What is “Authentication-Results” and how to read it?

Authentication-Results is a header added by receiving servers documenting the results of email authentication checks. It's the definitive record of whether your authentication passed.

Example:

Authentication-Results: mx.google.com; dkim=pass header.i=@example.com header.s=selector1; spf=pass (google.com: domain of bounce@mail.example.com designates 192.0.2.1 as permitted sender) smtp.mailfrom=bounce@mail.example.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

Breaking it down:

mx.google.com: The server that performed the checks

dkim=pass: DKIM verification succeeded. header.i shows the signing identity; header.s shows the selector

spf=pass: SPF check passed. smtp.mailfrom shows the envelope sender domain checked

dmarc=pass: DMARC alignment and policy check passed. p= shows the domain's policy; dis= shows what action was taken

Common results: pass, fail, softfail, neutral, none, temperror, permerror

When troubleshooting, this header tells you exactly what succeeded or failed and often explains why.