcement to a percentage of failing emails:
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com
- Increase
pctgradually — 10% → 25% → 50% → 100% - Move to
p=quarantineat 100% — All failing emails go to spam - Move to
p=reject— All failing emails are blocked
The pct tag is specifically designed for this gradual rollout. At pct=10, only 10% of failing messages get the policy applied — the rest are delivered normally (as if p=none).
Gmail-Specific Requirements (2024+)
Google has additional requirements for senders beyond DMARC:
- All senders: Must have SPF or DKIM (at least one), a DMARC record, valid forward and reverse DNS, TLS for transmission
- Bulk senders (5,000+ messages/day): Must have SPF and DKIM, DMARC at minimum
p=none, one-click unsubscribe headers, spam rate below 0.3%
If you send bulk email and do not meet these requirements, Gmail may reject or spam-folder your messages regardless of DMARC.
FAQ
Can I set different policies for different senders?
No — DMARC policy applies to your entire domain. You cannot exempt specific senders. However, you can use subdomains with their own DMARC records (or the sp= tag) to separate policies for different sending use cases.
How quickly does a DMARC policy change take effect?
After updating the DNS record, changes propagate within minutes to hours. Receiving servers like Gmail check your DMARC record on each incoming email, so the new policy takes effect as soon as they see the updated record.
Will Gmail tell the sender why the email was rejected?
Yes. Gmail returns a bounce message with a specific error code (550 5.7.26 or similar) that references DMARC. The sender's mail server should log this bounce and may notify the human sender, depending on the configuration.
My emails pass DMARC when I test them, but some still get rejected. Why?
You may have multiple sending sources, and only some of them are properly configured. A test from Gmail or your main email client might pass, while automated emails from a CRM or marketing platform fail. Check your DMARC reports for the full picture.