Example

SPF, DKIM, and DMARC diagnosis example.

See how WillItInbox explains a message where SPF passes, DKIM passes, but DMARC alignment or policy still creates risk.

DMARC docsSPF guide

The common confusing failure

A message can pass SPF and DKIM checks but still be weak from a DMARC perspective if the authenticated domains do not align with the visible From domain.

SignalExample evidenceInterpretation
SPFReturn-Path domain passes for esp.example.netSPF authenticates the envelope sender.
DKIMd=mailer.example.net verifiesDKIM authenticates the signer.
FromFrom: team [at] example.comVisible sender is example.com.
DMARCNo aligned SPF or DKIM identifierThe visible domain is not authenticated.

How WillItInbox explains the fix

The report points teams toward alignment rather than only saying pass or fail.

  • Configure the ESP to use a custom Return-Path or bounce domain when SPF alignment is required.
  • Configure DKIM signing with the From-domain or an aligned subdomain.
  • Keep DMARC at p=none until legitimate senders are aligned, then move toward quarantine or reject.

Report-style example

Show the difference between authentication validity and alignment

The strongest authentication example makes one confusion obvious: SPF and DKIM can pass for domains that do not align with the visible From domain. DMARC only passes when at least one authenticated identity aligns.

LayerSample evidenceResultAction
SPFReturn-Path: bounce.esp.example passes SPF.SPF pass, DMARC SPF alignment fail.Configure an aligned bounce domain.
DKIMd=mailer.example verifies.DKIM pass, DMARC DKIM alignment fail.Sign with the From domain or aligned organizational domain.
DMARCFrom: example.com with p=none.DMARC fail but reporting only.Fix identity before quarantine or reject.

Next action

Turn a diagnosis into a monitored rollout

After fixing the example message, the team still needs to watch real aggregate reports. One passing test does not prove every SaaS sender, marketing tool, or transactional service is aligned.

Run a DMARC check

Confirm the published policy and reporting tags.

Monitor sources

Use aggregate reports to label real senders and unknown traffic.

Review rollout criteria

Compare quarantine and reject readiness before changing policy.

How to use this example

Read examples as implementation patterns

Examples are not decorative screenshots. They should show the request, evidence, interpretation, decision, and next internal link. Use them when you need to explain a result to a teammate or convert a diagnostic finding into a policy.

Decision policy

Examples should end in an action

A good example does not stop at valid, risky, pass, or fail. It says whether to accept, suppress, segment, retry, fix DNS, change a template, open an owner task, or retest after propagation.

Run a real-message test

Use /test when the question is whether the exact production email is technically ready.

Validate recipients

Use /validator or /validator/bulk before imports, outbound, newsletters, and reactivation.

Automate checks

Use /docs/api when deliverability QA belongs in CI, release tooling, or an internal workflow.

Related

DMARC checker

Inspect policy publication before reading aggregate reports.

SPF checker

Check sender authorization before diagnosing alignment.

Authentication diagnosis

See how SPF, DKIM, and DMARC evidence becomes a fix plan.

Pricing

Compare monitoring, reports, validation, and workspace limits.

DMARC Monitoring tool

Open the public tool that helps diagnose one part of dmarc monitoring and sender authentication.

DMARC Rollout None To Reject guide

Read the supporting guide for practical context around dmarc monitoring and sender authentication.

DMARC monitoring docs

Connect aggregate reports, source attribution, policy status, and alerts to the sender authentication dashboard.

Domain monitoring docs

Track DNS, TLS-RPT, provider reputation, and placement signals for the domains that carry production mail.

FAQ

Can I reuse these examples in production?

Use the request and policy patterns, but replace sample keys, domains, tokens, and thresholds with your own account and risk policy.