How does ZeroHook verify my domain security?

ZeroHook performs a tiered security audit: 6 checklist checks on Free and 35 on paid tiers, covering DMARC, SPF, DKIM, DNSSEC, MX records, SSL/TLS certificates, CAA records, BIMI, email routing, and DNS configuration.

How long does a scan take?

Most scans complete in under 30 seconds with real-time progress updates.

What is NIS2 compliance?

NIS2 is the EU's Network and Information Security Directive. Our reports help identify DNS security gaps and provide audit-ready documentation.

Back to Blog

Gmail Unverified Sender? Check DMARC

Gmail's unverified sender banner means authentication failed or DMARC is missing. Fix SPF, DKIM, and alignment before recipients stop trusting your mail.

ZeroHook TeamJun 23, 2026~3 min read

Your customer forwards a screenshot. Gmail shows a grey question mark next to your company name. "Unverified sender." Your campaign stats say delivered. A 19-person ecommerce brand in Lisbon saw this on post-purchase emails in January 2026. Klaviyo reported 98% delivery. Gmail's UI told recipients the sender might not be who they claim. Open rates dropped 22% in two weeks. SPF existed. DKIM was off. DMARC was never published. The From: address was correct. Authentication was not. Google's bulk sender guidelines (February 2024, still enforced 2026) require SPF, DKIM, and DMARC for senders above 5,000 messages per day to Gmail. Smaller senders see the same warning when authentication fails or DMARC is absent. The gmail unverified sender dmarc connection is direct: receivers cannot verify your domain, so Gmail warns the user instead of silently trusting the message. This is softer than a hard bounce. It is worse for revenue. People do not click mail they think might be fake.

What Gmail's Unverified Sender Warning Means

Not the same as spam folder

Unverified sender is an inbox warning banner. The message may still arrive in Primary or Promotions. Recipients see that your domain lacks strong authentication signals Gmail recognizes.

Not the same as 550 5.7.26

Hard SMTP rejection blocks delivery entirely. Unverified sender means Gmail accepted the message but will not vouch for the sender identity. Both trace back to authentication gaps.

What Gmail checks

SPF pass on the envelope path, DKIM signature with valid key, DMARC pass (alignment of SPF or DKIM with the visible From: domain). Missing any leg can trigger the warning depending on policy and reputation context.

Quick fix page: zerohook.org/fix/gmail-unverified-sender

Fix Unverified Sender (Step by Step)

Publish DMARC if missing. At Cloudflare or your DNS host, add TXT on _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r

p=none is fine while fixing senders. No DMARC record at all is not fine in 2026.

Enable DKIM on every sending path. Microsoft 365: Admin center → Domains → DKIM → create CNAME records for selector1 and selector2, wait for DNS propagation, toggle signing on. Google Workspace: Admin → Gmail → Authenticate email → Generate record → publish at google._domainkey.

Fix ESP relay mail. In Mailchimp, HubSpot, Klaviyo, or SendGrid: complete domain authentication (DKIM CNAMEs + custom MAIL FROM if offered). Verify Authentication-Results on a test to Gmail shows dkim=pass with d=yourdomain.com and ideally dmarc=pass.

Audit SPF includes so your root record authorizes M365 or Google plus each ESP:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all

Stay under 10 DNS lookups. PermError breaks SPF and DMARC together.

Send a test to a Gmail account you control. Open → Show original → confirm spf=pass or dkim=pass plus dmarc=pass. Re-send the customer-facing template only after headers are clean.

Frequently Asked Questions

Will p=reject remove the unverified sender warning?

Only if legitimate mail already passes DMARC alignment. Reject without alignment fixes is how you bounce your own newsletters. Fix auth first, tighten policy later.

Why does Gmail warn on mail that "passed" in my ESP dashboard?

ESP dashboards often verify DNS records exist, not that live messages align From: with DKIM or envelope-from on every stream. Transactional and marketing streams may use different signing configs.

Does BIMI remove the warning?

BIMI requires DMARC enforcement (quarantine or reject) plus a verified mark certificate for logo display. It is downstream of fixing authentication, not a shortcut around DMARC.

Key takeaways

Unverified sender means Gmail cannot verify your domain identity on that message.

Publish DMARC, enable DKIM on all paths, fix ESP domain authentication before blaming list quality.

Test with Authentication-Results headers, not dashboard green checkmarks alone.

The warning hurts trust and clicks even when mail is "delivered."

Validate your DMARC record and policy at zerohook.org/dmarc-checker before your next campaign lands with a question mark next to your brand name.

Share this analysis

Help others discover this content

About the author

ZeroHook Team

Security Analysts

The ZeroHook Team breaks down DMARC alignment failures we see in production audits. Copy-paste fixes included where possible.

Fix DNS before the next audit

Provider-specific copy-paste fixes for Cloudflare, Route53, GoDaddy, and more.

Start free scan

Product

Solutions

Resources

Company