What is a DMARC or SPF-fail rejection?

DMARC/SPF-fail rejection occurs when authentication fails and policy demands rejection:

SPF-fail rejection:

SPF record evaluated, and sending IP is not authorized. SPF result is "fail" (not "pass" or "softfail"). Receiving server configured to reject on SPF fail.

DMARC-fail rejection:

SPF and DKIM both fail or are not aligned with From domain. Domain's DMARC policy is set to "p=reject." Receiving server enforces the DMARC policy.

Typical bounce messages:

"Message rejected per DMARC policy." "SPF check failed; rejected per policy." "DMARC: rejected"

Resolution:

Audit SPF record for all sending sources. Verify DKIM is properly configured. Ensure alignment between authentication and From domain. Test with DMARC validators before production.

DMARC/SPF rejection is the domain owner's intent. They published rules; the receiver enforced them.