FreeEmailAnalyzer

Interpreting Authentication Results

Understanding the Authentication-Results Header

This technical header shows whether an email passed security checks. Think of it like an email's "security report card".

What It Checks

  • SPF: Did the email come from approved servers?
  • DKIM: Was the email tampered with in transit?
  • DMARC: Does a domain that passed SPF or DKIM match the visible From domain?

How to Read the Results

Each line shows:

  1. Protocol: spf/dkim/dmarc
  2. Result:
    • 🟢 pass = good
    • 🔴 fail = warning
    • 🟡 neutral = inconclusive
    • ⚪ none = not checked
  3. Domain: Which organization's rules were checked

Examples

Example: Good Email

Authentication-Results: gmail.com;
  dkim=pass header.d=paypal.com;
  spf=pass smtp.mailfrom=paypal.com;
  dmarc=pass (p=reject) header.from=paypal.com

✅ All checks passed for paypal.com

Example: Phishing Attempt

Authentication-Results: gmail.com;
  dkim=fail header.d=scam.com;
  spf=fail smtp.mailfrom=scam.com;
  dmarc=fail (p=reject) header.from=paypal.com

🔴 Claims to be PayPal but failed all checks!

Common Scenarios Explained

  1. SPF pass + DKIM fail

    • Possible spoofing - sender faked the domain
    • Example: Shows "From: bank@example.com" but signature is invalid
  2. DKIM pass + SPF fail

    • Often means legitimate forwarding
    • Example: Work email forwarded to personal account
  3. DMARC fail

    • Strong phishing indicator
    • Especially dangerous if combined with other failures

🔍 Pro Tip: Look for mismatches between the header.from domain and the authentication domains.

⚠️ Warning: Some legitimate emails may fail checks - always consider the context.
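
The mismatch check from the Pro Tip can be automated. The sketch below is an added example, not FreeEmailAnalyzer's own code: it parses an Authentication-Results value and reports failed checks and passes for a domain other than the header.from domain. The function names, the default trusted authserv-id of gmail.com, and the simplified alignment rule are assumptions.

```python
import re

# Constructed sample values: GOOD and PHISH are the two examples on this page,
# MISMATCH is made up to show SPF passing for a domain other than the From domain.
GOOD = ("gmail.com; dkim=pass header.d=paypal.com; "
        "spf=pass smtp.mailfrom=paypal.com; dmarc=pass (p=reject) header.from=paypal.com")
PHISH = ("gmail.com; dkim=fail header.d=scam.com; "
         "spf=fail smtp.mailfrom=scam.com; dmarc=fail (p=reject) header.from=paypal.com")
MISMATCH = ("gmail.com; spf=pass smtp.mailfrom=bounce@scam.com; "
            "dmarc=fail header.from=paypal.com")

def parse_authres(value):
    """Split a header value into (authserv_id, [(method, result, props)])."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop comments such as (p=reject)
    head, *clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = []
    for clause in clauses:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return head.split()[0].lower(), results

def domain_of(v):
    return v.rsplit("@", 1)[-1].strip('"<>').rstrip(".").lower()

def aligned(a, b):
    # Simplification (assumption): real relaxed alignment uses the Public Suffix List.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def assess(value, trusted="gmail.com"):
    """Return a list of findings; an empty list means nothing suspicious."""
    authserv_id, results = parse_authres(value)
    if authserv_id != trusted:  # only believe headers stamped by your own receiver
        return [f"untrusted authserv-id {authserv_id}"]
    from_dom = next((domain_of(p["header.from"]) for m, _, p in results
                     if m == "dmarc" and "header.from" in p), None)
    findings = []
    for method, result, props in results:
        key = {"spf": "smtp.mailfrom", "dkim": "header.d"}.get(method)
        if key not in props:
            continue
        dom = domain_of(props[key])
        if result != "pass":
            findings.append(f"{method}={result} for {dom}")
        elif from_dom and not aligned(dom, from_dom):
            findings.append(f"{method}=pass for {dom}, but From is {from_dom}")
    dmarc = next((r for m, r, _ in results if m == "dmarc"), "none")
    return findings + ([] if dmarc == "pass" else [f"dmarc={dmarc}"])
```

The trusted parameter matters because a sender can insert their own Authentication-Results line; only the one added by the receiving server you rely on should be evaluated.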