They Had SPF, DKIM, and DMARC - and Their Email Was Still "Unverified"

A Los Angeles-based food distributor reached out because their emails were showing up as "Unverified" in Outlook. They'd done everything right - or so they thought. They had SPF, DKIM, and DMARC records published in DNS. So why were recipients seeing warning badges on every message?

What We Found

We pulled the email headers and ran the authentication checks. Here's what came back:

• SPF: PermError - not a pass, not a fail, a permanent error
• DKIM: None - the message wasn't signed at all
• DMARC: Fail - with nothing to pass on, DMARC had no choice

The culprit? A single typo in their SPF record. One of the IP address mechanisms read i p4:203.0.113.25 instead of ip4:203.0.113.25. That invisible space turned a valid directive into an unrecognized token, which caused the entire SPF evaluation to short-circuit with a PermError - before it ever reached the include: that would have authorized their mail server.

To make things worse, DKIM was never configured on their outbound mail server. The record existed in DNS from a previous setup, but the server itself wasn't signing messages. So DMARC had two strikes and nothing to work with.

Why This Matters

This is the kind of problem that can go undetected for months - or years. The emails still get delivered (their DMARC policy was set to p=none), but every single one arrives with an "Unverified" badge that erodes trust with customers and partners. For a distributor sending invoices and account statements, that's a real business problem.

And here's the thing: if you looked at their DNS dashboard, everything appeared to be in place. SPF record? Check. DMARC record? Check. Unless you're actively monitoring authentication results, you'd never know anything was wrong.

The Fix

Two changes to resolve it completely:

1. Fix the SPF typo - remove the space in i p4 so the record parses correctly
2. Enable DKIM signing - configure the mail server to sign outbound messages and publish the corresponding public key

With those in place, SPF passes, DKIM passes, and DMARC aligns. No more "Unverified."

Your Customers Won't Tell You

Here's the uncomfortable truth: when your email shows up as "Unverified," your customers aren't going to reach out and let you know. They'll just trust your messages a little less. And if authentication degrades further and your messages land in spam? They'll never see them at all - and you'll never hear about it.

You can set up SPF, DKIM, and DMARC and still have broken email authentication. Typos, stale configurations, server changes - any of these can silently degrade your email trust without a single bounce or error notification reaching your inbox.

That's exactly the problem SenderClarity solves. We continuously monitor your domain's authentication health and proactively alert you when something breaks - so you find out before your customers stop opening your invoices.

Check your domain's email authentication for free →