How to read Gmail Authentication-Results (SPF, DKIM, DMARC)

A practical way to find SPF/DKIM/DMARC PASS/FAIL from one real email and what to do next.
2026-02-226 min readdeliverabilitygmailspfdkimdmarc

If you can paste one email’s raw headers, you can usually answer: SPF pass? DKIM pass? DMARC pass? Gmail writes this in Authentication-Results.

Step 1: Open “Show original” in Gmail

  1. Open the email in Gmail.
  2. Click the 3-dot menu → Show original.
  3. Look for Authentication-Results.

Step 2: Find SPF/DKIM/DMARC outcomes

Authentication-Results: mx.google.com;
  spf=pass smtp.mailfrom=example.com;
  dkim=pass header.i=@example.com;
  dmarc=pass header.from=example.com
  • spf=pass means the sending IP is authorized by the domain in the envelope sender (Return-Path / smtp.mailfrom).
  • dkim=pass means the message was signed and the signature verified.
  • dmarc=pass means SPF or DKIM passed AND aligned with the visible From domain (header.from).

Common outcomes and what they mean

  • spf=fail + dkim=pass + dmarc=pass: often OK (DMARC can pass via DKIM). Still fix SPF to reduce risk.
  • spf=pass + dkim=none + dmarc=fail: DKIM not set up; DMARC likely fails alignment. Set DKIM at your ESP.
  • spf=pass + dkim=pass + dmarc=fail: alignment mismatch (From domain differs from signing / mailfrom domain).
Tip
If you see dmarc=pass (p=NONE), DMARC is passing but policy is monitoring. Consider upgrading to quarantine/reject once stable.
Open feedback form