How to Fix DMARC Reject in Cold Email (Step-by-Step)

Dimitar Petkov·Jul 3, 2026·9 min read

Your campaign stopped dead, bounce notifications are stacking up, and the error inside them says something like "rejected due to DMARC policy." If you are searching for how to fix DMARC reject errors, the good news is that this failure is loud, specific, and very fixable, usually with a handful of DNS corrections.

A reject means the receiving server checked your message against your domain's published DMARC policy, the authentication checks failed, and the policy told the receiver to refuse delivery outright. Unlike ordinary spam placement, the mail never reaches the recipient at all.

This guide covers what p=reject actually does, how to confirm DMARC is the real culprit, and the step-by-step repair: fix the underlying SPF or DKIM failure, sort out alignment, correct the record, and roll enforcement back out safely.

What p=reject Means and How It Differs From Quarantine

DMARC is the policy layer that sits on top of SPF and DKIM. It tells receiving servers what to do with mail that fails authentication, and it offers three enforcement levels: p=none delivers the mail and just reports, p=quarantine sends it to spam, and p=reject refuses it entirely.

The difference between quarantine and reject matters operationally. Quarantined mail still exists; a recipient can find it in spam, and you can detect the problem through fading reply patterns. Rejected mail bounces straight back. Your sequences fill with delivery failures, and the recipient never knows you wrote.

That severity is deliberate. Reject is the strongest protection against criminals spoofing your domain, which is why mailbox providers honor it so firmly. But the policy cannot tell an impersonator from your own misconfigured sending tool. Both get refused with the same bounce.

Confirm DMARC Is Actually the Problem

Before touching DNS, prove the diagnosis. Two sources tell the truth: message headers and aggregate reports.

For headers, send a test from the failing setup to a mailbox you control on another domain, open the raw source, and read the Authentication-Results line. You are looking for dmarc=fail alongside its cause: spf=fail, dkim=fail, or checks that pass on a domain that does not match your From address. When mail is rejected outright, the bounce text usually names the DMARC policy directly.

For the wider picture, use rua aggregate reports. The rua tag in your DMARC record tells receivers where to send daily XML summaries of every message claiming to be your domain: which sources sent, what passed, and what the receiver did with it. Tools like dmarcian or MXToolbox turn the raw files into readable dashboards.

Read the reports before acting. If your known sending tools are failing, you have a setup problem and this guide fixes it. If unknown servers are failing, the policy is doing its job against spoofers, and you should leave it alone.
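The triage described above can be run directly over a raw aggregate report. This is an added example, not code from the original article: the sample report is constructed, the element names follow the standard aggregate report layout, and `sendtool.example` and the `known_tool_domains` parameter are hypothetical stand-ins for the sending tools you actually use.

```python
import xml.etree.ElementTree as ET  # reports come from third parties; a hardened
from collections import defaultdict  # parser such as defusedxml is safer for real input

# Constructed sample report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>reject</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated>
   <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>bounces.sendtool.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.7</source_ip><count>45</count><policy_evaluated>
   <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>mail.unrelated.example</domain><result>fail</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.5</source_ip><count>300</count><policy_evaluated>
   <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim></auth_results>
 </record>
</feedback>"""

def triage(report_xml, known_tool_domains):
    """Split DMARC-failing volume into your own tools (fix setup) and unknown senders."""
    buckets = {"own_tool_failing": defaultdict(int), "unknown_failing": defaultdict(int)}
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue  # DMARC passed: one aligned pass is enough
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # Domains the receiver saw in the raw SPF and DKIM checks for this source.
        seen = {d.text.lower() for d in rec.iterfind("auth_results/*/domain") if d.text}
        own = any(d == k or d.endswith("." + k) for d in seen for k in known_tool_domains)
        buckets["own_tool_failing" if own else "unknown_failing"][ip] += count
    return {name: dict(sources) for name, sources in buckets.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, {"sendtool.example"}))
```

Sources in the first bucket are the ones this guide repairs; sources in the second are mail the policy is refusing as intended.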

Step-by-Step: How to Fix a DMARC Reject

Work through these steps in order. Each one depends on the one before it.

1. Read the Failing Headers

A dmarc=fail means neither check produced an aligned pass, so there are only two places to look: SPF failed or was misaligned, and DKIM failed or was misaligned. The Authentication-Results header shows each check and the domain it evaluated. Write down exactly what failed, because it decides which repair you make in step three.

2. Check SPF and DKIM Alignment

DMARC does not just require SPF or DKIM to pass. The passing domain must also align with the visible From domain: SPF aligns when the return-path domain matches, and DKIM aligns when the d= signing domain matches.

Alignment has two modes. Relaxed, the default, accepts subdomain matches, so mail.yourdomain.com aligns with yourdomain.com. Strict demands an exact match. Many rejects trace to a sending tool that passes SPF on its own domain rather than yours, which fails alignment even though the header shows spf=pass.

3. Fix the Underlying Authentication Failure

If DKIM is the broken half, our guide to fixing a DKIM failure walks through selectors, keys, and DNS records. If SPF is failing, our SPF failure fix covers includes, the lookup limit, and authorized senders. DMARC needs at least one of the two to pass with alignment, so this step is the heart of the repair.

For third-party tools, the fix is usually completing their custom domain authentication: publishing the CNAME or TXT records they provide so they sign as your domain instead of their own.

4. Correct the DMARC Record Syntax

Your policy lives at _dmarc.yourdomain.com as a TXT record. Confirm exactly one record exists there, that it starts with v=DMARC1, and that tags are separated by semicolons with no stray quotes or spaces. Two DMARC records at the same hostname invalidate each other, a surprisingly common leftover from domain migrations.

5. Turn On rua Monitoring

Add a rua tag pointing at a mailbox or monitoring service, such as rua=mailto:dmarc@yourdomain.com. Aggregate reports are your only complete view of every source sending as your domain, and you need that visibility before changing enforcement. Without it, you are tightening policy blind.

6. Roll Out none, Then Quarantine, Then Reject

If your own legitimate mail was being rejected, step enforcement back and re-earn it. Start at p=none and watch reports until every legitimate source passes with alignment for a few consecutive weeks. Move to p=quarantine, optionally using pct to apply it to a fraction of mail first. Return to p=reject only when reports show clean alignment everywhere. This gradual path is the same approach the major mailbox providers recommend to bulk senders.

7. Retest, Then Resume Sending

Send fresh tests from every tool that sends as your domain and confirm dmarc=pass in the headers. Resume campaigns gradually rather than at full volume, because receiving servers noticed the failure window too.
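The header reading in steps 1, 2, and 7 can be scripted so every test message is judged the same way. This is an added example, not code from the original article: the header values are constructed, `sendtool.example` is a hypothetical third-party sender, and the organizational-domain lookup is simplified to the last two labels where a real evaluator uses the Public Suffix List.

```python
import re

# Constructed header values; sendtool.example stands in for a third-party sender.
MISALIGNED = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@bounces.sendtool.example; "
              "dkim=pass header.d=sendtool.example header.s=s1; "
              "dmarc=fail (p=REJECT) header.from=yourdomain.com")
SUBDOMAIN = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@bounces.sendtool.example; "
             "dkim=pass header.d=mail.yourdomain.com header.s=s1; "
             "dmarc=pass (p=REJECT) header.from=yourdomain.com")

def org_domain(domain):
    # Simplification (assumption): last two labels. Wrong for suffixes like co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else bool(a) and org_domain(a) == org_domain(f)

def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc) to (result, {property: value})."""
    value = re.sub(r"\([^)]*\)", " ", value)   # drop comments such as (p=REJECT)
    out = {}
    for part in value.split(";")[1:]:          # part 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", part, re.S)
        if m:  # keeps one result per method; multi-signature mail needs a list
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            out[m.group(1).lower()] = (m.group(2).lower(), props)
    return out

def diagnose(value, adkim="r", aspf="r"):
    """Recompute DMARC from the SPF and DKIM results and show which half to repair."""
    res = parse_auth_results(value)
    from_dom = res["dmarc"][1]["header.from"]
    report = {}
    for method, prop, mode in (("spf", "smtp.mailfrom", aspf), ("dkim", "header.d", adkim)):
        result, props = res.get(method, ("none", {}))
        dom = props.get(prop, "").split("@")[-1]
        if result != "pass":
            report[method] = "failed"
        else:
            report[method] = "aligned" if aligned(dom, from_dom, mode) else "pass but misaligned"
    report["dmarc"] = "pass" if "aligned" in (report["spf"], report["dkim"]) else "fail"
    return report

if __name__ == "__main__":
    for sample in (MISALIGNED, SUBDOMAIN):
        print(diagnose(sample))
```

The first sample is the case from step 2: both checks pass, but on the tool's own domain, so DMARC still fails.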

DMARC Tag Reference

These are the tags you will actually touch when repairing a record.

| Tag | What it does | Typical value |
| --- | --- | --- |
| v | Version tag, must come first | v=DMARC1 |
| p | Policy for your main domain | none, quarantine, or reject |
| sp | Separate policy for subdomains | Defaults to p when omitted |
| rua | Where aggregate reports are sent | mailto:dmarc@yourdomain.com |
| pct | Share of failing mail the policy applies to | 100 unless staging a rollout |
| adkim | DKIM alignment mode | r for relaxed, s for strict |
| aspf | SPF alignment mode | r for relaxed, s for strict |

Leave adkim and aspf relaxed unless you have a specific reason to tighten them. Strict alignment breaks legitimate subdomain sending far more often than it stops a real attack.

When Reject Is Right and When It Is Breaking Your Own Sends

p=reject is the correct end state for most established domains. It is the only policy that fully stops spoofing, it protects the people you email from impersonation scams, and mailbox providers treat a clean domain at reject as a trust signal. If your reports show only unknown servers failing, reject is working exactly as intended.

Reject becomes the problem when it was published before every legitimate source was aligned. The classic cases: a CRM or billing tool sending as your domain without custom authentication, a subdomain sender inheriting the root policy through a missing sp tag, or a forwarding path that quietly breaks SPF.

For cold outbound, the answer is separation. Send campaigns from dedicated domains you own, each with SPF, DKIM, and DMARC configured correctly from day one, and leave your primary domain's reject policy untouched. A well-set sending domain shows normal reply patterns, including out-of-office auto-replies, which are a healthy sign that mail is landing in primary inboxes rather than being refused.

Common DMARC Mistakes

  • Publishing two DMARC records at _dmarc, which receivers treat as no valid policy at all.
  • Jumping straight to p=reject without weeks of monitoring at p=none first.
  • Forgetting that subdomains inherit p when sp is missing, so a root reject silently applies to every subdomain sender.
  • Reading spf=pass as safe when the passing domain does not align with the From domain.
  • Deleting the record to stop the bounces instead of fixing the authentication underneath.
  • Treating pct as a permanent setting rather than a rollout tool; the end state should be the full policy at 100.
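The record checks from step 4 and the mistakes listed above can be automated against whatever TXT values a DNS lookup returns for _dmarc. This is an added example, not code from the original article: the function names and finding codes are hypothetical, and it assumes the caller passes the decoded TXT strings rather than doing the DNS query itself.

```python
import re

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into {tag: value}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_dmarc(txt_values):
    """txt_values: every decoded TXT string at _dmarc.<domain>. Returns 'code: text' findings."""
    # Receivers only consider values that begin with the version tag.
    dmarc = [t for t in txt_values if re.match(r"v\s*=\s*DMARC1\s*(;|$)", t)]
    if not dmarc:
        return ["no-record: no TXT value starts with v=DMARC1 (check stray quotes or spaces)"]
    if len(dmarc) > 1:
        return ["multiple-records: %d found, so receivers apply no policy" % len(dmarc)]
    tags, out = parse_tags(dmarc[0]), []
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        out.append("bad-p: p must be none, quarantine, or reject")
    if p == "reject" and "sp" not in tags:
        out.append("sp-inherits: no sp tag, every subdomain sender inherits reject")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        out.append("no-rua: no aggregate reports, enforcement changes are blind")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        out.append("bad-rua: each rua address needs the mailto: prefix")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        out.append("bad-pct: pct must be an integer from 0 to 100")
    elif int(pct) < 100:
        out.append("pct-staged: policy applies to %s%% of failing mail" % pct)
    for tag in ("adkim", "aspf"):
        mode = tags.get(tag, "r").lower()
        if mode not in ("r", "s"):
            out.append("bad-%s: value must be r or s" % tag)
        elif mode == "s":
            out.append("strict-%s: subdomain senders will not align" % tag)
    return out

def codes(findings):
    """Return only the short code in front of each finding."""
    return [f.split(":")[0] for f in findings]

if __name__ == "__main__":
    # Constructed input: a leftover record from a migration next to the current one.
    print(lint_dmarc(["v=DMARC1; p=none", "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"]))
```

Findings such as sp-inherits, pct-staged, and the strict-alignment notes are prompts to confirm intent rather than syntax errors.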

How We Handle This for Clients

Authentication is not a one-time task. Records drift, tools change, keys rotate, and one wrong edit can bounce every message your company sends. We build and manage the sending infrastructure for every client: dedicated domains, mailboxes, SPF, DKIM, and DMARC configured to pass with alignment, monitored through aggregate reports, and warmed up before the first campaign send.

You own all of it: the domains, the records, the mailboxes, and the reputation they earn. See how the full system fits together and what it produces in our case studies.

Ready to Send Cold Email That Actually Gets Delivered?

A DMARC reject is the loudest way deliverability fails, and it is rarely the only thing wrong underneath. We build, monitor, and manage the entire authentication and sending layer, and you keep every piece of it.


Frequently Asked Questions

A strong positive reply rate for B2B cold email is 1.5–3%. Top-performing campaigns with tight targeting and personalized copy can hit 4–5%. If you're below 1%, it usually signals a deliverability or messaging problem — not a volume problem.

The safe range is 30–50 emails per inbox per day for warmed inboxes. That's why outbound systems use multiple inboxes (we use 80) — to reach 40,000+ monthly sends while keeping each inbox well within safe limits. Sending more than 50/day from a single inbox risks spam folder placement.

Yes. The CAN-SPAM Act permits unsolicited commercial email as long as you include a physical address, an unsubscribe mechanism, accurate headers, and non-deceptive subject lines. Unlike GDPR in Europe, the US does not require prior opt-in consent for B2B cold outreach.

Domain warm-up typically takes 2–3 weeks. During this period, sending volume gradually increases while the email warm-up tool generates positive engagement signals (opens, replies) to build sender reputation. Skipping or rushing warm-up is the most common cause of deliverability problems.

Cold email is targeted, relevant outreach to a specific person based on their role, industry, or company — with a clear business reason. Spam is untargeted mass messaging with no personalization or relevance. The distinction matters legally (CAN-SPAM compliance) and practically (deliverability depends on relevance signals).

Dimitar Petkov

Co-Founder of LeadHaste. Builds outbound systems that compound. 4x founder, Smartlead Certified Partner, Clay Solutions Partner.
