Defaults.Exposed › Opravy › Guides
Fix guides
- 'DKIM Signature Not Valid' — The Causes, in the Order to Check Them (2026)
'DKIM signature not valid' has five common causes, from content modified in transit to a truncated key. Only 51.84% of 261 million graded domains publish a discoverable DKIM key at all. Data as of 2026-06-29. - "DMARC Policy Not Enabled": What Checkers Mean, and the Honest 5-Minute First Step (2026)
"DMARC policy not enabled" means no DMARC record, or a record at p=none. Only 10.59% of domains enforce a DMARC policy — 75.11% publish no record at all. The exact TXT record to publish, the syntax slips to avoid, and what week one looks like. Data as of 2026-06-29. - "SPF Record Not Found" — But You Have One? The 5 Real Causes (2026)
SPF record not found but you're sure it exists? 1,013,416 domains publish two or more SPF records — a PermError many checkers report as not-found. The five real causes, the 60-second test for each, and the fix. Data as of 2026-06-29. - A Client's Security Questionnaire Is Asking About Email Authentication — Answer It (and Fix the Gaps) in One Afternoon (2026)
A supplier security questionnaire is asking about DMARC, SPF and DKIM. Only 7.4% of graded domains have email authentication fully aligned and enforced — how to answer honestly and fix the free gaps in one afternoon. Data as of 2026-06-29. - Contact Form Emails Going to Spam — The Web-Server Sender Fix (2026)
Contact form and website emails going to spam? Your web server sends them unauthenticated — route site mail through authenticated SMTP instead. 46.4% of domains publish no SPF record at all. The fix order that works. Data as of 2026-06-29. - DKIM 'Body Hash Did Not Verify' — What Changed Your Message, and How to Fix It (2026)
'Body hash did not verify' means your DKIM signature was valid when the message left you — something rewrote it in transit. Only 3.87% of 261 million graded domains hold the full SPF + DKIM + DMARC triad. Data as of 2026-06-29. - DKIM "No Key for Signature": Selector and Rotation Fixes (2026)
DKIM "no key for signature" means the selector record your signature points to is missing from DNS. How to find the selector, publish the record and rotate keys safely — only 3.87% of 261 million domains complete the SPF+DKIM+DMARC triad. Data as of 2026-06-29. - DKIM Failing After Switching Email Tools: The CNAME and Selector Migration Guide (2026)
DKIM broke after switching email tools? Zone-appended CNAME targets and prematurely deleted selectors cause almost every post-migration failure. Only 3.87% of 261 million domains complete the SPF+DKIM+DMARC triad. Data as of 2026-06-29. - DKIM Passes but DMARC Fails: The gappssmtp.com / onmicrosoft.com Default-Signature Trap (2026)
DKIM passes but DMARC still fails when mail is signed with gappssmtp.com or onmicrosoft.com — the provider default that never aligns with your From domain. Of 12,145,313 Google-authorising domains, only 18.5% enforce DMARC. Data as of 2026-06-29. - DMARC Fails but SPF and DKIM Pass? The Alignment Fix (2026)
DMARC can fail while SPF and DKIM pass because neither check authenticated your From domain — the alignment gap. Only 7.4% of 261 million graded domains pass SPF aligned under an enforcing DMARC policy. Data as of 2026-06-29. - DMARC p=none to p=reject Without Losing Legitimate Email: The Staged Rollout (2026)
Move DMARC from p=none to p=reject in four staged steps — monitor, fix sources, ramp quarantine, reject. 37,312,637 domains are parked at p=none and only 10.59% of graded domains enforce. Data as of 2026-06-29. - Forwarded Email Fails SPF — Why You Can't Fix It, and What Actually Works (2026)
Forwarding breaks SPF by design — no record you write can survive it. The honest fix is aligned DKIM. 7,355,985 domains ride Namecheap's forwarding include alone, per the Defaults.Exposed census. Data as of 2026-06-29. - Gmail "550-5.7.1 Message Blocked" — Decode the Bounce and Fix It (2026)
Gmail 550-5.7.1 decoded: policy blocks, IPv6 without reverse DNS, spam and reputation rejections — and which strings Google has moved to newer codes. Only 10.59% of domains enforce DMARC. Data as of 2026-06-29. - Gmail 550 5.7.26 "The Sender Is Unauthenticated": The Fix, in Requirement Order (2026)
Gmail returns 550 5.7.26 when your mail fails both SPF and DKIM. Of the 12,145,313 domains that authorise Google's servers via _spf.google.com, only 18.5% enforce DMARC. The decoder table for the 5.7.26 family (and new codes 5.7.27/5.7.30) plus the fix order. Data as of 2026-06-29. - Mailchimp, Brevo or Klaviyo Emails Failing DMARC? Turn On Real Domain Authentication (2026)
Newsletter platforms fail DMARC when they send from your domain without authenticating as your domain — the fix is custom domain authentication. Of 740,321 domains authorising SendGrid, only 18.0% enforce DMARC. Data as of 2026-06-29. - Outlook Rejecting Your Email: 550 5.7.515, 550 5.7.509 and compauth=fail, Explained and Fixed (2026)
Two Microsoft systems reject mail: consumer Outlook.com bounces high-volume unauthenticated senders (550 5.7.515), Exchange Online honours your own DMARC reject policy (550 5.7.509). Of 10,205,070 domains authorising spf.protection.outlook.com, only 21.7% enforce DMARC. Data as of 2026-06-29. - Setting Up Email on a New Domain: The 20-Minute SPF, DKIM and DMARC Checklist (2026)
Set up SPF, DKIM and DMARC on a new domain in about 20 minutes. 46.4% of domains never publish SPF at all, and only 3.87% complete the full authentication triad. Data as of 2026-06-29. - Someone Is Sending Emails From Your Domain: The Emergency Response Guide (2026)
Someone is sending emails from your domain? First check exact domain vs lookalike — the fixes are completely different. 89.41% of domains have no enforced DMARC policy and 46.4% publish no SPF at all. Data as of 2026-06-29. - SPF Failing for Your SaaS Tools? Why It Happens and the Fix Order — Europe Edition (2026)
When a SaaS tool 'fails SPF', the real problem is usually DMARC alignment or the 10-DNS-lookup limit — 2,119,539 domains sit one include from the cliff. How to diagnose it and the fix order for HubSpot, Salesforce, Mailchimp and SendGrid. Data as of 2026-06-29. - SPF PermError: How to Fix "Too Many DNS Lookups" Without Breaking Your Email (2026)
At least 797,263 domains break SPF's 10-DNS-lookup limit and their SPF returns PermError — void, and counted as a DMARC fail. The fix order: count real lookups, prune dead includes, use subdomains, and only flatten with automation. Data as of 2026-06-29. - SPF Stopped Working After You Switched Email Provider — The Migration Fix (2026)
SPF broke after changing email provider? The new record was almost certainly added next to the old one — two v=spf1 records void SPF entirely, the state 1,013,416 domains are in. The ten-minute migration fix, step by step. Data as of 2026-06-29. - That Invoice-Fraud Story You Heard — Could It Happen to Your Firm? Find Out in Two Minutes (2026)
Could someone send a fake invoice that looks exactly like it came from your firm? 89.41% of graded domains could be impersonated that way — a free two-minute check shows whether yours is one of them. Data as of 2026-06-29. - That Old Domain From Your Rebrand Is a Door You Left Open — How to Lock Domains That Send No Email (2026)
A parked domain that never sends email can still be used to send email as your business. Three free DNS records lock it shut — while 46.4% of domains have no SPF record at all. Data as of 2026-06-29. - Yahoo 554 5.7.9 'Message Not Accepted for Policy Reasons' — The Sender Fix (2026)
Yahoo returns 554 5.7.9 when a message violates its sender policy — usually failed SPF/DKIM authentication or DMARC enforcement. Only 10.59% of 261 million graded domains enforce DMARC. Data as of 2026-06-29. - Your Insurance Renewal Is Asking About SPF, DKIM and DMARC — Here's What to Answer (2026)
The cyber-insurance renewal form asks whether your domain has been scanned for DMARC, SPF and DKIM. Only 7.4% of graded domains have the aligned, enforced setup insurers probe for — how to get a truthful, dated answer in two minutes. Data as of 2026-06-29.