Email & DNS fix guides
Short, actionable guides for the most common SPF, DKIM, and DMARC errors — with links to free validation tools.
550 5.7.26 authentication required (Gmail)
Gmail returns 550 5.7.26 when a message fails sender authentication before inbox placement. The envelope-from domain must pass SPF or DKIM with DMARC alignment on the visible From domain. Fix authentication on your sending path — M365, Google Workspace, or ESP relay — then re-test.
Read fix guideSPF PermError — permanent error
SPF PermError means receivers cannot evaluate your SPF record. The usual causes are more than 10 DNS lookups (nested includes), invalid syntax, or multiple SPF TXT records on one domain. Receivers treat permerror as a hard evaluation failure, which breaks DMARC on the SPF leg.
Read fix guideDMARC alignment failed — SPF passed
When SPF passes but DMARC fails, the authenticated domain (envelope-from for SPF or d= for DKIM) does not align with the header From domain under your DMARC policy (strict or relaxed). Receivers treat the message as unauthenticated for DMARC purposes.
Read fix guideGmail unverified sender warning
Gmail shows unverified sender when it cannot verify your domain on the message — usually missing DMARC, unsigned DKIM, or SPF/DKIM that does not align with the From: address. Marketing and transactional mail from ESPs triggers this most often when only SPF exists on the root domain.
Read fix guideSPF too many DNS lookups
RFC 7208 limits SPF evaluation to 10 DNS lookups. Exceeding that triggers PermError — receivers cannot validate SPF. Each include:, a, mx, ptr, and exists mechanism in the evaluation chain counts, including nested includes inside delegated records.
Read fix guide