550 5.7.26 Authentication failed (SPF/DKIM/DMARC)

Meaning

The message was blocked because it failed email authentication checks (SPF and/or DKIM), and the sender's domain policy (DMARC) or the receiver's policy requires authentication.

Common causes

  • You are sending from a domain without an SPF record or DKIM signature.
  • Your SPF record does not include the IP address of the server currently sending the email (e.g., you added a new ESP like Amazon SES but forgot to update SPF).
  • Your DKIM signature is invalid because the DNS record is missing or the email was modified in transit.
  • Your domain's DMARC policy is set to 'reject' and the email failed alignment.

How to fix

  1. Set up and verify your SPF record to include all IPs and services that send email on your behalf.
  2. Configure DKIM signing for your domain in your email service provider.
  3. Use a DMARC reporting tool to monitor your authentication alignment before enforcing a 'reject' policy.

Provider notes

Gmail. Explicitly states: 'This message does not have authentication information or fails to pass authentication checks. Gmail requires all senders to authenticate with either SPF or DKIM.'

Example bounce

550 5.7.26 This message does not have authentication information or fails to pass authentication checks.

FAQ

Do I need both SPF and DKIM?
To pass DMARC, you technically only need one to pass and align. However, major providers like Gmail and Yahoo strongly require both for bulk senders.
I updated my SPF record, why is it still failing?
DNS changes can take time to propagate (up to 48 hours, though usually much faster). Also, ensure you haven't exceeded the 10-lookup limit in your SPF record.

Related codes